Is the real meaning and importance behind governance, risk, and compliance (GRC) a vague notion in your company? We talked to SAP’s own Norman Marks to get his views on the subject and hear his definition of GRC.
Norman Marks is a vice president at SAP and an evangelist for GRC. Before he went to SAP, he had worked as a head of internal audit, chief risk officer, chief compliance officer, and chief ethics officer. He led internal audit departments for global corporations for 20 years. He’s a thought leader in several areas of GRC, including risk management and internal audit. “I try to bring to the table some ideas and suggestions for how people can run their organizations better,” he says, “whether it be risk management, governance, compliance, or internal auditing, and try to move thought and then practice forward through debate and sharing.”
Marks has won numerous awards for his writing and is on the board of multiple periodicals. He’s a blogger for the Institute of Internal Auditors in addition to being on their Professional Issues committee, where he helps develop guidance in interpreting standards and best practices and in running internal audit functions. He speaks globally on topics surrounding governance, risk, and compliance and how they relate to the business. We spoke to Marks about his views on the often complex area of GRC and to hear how GRC processes, or the lack thereof, can affect your business.
What does GRC mean to you?
NM: I’d been a practitioner for many years, including running internal auditing groups for 20 years, before SAP asked me to be an evangelist for GRC. I said yes and started asking what GRC is. It’s not something you often see within an organization. You don’t usually see anything labeled a GRC process or a GRC department (although SAP has one, which is interesting). So I started thinking, “What is this? Is this something very new, or is it just a new perspective on the way people run their business?”
This has been a journey for me, of trying to figure out what GRC is. It’s very clear that there is no generally accepted single definition of GRC other than that it stands for: governance, risk, and compliance. So the words stand for something but what’s the meaning behind it? I stumbled across the definition used by the Open Compliance & Ethics Group (OCEG). The way I would summarize it is that GRC is about the need for activities related to governance, activities related to risk, and activities related to compliance to come together. It’s talking about what we call harmony between different activities within an organization and it’s talking about breaking down silos.
So those are the primary things it’s targeting, but really that’s still not a definition of GRC. My paraphrase of the OCEG definition, with which I agree, is that it’s how you manage and direct the business to optimize the value to the stakeholders (i.e., the performance of the organization) through managing and considering risk, and remaining in compliance.
What is the value of GRC to an organization?
NM: The value of GRC is in recognizing that governance activities, like developing strategy, are only effective when you consider risk, and that risk has to be managed as it relates to the achievement of strategy.
You don’t manage risk just because there’s a risk. If you’re driving down the freeway and see a deer on the side of the road, by the time you see it, it’s already past you. It’s a risk but it doesn’t affect where you’re going. It’s not relevant to what you’re trying to do. It might impact other people and you might feel a need to do something about it, but the risks you’re more concerned about are those that lie in your path, those that represent potential obstacles to achieving the value you need and to optimizing performance.
Risk on the other hand also represents opportunity. In order to optimize performance, you need to consider not only potential adverse events but also be ready to seize opportunities that may arise. The interaction between risk and strategy is that as risks change, you need to be ready to change a strategy because it’s no longer the best way to get something done or perhaps your target needs to be changed. GRC is all about intelligent management, it is not about technology. Technology can enable you to do it better, but a fool with a tool is still a fool.
The value of talking about the elements of GRC together is in recognizing that in most organizations, the functions that are necessary to drive performance through consideration of risk and remain in compliance don’t work together. Strategy doesn’t talk to risk. Risk information doesn’t flow to strategy. Compliance always seems to be chasing the bus — you engage in new initiatives and then compliance finds out about them. Then compliance officers have to scurry to put programs in place to keep the company from hitting an obstacle because compliance issues are not necessarily part of how you develop strategy. GRC is about breaking down those silos. It’s also about eliminating or addressing the issue of fragmentation because if you take an organization and you look at their risk function, there may be seven different groups doing risk management using different languages, different processes, different criteria, different reporting styles — so nobody has a view of risk across the enterprise.
