In my last blog post, I talked about the importance of building collaboration across the organization to bring the greatest value to your GRC program. For this blog, I am borrowing a piece of wisdom from an old sage of rock and roll. I heard an interview recently with Mick Fleetwood (of Fleetwood Mac fame) and he said something that really struck a chord for me. He said great songs transcend the artist’s original story and become a story of the audience. He meant that while an artist expresses his or her original thought, the song is adopted by the listener and becomes the listener’s own story. We have all had this happen. The song we share with our sweetheart; the tune we rocked out to with our high school friends on a Friday night; the theme song of our favorite sports team during the run to the championship. The songs we associate with those memories have risen above the artist’s original idea and become our own. It doesn’t matter if it is Glenn Miller, Lennon & McCartney or Eminem - great song writers know how to craft a song to make this magical journey. This takes me to my next Postulate for the Groove Theory of GRC:
Postulate #3: Great GRC programs are founded on Key Processes that guide the organization, make the end goals of risk and compliance management personal and ultimately become part of the culture of the organization.
When one dissects GRC, there are certain processes that are core to the program - the essence of these processes is to enable governance, manage risk or ensure compliance. Processes such as Policy Management, Risk Assessments and Controls Testing are essential building blocks of GRC programs. Without these Key Processes, there is no program. Dangling off of these key processes are the many bits and pieces within the business that support the program. In the IT department, configuration and disaster recovery management are not core GRC processes but manage risks to the availability of systems. In the Finance department, monthly close out processes are not core GRC processes but ensure compliance to accounting practices. These supporting processes are specific to the domain – IT and Finance, in these examples – and support the Key Processes of the GRC program.
The relationshipbetween GRC processes and business operations are very analogous to the creative process of song writing. Many times, song writers will come into the studio with the chord progression, the lyrics and the melody – but the individual parts of the song are built in collaboration with the band members. The drummer can add his own beat; the bass player picks up a nice countermelody and so forth. But the framework of their inputs is the vision of what the song writer originally put on paper. When the musicians are framed by the musical arrangement, they should have the freedom to color but stay within the lines.
GRC programs should help frame those lines such that the business can move freely but remain within the context of managing risk and complying with laws and regulations. A GRC program has truly impacted the culture of an organization when the business feels this freedom but can make the right decisions at both the macro and micro level. Management is driving the business towards optimized performance; employees are making sound, risk-based, ethical decisions on a daily basis. If we take a step back, we should be able to discern between the Key Processes that are core to GRC within the organization and the Domain Processes that are tangential to those Key Processes. The Key GRC Processes, such as Risk Management, Audit Management and Strategic Planning provide the foundation. The business then leverages those processes to enable and guide daily operations.
To close out my analogy in this instance, great songwriters (the GRC advocates and drivers in an organization) must craft a message and story that resonates with their fellow band members (the business) to create a memorable experience for their listeners (the customers). The GRC program does this through establishing Key Processes that allow the business to use their own processes to collaborate in creating a culture that permeates the organization. The end goal is a creation worthy of a #1 album and a place forever in the heart and memory of the listener.