Governance, Risk and Compliance (GRC)

In the current economic environment, and bearing in mind what catapulted us into it, there are three terms that are coming up more and more. These terms have always been considered within IT and business operations; however, the spotlight is now turned directly on these rising stars. So I thought today I'd dip a little into all three areas.

Let's start with Governance. The dictionary defines it as "The act, process, or power of governing; The state of being governed." The word "govern" means to "rule with authority; conduct policy and affairs of state". But I like the Wikipedia version, which actually highlights some component parts that are often forgotten:

"Governance relates to decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. Sometimes people set up a government to administer these processes and systems.

In the case of a business or of a non-profit organisation, governance relates to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility. For example, managing at a corporate level might involve evolving policies on privacy, on internal investment, and on the use of data.

In terms of distinguishing the term governance from government (both of them nouns) - "governance" is what a "government" does. It might be a geo-political government (nation-state), a corporate government (business entity), a socio-political government (tribe, family, etc.), or any number of different kinds of government. But governance is the kinetic exercise of management power and policy, while government is the instrument (usually, collective) that does it."
What I find interesting here is that many will happily define the processes, policies and responsibilities that make up the Governance standard, but few clearly define the expectations or grant authority or power in a clearly defined manner, and even fewer verify that the governance is actually being complied with. In fact, as you see from the latter part of Wikipedia's definition, Governance is what a "government" (a business entity in our case) does; however, unlike a state, the business does not invest in "policing" of policy to ensure adherence and enforcement. Hence the problems with the banks having policies in place, but no policing to ensure brokers, traders etc. adhered to them, or interpreted them correctly. As always, policy needs to be Specific, Measurable, Achievable, Realistic, and Timely (SMART).
 
Risk. This one is even more interesting, as the scale or level is different for different people, businesses and governments. It is often determined by place, time and people. Crossing a road in the Australian outback without looking is of lesser risk than crossing a road in downtown New York or London. Again, going back to the dictionary we find "possibility or chance of danger or loss or harm." Risk is something we expose ourselves to, wittingly or unwittingly, based on experience, knowledge and analysed fact. So good old Wikipedia (it can be useful, you know!) explains it well, I think:

"Risk is a concept that denotes the precise probability of specific eventualities. Technically, the notion of risk is independent from the notion of value and, as such, eventualities may have both beneficial and adverse consequences. However, in general usage the convention is to focus only on potential negative impact to some characteristic of value that may arise from a future event.

Risk can be defined as "the threat or probability that an action or event will adversely or beneficially affect an organization's ability to achieve its objectives"[1]. In simple terms risk is 'Uncertainty of Outcome', either from pursuing a future positive opportunity, or an existing negative threat in trying to achieve a current objective."
The link back to Governance here is the part which highlights that risk will adversely or beneficially affect an organisation's ability to achieve its objectives. We need to ensure that when creating our Governance policies we take into account the risks both of adhering to that policy and of breaking it. Adhering to a policy exactly may itself be a risk, as it may prevent innovative thinking or action which could generate new or larger business areas or focus. This is why we need to understand and analyse the risks and be pragmatic in the measures taken. Going back to the banking example earlier, the brokers/dealers interpreted the policies in a manner that allowed for greater risk taking and greater rewards (at the time); however, no-one appears to have "policed" the exposure, and therefore the change in risk and the deviation from policy went unnoticed. This highlights that the two areas (Governance and Risk) must be linked to be effective.
 
Now for the "policing" element that should ensure both of the above are being SMART.
 
The Compliance element. Back to the dictionary and we get "in accordance with", and what I love about dictionaries is that they force you to look up other words which are used in defining others! So "accordance" is to be in accord with, and "accord" means to agree or be consistent. So compliance is to be consistent with, and agree to, something; in this case the Governance policies laid out. This is the "measurable" element and needs people and tools to carry out the reviews (policing) and report back on how consistent or inconsistent things are. Again, it's an element often ignored and seen as an expensive overhead. But we've all seen the expense of not having it in place in the banking world! Jumping into Wikipedia again, it really helps me out, as it refers to the policing element too.

"The act of adhering to, and demonstrating adherence to, a standard or regulation. There is considerable regulation in the UK, some of which is from EU legislation. Various areas are policed by different bodies, such as the FSA (Financial Services Authority), Environment Agency and Scottish Environment Protection Agency, Information Commissioner's Office and others."
Interesting that it highlights the policing body, the FSA, which should have measured the inconsistencies and risks of non-adherence to the Governance policies laid down by the UK Government, the EEC, the Banking Code of Conduct etc. As mentioned earlier, failing to do all three areas well can have costly consequences, not just for you but for a much, much wider audience.

So when setting our governing policies within our groups, departments, organisations, sectors, states, countries and geographies, we need to ensure we consider all three areas of Governance, Risk and Compliance to be effective and realistic. We in IT have guidance in many areas to help us, the most notable being CobiT, which in turn refers to and complements ITIL. The Service Strategy book in ITIL v3 provides much more guidance than in the past. Most sectors have guidance too, so it's best to look at both to ensure your IT policies are aligned to the business you work within, as IT is often expected to measure and monitor against these policies as the "policing" mechanism.

Bringing all this down from the 35,000ft view, the one area that still needs addressing in many organisations is Asset Management. We often have our policies in place as to which standard builds can be purchased (having negotiated with suppliers). We understand the risk of interruption to service when we implement the asset (h/w or s/w) by analysing the Asset DB or the CMDB (CMS), but we often fail with the "policing" compliance element. If we have automated data collection tools in place, great, but we also need regular manual audits to verify the accuracy and quality of the data. This element is often ignored. So no matter where you are within the organisation, these three areas of GRC need to be considered for your own protection and that of the business you work within.

I hope this has been educational and helpful; I know it helped my own clarity of thought.

[Cross-posted at the ITP report]


1 Comment

Ken ...a lengthy blog but thought provoking. Your example at the end of the entry re: Asset Management (AM) was particularly effective in illustrating what is frequently lacking in GRC. Yes, AM policy is created ...but are specific metrics put in place to assess effectiveness of that AM policy? ...usually not. Are the business risks of not discovering, tracking, costing the asset identified? ...usually not. And you point out the frequent lack of audits to "verify accuracy and quality" of asset data. Maybe if we spent as much time defining, tracking, auditing the metrics as we do in defining the policy we'd be able to take a big step forward.


About this Entry

This page contains a single entry by Ken Turbitt published on October 21, 2009 7:47 PM.