Why is GRC important?
NM: GRC is important because it shines a new light on how you run the business. It points out some of the reasons that businesses fail to achieve their strategy. If you look at some of the recent studies that have come out, for example from the Organization for Economic Cooperation and Development (OECD) and the Basel Committee, they talk about the failure of governance and the failure of risk management. They talk about the fact that when strategy is developed, it’s not shared and communicated across the enterprise. How do you expect everybody to be working towards the same goals if not everybody knows what those goals are, if initiatives are not aligned, or if people in one area are investing resources that are not necessarily driving the bus in the same direction that the board wants to go?
They also talk about how information is not necessarily there in order to understand and set the strategy properly. That’s one of those problems that we see all the time. The information necessary to run the business, to set the strategy, to optimize performance, to understand risk, to understand compliance needs and performance, is not there — it’s fragmented, it’s out of date. You’re doing what I call managing through the rearview mirror because you’re always looking at historical information. Information is really the oil that greases the engines of GRC; without it, performance is not optimized and risk can arise without you seeing it.
Then there’s this big hole created when risk and strategy are considered as separate processes rather than realizing that in order to establish where we want to go and set the strategy, we need to understand the risks and we need to be monitoring and managing the risks in order to achieve that strategy.
A real issue with risk management has been that risk management information doesn’t flow up to the board, so the board doesn’t understand and is not able to provide oversight. The executives are not necessarily getting timely, current, complete, and accurate information on risk so they can adjust the business decisions that are being made. Risk management in many cases was not senior enough in the organization to be heard; risk management was not always timely and not always looking at all the right risks.
The value of looking at GRC is really that at the end of the day it helps you optimize the different processes of governance, risk management, and compliance, and the sharing of information, by looking at them together. GRC enables you to have an organization that is agile and able to optimize and sustain performance.
Why is there so much confusion surrounding the relationship between the G, the R, and the C of GRC? What essentially is the relationship?
NM: There are different frameworks, and this is why sometimes I think the CFO.com article on demystifying GRC said it quite well when it stated that “[GRC is] an academic definition of the word ‘mess.’” I like another definition I heard — that “GRC stands for governance, risk, and confusion.” Part of the confusion is that people are looking at GRC without defining what it is — there’s no common definition, and no common language.
But there are also people looking at the individual pieces — for example, governance frameworks. I like the one from South Africa, which is the King III code. It talks about governance of the organization and includes risk management as part of governance. Internal control and compliance are aspects of those (Figure 1). So control is how you respond to risk, and compliance is one dimension of risk. In that way of looking at the world, governance incorporates risk which incorporates control, and compliance is one aspect of risk that you have within the organization.
Figure 1. One framework explaining the GRC relationship. Aspects of the business such as operations and compliance affect all three areas.
Then you’ve got these risk frameworks, like COSO ERM or ISO 31000:2009 that came out at the end of 2009. They see the world a little bit differently because they incorporate into risk management the need for governance and oversight of risk. Control again is how you respond to risk and compliance is something you need to manage. So it’s a little bit complicated, the relationship between them. I like the first model, the OCEG definition, because it emphasizes that it’s all about how you achieve and optimize performance of the organization, and governance is where you establish that. Risk is something you’ll have to consider as part of optimizing performance, and compliance is a necessary dimension.
What is federated GRC? How does one go about breaking down silos within the business to achieve it?
NM: If you ask people like myself in the GRC area, we’re not trying to say that these organizations, these departments and functions within the business, have to come under a single owner. We’re not advocating that there needs to be an executive vice president of GRC.
What we’re saying is that these functions have to work together. They have to cooperate and share best practices. Where possible they should share the same processes. They should certainly use the same taxonomy and share information as much as possible. So we don’t talk about unifying GRC, we talk about federating GRC. And federating implies, just like a federation of states, the recognition of the independent nature of each one of the groups and that, for example, performance optimization or the management of risk has to be done at an operating level.
