I’ve been thinking more lately about what GRC really is, in its purist, simplest form. How do we explain the real motivation behind combining these three basic elements? I had one of those thoughts that makes you smile during dinner last week with a few of my EMC colleagues.
It’s this: Enterprise is all about creating shareholder wealth. Creating shareholder wealth, however you define it, depends on exploiting the right opportunities: no risk, no reward. GRC then is, very simply, managing the pursuit of shareholder wealth, at the margins. Are we inside or outside of the boundaries of our mission, strategic intent, and performance measures?
It’s that simple. Of course, it is never that simple. J So, here’s a little more meat. Let’s think of managing risk vs. reward as a cycle of four challenges, questions we must constantly ask ourselves if we are truly creating shareholder wealth.
1. Translating Strategy into Appetite
What is the appetite for risks given our business strategy and intent? Here we drive that understanding into the day to day cultural fabric of the enterprise by managing to business and regulatory requirements, and rationalizing against policies and control sets. This may mean taking the tone at the top and collaborating, communicating and acknowledging when and how that risk appetite is being comprehended and acted upon.
2. Managing Information within Appetites
How do we manage our appetite within tolerances while meeting our requirements, and supporting the hyper-extended enterprise with fluid, elastic infrastructures? Here we manage the boundaries while information is exploding and our organizations are becoming more complex, virtual and extended. This may mean building new models of business and technology information and infrastructure management that allow us to 'see around corners'.
3. Measuring Meaningfully
What are realistic and acceptable thresholds and how do we measure at the appropriate level of granularity? Here we measure precisely what we must, plus a little more to gain the context we need to truly understand when we are close to, or crossing the boundary – staying in the margins. This may mean adopting new technologies that measure continuously, automatically – providing analytics and visualizations at the right level of granularity, when are where it counts.
4. Evolving and Adapting
What is the appropriate level of agility for a certain stage on the maturity curve? Here we manage to best practices, weighing where our peers are, identifying and exploiting opportunities for competitive advantage while lowering costs and becoming more streamline and efficient. This may mean embracing new approaches like business process analysis across the silos, and technologies like the private cloud.
Each of us, no matter where we are in the enterprise, meets these four challenges, every day, in every way, consciously or unconsciously. Next time you are faced with a dilemma on whether to take a risk, or not, would it help to ask yourself these four questions? Is it within the enterprise’s risk appetite? Can we manage within the boundaries? Can we measure meaningfully to stay at the margin? Can we evolve and adapt to where we need to be by taking this risk? And now that I have you thinking...are there other GRC-based questions we should be asking, of ourselves, our management, peers, partners and customers in order to manage the pursuit of shareholder wealth at the margins?