Governance, risk management and compliance (GRC) is a hot marketing buzz phrase ­ see, for example, Oracle’s announcements at its Openworld conference recently ­ but let’s be clear: GRC is not a market category. Using the term GRC conflates three distinct business functions that are best facilitated using different tool sets; cynical readers will be forgiven for wondering if the resulting confusion is intended to trick them into buying more tools than they really need.

Rapid technology evolution and significant changes in regulation have conspired to throw governance, risk management and compliance into confusion over the past two decades. As a result, all three disciplines have become rather dysfunctional. Tools supporting governance, risk management and compliance are immature, and the recent adoption of GRC as a buzzword has further mired an already muddy picture.

There is no such thing as GRC. Its use increases the probability of confusion about critical issues.

Pretending that GRC exists damages businesses by conflating separate issues and obscuring the real problems in a company. Société Générale’s (SocGén’s) €5bn (£4bn) trading loss stemmed not from a single failure but from at least two failures. The first was a risk management failure ­ a trader was able to turn off the monitoring controls that should have alerted the bank to a magnitude of risk that put it in danger.

The second was a governance failure. When the French Banking Commission detected the rogue activity and warned SocGén that its risk management regime was not working properly, SocGén management apparently failed to take effective
action. Not identifying both failures and who was responsible for addressing each one was disastrous for SocGén ­ as it would be for any firm in a similar position.
Companies are most successful when they look past tool deficiencies and focus on a few core goals when designing governance, risk management and compliance programmes.

Governance initiatives should focus on building organisational transparency and business value. This focus should be turned into action by implementing “roundtrip management” processes that allow executives to see whether their mandates are being implemented, to observe the effects of their mandates on behaviour, and to measure the changes those mandates cause in business value.

Risk management initiatives should shift focus from loss avoidance to creation of value through identification of risks that should be taken rather than avoided, and through identification of competitive advantages created by risk management competencies.

Compliance initiatives should shift the focus from avoidance of liability to reduction of losses that create liability.

Governance is the responsibility of senior executive management and focuses on creating business value and building organisational transparency. Risk management is a responsibility shared by business unit executives, the IT leader and the chief financial officer, and focuses on balancing risk-associated losses and gains. Compliance is a responsibility shared by various executives depending on the regulatory environment. Not surprisingly, these diverse activities require diverse tools, and the activities are most effective when they support one another.
Governance, risk management and compliance are three separate but related activities that solve different problems for different executives. They have different goals, are managed by different executives and require different tools, and it is essential for business to recognise this fact.