So you’ve got a lot of different people who have to manage risk. Whether it’s somebody in the treasury department, supply chain, logistics, or manufacturing, all of these people have to manage risks daily. We’re not trying to set up a global function that owns everything; what we’re trying to say is that everybody needs to work together in a federated way.
For example, if you need seven groups understanding risk, don’t try to force them into one organization if it’s wrong for the business. If it’s right for the business certainly bring them into one organization, but I like the model where the chief risk officer is more of a facilitator and risk is actually managed throughout the organization. What we need to do then is if you’ve got seven different functions managing risk, have them use the same language, have them share information so that each can see what the other is doing and can understand the impact of risk on each other, and develop frameworks in such a way that the people at the top of the organization can see what the risk is across the organization. Then they can aggregate where it is necessary and they can shift resources. For example, if IT is dependent on procurement for a major IT project, the risk is probably managed in procurement. It needs to be visible to IT and to executive management so they can see risks to the business if that IT project fails or is delivered late.
What is the best way to bring those different parts of the business together?
NM: Some ask if setting up a GRC officer is the best way. Well, most GRC officers are really risk officers with perhaps something else. At SAP, our senior vice president of global GRC is the chief risk officer, but also has compliance responsibilities. But she has few governance responsibilities.
What I’ve seen work successfully begins like the 12-step program for Alcoholics Anonymous — the first step is always recognizing you have a problem. You can’t embark on the journey of correcting an issue until you understand what it is. Hopefully the GRC lens through which you view your business enables you to see that you have these problems of silos, fragmentation, inconsistent information, and so on.
The first step is to get a broad level of understanding of the nature of the problem among the executive team. I’ve seen it work where five or six people who report directly to the CEO form a GRC council. I’ve also seen it where they’ve appointed their direct reports. Either way, you’ve got very senior people representing the major areas of the firm that participate in GRC-related activities.
So you’ve got finance, IT, internal audit, risk, legal, human resources, and maybe some of the operating functions in a GRC council, and what they do is look at these problems and prioritize them in terms of their significance to optimizing performance of the organization as a whole. Then they will kick off projects, which they co-sponsor, to address them. It’s done in a coordinated way and it’s done with buy-in and support from the key players within the organization because frankly, the politics of trying to get all these organizations to talk to each other can be a major problem. There are silos for a reason; there is fragmentation for a reason: People wanted to do it their way. To get everyone to do something a little bit differently for the good of the whole organization is a challenge, especially when the solution may not be perfect for any one individual, but it’s the best solution for the business as a whole.
Can you give us some examples of GRC success stories?
NM: I’ll give you a couple. The first is SAP ourselves. There are many improvements we’ve been able to make in the business by bringing risk management together, by bringing compliance together. They certainly resulted in saving several million dollars of insurance premiums, which is a very tangible benefit. I’ve heard the CFO for Americas talk about the several million dollars of bad deals that we avoided through the application of risk management techniques. We are certainly engaged in integrating strategy and risk; that’s a major project we have going on right now.
Most everybody is on a journey, and we’re on a journey too. This is not something that you can fix quickly, because it’s big — it embraces so many different departments and functions within the organization, but we’re well along the journey.
Another example is Raytheon. They did just as I suggested in terms of putting a GRC council together and they are on a journey of recognizing there’s a problem, prioritizing projects, and executing them.
What can happen without a good GRC policy in effect?
NM: I think the bankruptcy courts are littered with examples. Here’s an illustration: IBM has completed their first global ERM study. They reported that in 2009, 70 percent of organizations that responded failed to identify even half the adverse events that they suffered that year. That means that they were surprised, and we’re talking about events that were significant to them. Furthermore, of the ones that did identify, 70 percent got the assessment wrong. So what we’re seeing is this link between strategy and risk is epidemic in proportion.
