Incomplete Thought: Compliance, Governance, Audit and Risk aka GRC We’re Doing It Wrong

by David Mortman on August 13, 2009

There’s been lots of discussion here and elsewhere about what’s wrong with GRC as a market, and that discussion is pretty spot on. However, last week I was chatting with Alex and it suddenly hit me that while GRC doesn’t work, the very concept is even more broken than we had previously thought. I briefly mentioned this last week on Twitter and promised a more complete breakdown this week, so here we go:

First off, it’s not about governance, risk and compliance, but rather about compliance, governance and audit with risk being both an informer and product of the Compliance, Governance, Audit (CGA) process. So once again we have one of Andy Jaquith’s Hamster Wheels of Pain, with risk as an externality.

[Pretend I put a fancy graph with arrows here]

First off, you have a perceived risk. That risk might be the fear of government legislation in your space (hence the creation of PCI), it might be something bad happening to a competitor (lead paint on children’s toys), or anything else really. The result of that perceived risk is some sort of compliance demand, which may be formal, like PCI, SOX or HIPAA, or informal: the CEO declares iPods verboten and every employee must carry a Zune, for instance. In other words, compliance is just a declared requirement to do (or not do) something. To totally abuse a metaphor, this kind of sounds like the legislative branch of the government.

Secondly, the compliance requirements drive governance requirements. Governance is just a sexy word for enforcement of compliance. In other words, governance is the series of controls and processes you will use to ensure that the compliance need is being met. To continue the metaphor abuse, this more or less maps to the executive branch.

Finally, we have audit. Audit is, in the simplest terms, the group that interprets the compliance requirements and then takes those interpretations and applies them to what the governance group did. Sounds a lot like what the courts do (minus the ability to declare certain compliance requirements null and void).

As the cycle rotates, we have a new state of being which changes both the real and perceived risk states. This new perception drives changes to compliance, which drives changes to governance, which drives changes to audit. Lather, rinse, repeat.

The net result of this is that (once again) it’s really about risk, even when you don’t think it is.

10 comments

I think this is a great critique of GRC and pretty much hits the nail on the head. The only bit I would add is something new I’m tumbling to, which is shifting to discussion of risk tolerance instead of getting mired in compliance, audit, governance, etc. Jeremiah touched on this a bit in a recent piece (http://jeremiahgrossman.blogspot.com/2009/08/security-religions-and-risk-windows.html) and it’s an area I’ll be covering in an article soon. Too much time is being spent on risk assessment, risk management, governance, heavy formalities, etc., without ever getting to the core issues: how sensitive is your organization to “risk”? and, how does your org ensure that risks are held to an acceptable level?

Overall, I need to figure out how to integrate risk tolerance into my revised TEAM Model (http://twitpic.com/ahjek), perhaps as part of defining requirements. Risk tolerance should be something that can be defined in relatively clear business metrics, which means it’s something we might actually succeed in leveraging in lieu of all the other things attempted in this industry (with marginal success). fwiw.

by Ben on August 13, 2009 at 4:53 pm.

[…] may call it an incomplete thought, but I don’t. Incomplete Thought: Compliance, Governance, Audit and Risk aka GRC We’re Doing It Wrong […]

by Interesting Information Security Bits for 08/13/2009 | Infosec Ramblings on August 13, 2009 at 8:59 pm.

[…] Incomplete Thought: Compliance, Governance, Audit and Risk aka GRC We’re doing it wrong – “It’s all about risk, even when you don’t think it is.” Very true words. […]

by Network Security Blog » Thursday night PCI articles on August 14, 2009 at 4:44 am.

I recommend you look at Michael Rasmussen’s blog, especially this entry: http://corp-integrity.blogspot.com/2009/04/response-to-lumigents-grc-starts-with-c.html

He’s a GRC industry analyst and consultant (formerly with Forrester Research).

He makes similar points, as do the people who commented on the post.

I *strongly* suggest that you guys get a dialog going with Michael on this topic. Maybe it would lead to a joint conference presentation, webinars, or whatever. We *must* bridge the gap between the risk management community and the regulation-compliance-audit community, IMHO.

Russ

by Russell Thomas on August 17, 2009 at 10:34 pm.

Audit does have “the ability to declare certain compliance requirements as null and void” – by not auditing them. Organizations in a strong Compliance-Governance-Audit regime study audit reports intensely. They quickly identify when auditors don’t look at compliance requirement X, and stop doing X.

The real issue is that there are different types of risk. If a project risk manifests, the project may fail – which may be in the best interests of the organization but not necessarily the project manager. A security risk manifesting, on the other hand, is bad for the project and the organization.

