We all know that keeping a car’s wheels in alignment is essential. Misalignment causes a lot of problems, from loss of steering control to reduction in the safety and durability of the tires. In the same way, alignment failures in the GRC capabilities of an organization can knock us off the pathway to Principled Performance, cause us to swerve beyond the boundaries of acceptable operations, use up resources unwisely, and put the organization at risk.
No one ever accused me of being a baseball fan, but I was a fan of the great Yogi Berra and his way with words. Today, with a sad smile and remembrance, I just want to pay tribute to the man with a nod to how some of his more memorable sayings fit so well into my world; the world of governance, risk management and compliance, or GRC.
Our business context is constantly and rapidly changing. We have to be ready to respond and change our controls, tactics, strategies, and even objectives if need be, to achieve Principled Performance. That is why the concept of “Learn” is the first component in OCEG’s GRC Capability Model. If we don’t stay on top of our game by observing change, analyzing what it means for us and responding appropriately, everything else we do — from risk assessments to action on strategic and operational plans to compliance efforts — will be stagnant and just plain wrong before we know it. Consider the following example.
Most likely, if you work in the areas of governance, risk management, or compliance, you are already familiar with the “three lines of defense” model that describes risk management in three layers. It’s a good model for understanding how risk is, at some level, everyone’s responsibility, but the discussion needs to go further than most of what I have seen so far.
Forty years ago today, committees in the House and Senate of the U.S. Congress were contemplating what eventually became the Government in the Sunshine Act, a seminal piece of legislation meant to increase transparency of government action.
Perhaps I should be faulted for first discussing (in earlier posts) how risk management and compliance management fit into the new GRC Capability Model before talking about governance. After all, isn’t the “G” in “GRC” the first and most important part of the acronym?
Since I posted an outline of where Risk Management resides in Version 3.0 of OCEG’s GRC Capability Model recently, I’ve been getting requests from compliance officers to show them exactly where compliance management is in the Model. And again, the answer is everywhere.
My generation of baby boomers is used to doing things a different way, but that doesn’t mean our way is still better. Older isn’t always wiser or more capable.
Where is risk management guidance in the revised GRC Capability Model? This is a question I’ve been hearing lately from risk professionals who are looking for where they “fit in” to GRC. The answer is everywhere.
Breathe in confidence, exhale doubt – This oft-repeated affirmation is urged on students in yoga classes, athletes heading into competition, and others in programs for building success. Confidence is essential before taking risks of any kind.