In a previous blog entry, I explored, through an admittedly strange analogy, the connection of GRC and a funk ‘groove.’ I got to thinking – if GRC is so hard to define, what then should a technology-based GRC solution actually do? I am glad I asked myself this question since it led to a bit of an epiphany for me. Well – I guess you couldn’t really label it an epiphany when I think the understanding was already there, but I felt the groove and went with it. Let me explain.
GRC solutions have a tough bill to fill. As I discussed in my earlier blog, GRC has to be different for every company. The company must find its own underlying groove such that the business can work with freedom, but in a controlled manner. GRC processes across companies have some resemblance; there are core elements that must be present for success. Technology should help bring those processes alive and make execution simpler. But this is where GRC solutions can sometimes fall down. Rigidity in GRC, like rigidity in music, is unacceptable and leads to very poor results.
GRC technical solutions must support the key elements of GRC – policies, management oversight, control implementation, incident management and compliance – but also allow the organization to insert its own intricacies and improvisations into the solution. The technology must set a reliable, solid base within an intelligent structure. The technology must also allow a path to support new processes and fold in maturing and evolving elements of the GRC functions.
I won’t take this analogy too far, but just like the drums and bass provide the structure for a song, GRC technologies must provide the platform for the business to explore and discover new ground. GRC technical solutions should not be implemented to make the business conform blindly to rules but rather to lock in on a foundation that can address new risks, new business processes and new needs. GRC can then enable the business to find its perfect melody. That is the essence of the GRC groove.