Incomplete Thought: Compliance, Governance, Audit and Risk aka GRC We're Doing It Wrong
There’s been lots of discussion here and elsewhere about what’s wrong with GRC as a market, and that discussion is pretty spot on. However, last week I was chatting with Alex and it suddenly hit me that while GRC doesn’t work, the very concept is even more broken than we had previously thought. I briefly mentioned this last week on Twitter and promised a more complete breakdown this week, so here we go:
First off, it’s not about governance, risk and compliance, but rather about compliance, governance and audit with risk being both an informer and product of the Compliance, Governance, Audit (CGA) process. So once again we have one of Andy Jaquith’s Hamster Wheels of Pain, with risk as an externality.
[Pretend I put a fancy graph with arrows here]
To start, you have a perceived risk. That risk might be the fear of government legislation in your space (hence the creation of PCI), it might be something bad happening to a competitor (lead paint on children’s toys), or anything else really. The result of that perceived risk is some sort of compliance demand, which may be formal, like PCI, SOX or HIPAA, or informal: the CEO declares iPods verboten and every employee must carry a Zune, for instance. In other words, compliance is just a declared requirement to do (or not do) something. To totally abuse a metaphor, this kind of sounds like the legislative branch of the government.
Secondly, the compliance requirements drive governance requirements. Governance is just a sexy word for enforcement of compliance. In other words, governance is the series of controls and processes you will use to ensure that the compliance need is being met. To continue the metaphor abuse, this more or less maps to the executive branch.
Finally, we have audit. Audit is, in the simplest terms, the group that interprets the compliance requirements and then takes those interpretations and applies them to what the governance group did. Sounds a lot like what the courts do (minus the ability to declare certain compliance requirements null and void).
As the cycle rotates, we have a new state of being, which changes both the real and perceived risk states. This new perception drives changes to compliance, which drives changes to governance, which drives changes to audit. Lather, rinse, repeat.
The net result of this is that (once again) it’s really about risk, even when you don’t think it is.