Governance, Risk & Compliance (GRC) & other disparate, forced and failed approaches to the management of risk, mitigation of harm or safety/security
There is an overwhelming, persistent pursuit with all matters related to 'risk'
That is, a new term, concept or 'model' associated with 'risk' becomes normative and demanded by organisations, industries and even professions, with little or no questioning of the validity, efficacy and origins of the concept or that of the originator.
Especially where an industry, organisation or practice is seeking to reinvent itself
"The acronym GRC was created by OCEG (originally called the "Open Compliance and Ethics Group") as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance"
Source: OCEG
GRC made its first 'academic' appearance in a journal in 2007, where the author/originator held an advisory position at the same journal—essentially relegating functions and practices related to 'risk' to that of a consolidated, back office function, or similar to that of a BPO. Where the expression was picked up, popularised and 'endorsed' by various multinationals as the definitive solution for risk management across physical and digital jurisdictions.
This is just one, well-known example of the proliferation of 'risk' literature, 'findings', 'wisdoms' and associated buzzwords manufactured in the past couple of decades.
However, graduates, personnel and former member(s) of various GRC functions emerge from these made-up constructs as somewhat of industry or organisational super heros or modern polymaths. Routinely exhibiting little formal qualifications or demonstrable utility other than the 'time served' or memorising the hundredth monkey effect practices of the group or those that went before them. These 'graduates', once in a position of power, influence, seniority or influence, impose the GRC purity and practice upon the organisation, industry and community. No one dare question, research, speak ill or other other wise challenge this collective single-loop learning and application phenomena. As a result, I'm likely to draw the ire and fury of GRC purists and devotees as a result of this analysis and research.
Governance, Risk and Compliance are not event related concepts, let alone disciplines. If they were physical objects, it would be easier for individuals and organisations to question or realise they remain disparate, technical and professional vocations, disciplines and even sciences. But if you saw the words:
Accounting, Engineering and Medicine (AEM)
Forced together as single department, discipline or demand, you would reasonably question how that might be possible, the qualifications required for each vertical and the collective academic and practical skills necessary for each function, let alone how to justify/explain it to others not familiar or supportive of how you came to such a random conclusion or assertion.... nearly two decades ago.
In short, alarm bells would be ringing.
Increasingly, emergent and complex legislation, regulation and other compliance related demands require highly specialised, experienced and very knowledgable individuals, teams and supporting resources.
So much so, they are specialised functions, not practicing nor required to provide 'governance' nor expert 'risk' inputs and solutions either. Software and technology that suggests otherwise may require it own disclosures, reevaluation or revised confidence.
Governance may be theoretical, practical or reference-based.
It may also be 'stuff done' within an organisation, government or industry. It may present as management or a variety of 'control' functions, practices and beliefs. It may also be non-compliant or compliant, depending on trends, laws and customs/cultures. It also varies considerably from one jurisdiction to another.
Governance may also require and individual or team(s) to speak/understand 'other' languages, both literally and practically. Governance may also be a catch-all phrase used for stakeholders, regulators, internal and external communications. Compliance may be an infrequent demand or rarely considered activity. Risk management (all-hazards) may not be required by either compliance or governance, beyond in terrorem, which in itself is a moving concept and 'threat'.
Risk management is an ideology, community of practice, vocation, professional title/role, science and layperson/person protective practice conducted subconsciously.
In other words, it can be lots of things. Some evidenced and some made up. Some documented, structure and verified, while other things related to risk management are done 'on the go'.
Qualifications and levels of accepted competency vary remarkably, with some individuals having no specific, objective or verified qualifications associated to 'risk' management. While others may have undertaking 3 hours education, a community course of a few days or formal, higher education.
In short, 'risk management' is a mixed bag of theories, practitioners, beliefs and practices. This includes 'standards'. As a result, 'risk management' conflicts with governance and compliance, which may required objective, independent 'risk management' too. In much the same way the three lines of defence (3LOD) model routinely fails, invites conflicts and remains a made up concept, widely practiced and worshiped by some. This includes the "rebranded", made-up three lines model , commonly co-located with GRC devotees and ideologies, routinely lacking empirical, scientific or academia basis. All of which are subject to perverse influences such as concealed preferences and other heuristics or biases. Especially once you venture beyond the dominant accounting and generalist offerings, narratives and publications.
Recommended by LinkedIn
As a result, any person or system that asserts they are a "GRC Professional", is akin to claiming to be a Decathlete. That is, you would have to master a broad, disparate array of skills, qualifications and experiences to be remotely accurate in such assertions or claims.
"In God we trust, all others must bring data"
Alas, proof is routinely elusive or dependent upon self-authored narratives, 'qualifications' and 'experience' repurposed as a proxy for evidence, qualifications and/or specific training. Therefore, there are no prizes for guessing which 'multi-disciplined' practices and departments routinely fail government, regulatory, corporate and community expectations when it comes to governance, risk and compliance? Yet they remain the insistent upon construct for some industries and devotees/graduates of past (including failed), GRC and/or 3LOD constructs.
Are you and apple, an orange or a pineapple?
Or do you insist on being a called a professional 'fruit salad'?
See graphic for terms of reference to this trope, idiom or metaphor. 😀
In sum, the management of 'risk' invites innovation
That is, there are many 'popular' practices, concepts and ideology throughout 'risk' management that have been invented by big brands, popular pundits or aspiring 'influencers' and celebrities.
These fads and lightweight models become popular and are very, very hard to correct or supplant. Especially by those raised by or devoted to 'the system', no matter the flaws. This is why so few go looking for proof of efficacy, origins, influences or alternate views. Governance, Risk and Compliance (GRC) serves as an example.
Look for yourself. Examine both sides of the argument. Not just those self-serving, popularised or 'branded' views. Because that's not science, let alone academic and remains a questionable professional trait/practice. What do you find? If it's another 'group think', fable, self-authored 'truth', perhaps the management of risk is not suited to your beliefs and practices.
Especially where such unqualified and unsubstantiated practices create or compound systemic risk and amplify harm to others, at every increasing scale(s).
“It must be remembered that there is nothing more difficult to plan, more doubtful of success, nor more dangerous to manage than a new system. For the initiator has the enmity of all who would profit by the preservation of the old institution and merely lukewarm defenders in those who gain by the new ones. ”
Niccolò Machiavelli
Risk, Security, Safety, Resilience & Management Sciences
GM ValiCor UA | H.E.A.T. UA - Emotion Intellect | Board Member ValiCor US | Risk/Crises Management | Corporate Security PRO | UA Military and Iraq Veteran | Author's model of Convergent Security | Security What's Matters
2yAs in the fable Swan, Crab and Pike. And here there are three different directions. This is also the same as why for most Phys Security + Inf Security = Convergence Security ?! Is it a mistake?!