Another way to categorize risks is by the control you have over them. Some risks are controllable – like internal system configuration. Some are uncontrollable – like whether your auditor is incompetent. In between there are some risks that can be influenced – like how your superior responds to an auditor report.

by DanT on August 19, 2009 at 12:44 pm.

Hmmmm, where to start.

When you attack GRC, I am curious what definition, experience, and framework you are basing your discussion on.

Your opening statement does get to the heart of the matter by referring to the GRC market. GRC is broader than a market for technology and services. It is about collaboration across the business. Getting legal, compliance, operational risk, finance, treasury risk, IT, ethics, audit, health & safety, fraud to work together and communicate with each other. The goal is to gain enterprise perspective on the risk and compliance issues facing the business. Technology helps deliver this, and there is a market for such technology, but GRC is broader than a tech market.

Your definitions and approach to Governance, Risk, Compliance, and Audit are also confusing to me. Governance is more than reacting to requirements. Governance is about establishing the culture, values, and control of the organization. Compliance is about defining boundaries – whether external laws or regulations, or internal values and control established by governance. Risk is about measurement and modeling of potential events that can have an impact on the business. All of these do work in harmony together. For instance, you can have two different organizations with different governance and cultures – though in the same industry. Each of these different cultures could very well have different views of risk taking and management – different thresholds for risk appetite and tolerance. This is communicated by policies and procedures, monitored by assessment done by compliance. Audit acts as an independent assessor that the organization is controlled the way it states it is. Of course there is much variation and detail to all of this.

GRC is simply 3 legs to a corporate stool that would be very unstable if one was removed.

The problem is there are many bubbles/silos/stovepipes. For every risk person wishing compliance or audit folks to get out of their bubble I can also show another role (e.g., compliance, audit, finance, health & safety, ethics, legal) that wishes risk would come out of its bubble.

While there is a relationship to risk across areas – it does get deeper than just risk management. It gets to ethics, values, code of conduct, staying in boundaries, culture, and more.

The truth is – this is what GRC is about. That is collaboration. GRC is not about a technology product. It is not about one role (e.g., risk, compliance, audit) dominating others. It is about working together in a collaborative discussion, architecture, and framework to drive toward what OCEG calls Principled Performance.

Interesting, even within the subject of risk management you have different factions. I know enterprise and operational risk folks that jump up and down that information risk does not get it. Bubbles within bubbles.

by Michael Rasmussen on August 19, 2009 at 8:06 pm.

@Russell Thanks for the link. Fascinating stuff.

by David Mortman on August 19, 2009 at 8:23 pm.

@Michael

Unfortunately, due to the software space, GRC as a concept has been completely bastardized to mean the latest attempt to meet the failed promises of the SIM/SEM/SIEM marketplace.

In terms of the larger space that it occupies, I object to the term GRC largely because it ignores the importance of audit and how it is a necessary supporting leg of governance and compliance. I don’t disagree with the need for Risk, I just think it fits in the picture in a slightly different way.

I don’t think your and my definitions of G, R, A and C are actually that different. My definitions were deliberately high level, and I feel that they more or less encompass your much deeper and more specific ones.

The truth is – this is what GRC is about. That is collaboration. GRC is not about a technology product. It is not about one role (e.g., risk, compliance, audit) dominating others. It is about working together in a collaborative discussion, architecture, and framework to drive toward what OCEG calls Principled Performance.

I’m not familiar with OCEG (looking through their stuff now) but I more or less agree with your assertions. Again I think we are actually pretty close in our thinking in reality.

by David Mortman on August 19, 2009 at 8:39 pm.

@DanT
Audit does have “the ability to declare certain compliance requirements as null and void” – by not auditing them. Organizations in a strong Compliance-Governance-Audit regime study audit reports intensely. They quickly identify when auditors don’t look at compliance requirement X, and stop doing X.

Excellent point. This could easily feed back into the Compliance aspect as well and change the rules to require further enforcement or drop it entirely.

by David Mortman on August 19, 2009 at 8:40 pm.

@Ben

Too much time is being spent on risk assessment, risk management, governance, heavy formalities, etc., without ever getting to the core issues: how sensitive is your organization to “risk”? and, how does your org ensure that risks are held to an acceptable level?

Well, I think too much time is being spent mindlessly doing these activities without understanding what the important resources are, which makes the rest of the question and effort pointless. Goes back to my earlier rants about operational discipline. But that’s another post that I need to write.

by David Mortman on August 19, 2009 at 8:42 pm.