In fact, Fortune magazine said that only 10 percent of strategies are actually achieved. So anybody who gets this right is going to have a competitive advantage. You can look at almost any company and you can point to what caused them to have problems. It’s going to come down to a GRC kind of failure.
How do you think that technology for GRC will evolve in the future?
NM: I think the technology is improving in a number of different ways. The first one is that the technology for individual functions is improving. The technology for risk management is improving. The technology for understanding and optimizing your spending is improving. Technology for understanding what you have to comply with and manage those requirements is improving. You’ve also got companies like SAP, Oracle, and others that are improving the level of integration between these different functions. It’s like in the old days of pre-SAP when you had a general ledger system that you bought and you also bought inventory software and you bought manufacturing applications and you bought credit and you bought treasury — and you made them work by passing files backwards and forwards. Then you started moving to more of an integrated ERP environment. I think what we’re doing is recognizing that, for example, risk management actually has to be embedded in how you do business throughout the organization. So you’re going to see risk management embedded in different applications that support those processes.
You’re going to see improved functionality for a process, you’re going to see improved integration between the software applications supporting GRC processes, and you are going to see better integration between GRC software and the enterprise ERP systems. You’re also going to see far better availability of information to drive all of that. For me, if you’re trying to manage risk and you’re trying to optimize performance, you need the best information to make decisions and you need that information immediately. You don’t want to say, “OK, I need to make a decision, let me have some information,” and then have someone say, “I’ll give it to you in a week.” You need the information when you need to make the decision. You need information about actual performance, and you need information about risk, much more continuously.
Risks are changing all the time. We’ve got new risks emerging, we’ve got the level of risks changing and fluctuating dramatically, and you don’t get a lot of early warning of a potential obstacle or adverse event anymore. Something comes up and you have very little time to react. There’s an article in the National Association of Corporate Directors magazine where someone said that these days with blogging and tweeting and everything else, the time that boards have to respond is five minutes. That’s the time between when an event occurs and when it hits the media. Now that may be an exaggeration, but it’s very graphic. Business has to operate faster and you have to manage risk at the speed of business. You have to be able to make decisions quickly. Agility really means dancing these days. An agile corporation is not one where something comes up and it takes a month to decide what to do.
What I see happening is that there’s more and more availability of information to show how you make intelligent decisions. Take ATM network data, for instance, and your ability to analyze billions of records in a minute. With that you can understand what’s happening and make decisions more intelligently. That is coming, and in fact that’s almost here. The ability to see trends so you can understand what’s happening with risk is amazing.
Things like sentiment analysis are emerging so you can now use social media to not only advocate or market your brand but also to understand what people think about your brand and your company. Understanding that helps you make better decisions, adjust your strategy, understand the level of risk, and so on. I see all of these things very much coming together.
Then you’ve got to add on to that the fact that people are using different devices to connect to that information. You no longer even need a laptop to get alerts on risk information; it’s now coming to your phone. All of this is rapidly changing as the technology is improving all the time. I still go back to the need to understand your business, understand your business process, understand your needs, and continuously look at the technology. Think about and have a vision for how technology can help you run the business better in the future. You may even have to change your business process because of the way your consumers, your customers, and your employees need to work and how you need to make decisions.
Are there any new SAP GRC tools in the works?
NM: We have a major release of our GRC software coming out imminently. SAP BusinessObjects GRC 10 is not only going to improve individual functionality in risk management and the other parts of our solution, but it will increase the ability of all these to work together. Then there are major things happening in the world of information — the technology to analyze data and provide information is being added to GRC applications like risk, strategy, and performance management. We’re trying to make all these different things come together so that we can enable our customers to run their business better, because that’s what it’s all about. SAP is all about running the business better. Rather than individual pieces of software, we’re giving customers solutions to help their business run better.
Laura Casasanto
Laura Casasanto is a technical editor who served as the managing editor of SCM Expert and Project Expert.
You may contact the author at lauracasasanto@gmail.com.