
In my last blog post, I talked about the importance of building collaboration across the organization to bring the greatest value to your GRC program.  For this blog, I am borrowing a piece of wisdom from an old sage of rock and roll.  I heard an interview recently with Mick Fleetwood (of Fleetwood Mac fame) and he said something that really struck a chord for me.  He said great songs transcend the artist’s original story and become a story of the audience.   He meant that while an artist expresses his or her original thought, the song is adopted by the listener and becomes the listener’s own story.  We have all had this happen.  The song we share with our sweetheart;  the tune we rocked out to with our high school friends on a Friday night; the theme song of our favorite sports team during the run to the championship.  The songs we associate with those memories have risen above the artist’s original idea and become our own.    It doesn’t matter if it is Glenn Miller, Lennon & McCartney or Eminem - great song writers know how to craft a song to make this magical journey.  This takes me to my next Postulate for the Groove Theory of GRC:


Postulate #3:  Great GRC programs are founded on Key Processes that guide the organization, make the end goals of risk and compliance management personal and ultimately become part of the culture of the organization.


When one dissects GRC, there are certain processes that are core to the program - the essence of these processes is to enable governance, manage risk or ensure compliance.   Processes such as Policy Management, Risk Assessments and Controls Testing are essential building blocks of GRC programs.  Without these Key Processes, there is no program.   Dangling off of these key processes are the many bits and pieces within the business that support the program.  In the IT department, configuration and disaster recovery management are not core GRC processes but manage risks to the availability of systems.  In the Finance department, monthly close out processes are not core GRC processes but ensure compliance to accounting practices.  These supporting processes are specific to the domain – IT and Finance, in these examples – and support the Key Processes of the GRC program.


The relationship between GRC processes and business operations is very analogous to the creative process of song writing.  Many times, song writers will come into the studio with the chord progression, the lyrics and the melody – but the individual parts of the song are built in collaboration with the band members.  The drummer can add his own beat; the bass player picks up a nice countermelody and so forth.  But the framework of their inputs is the vision of what the song writer originally put on paper.  When the musicians are framed by the musical arrangement, they should have the freedom to color but stay within the lines.


GRC programs should help frame those lines such that the business can move freely but remain within the context of managing risk and complying with laws and regulations.  A GRC program has truly impacted the culture of an organization when the business feels this freedom but can make the right decisions at both the macro and micro level.  Management is driving the business towards optimized performance; employees are making sound, risk-based, ethical decisions on a daily basis.  If we take a step back, we should be able to discern between the Key Processes that are core to GRC within the organization and the Domain Processes that are tangential to those Key Processes.  The Key GRC Processes, such as Risk Management, Audit Management and Strategic Planning provide the foundation.  The business then leverages those processes to enable and guide daily operations.


To close out my analogy in this instance, great songwriters (the GRC advocates and drivers in an organization) must craft a message and story that resonates with their fellow band members (the business) to create a memorable experience for their listeners (the customers).  The GRC program does this through establishing Key Processes that allow the business to use their own processes to collaborate in creating a culture that permeates the organization.  The end goal is a creation worthy of a #1 album and a place forever in the heart and memory of the listener.

The initial inspiration of my “Groove Theory of GRC” was Rocco Prestia, the bass player for the funk band Tower of Power.  His definition, or lack thereof, of the term groove started my thought process on how very important things can exist without exact scientific explanation.   In my last blog, I talked about combining Musicality and Performance to create a special musical experience and how GRC should strive for this powerful combination through Visibility and Accountability to result in Performance Optimization.  Now I want to explore the complexities of any musical endeavor.  While solo performances can be captivating, a full orchestra performing in perfect concert together is one of the highest forms of human collaboration and expression.  So on to postulate #2.


Postulate #2:  The more pieces of the business involved, the more complex the challenge but the greater the value.


Across the spectrum of GRC activities, multiple pieces of the business need to pick up their instruments and build to the crescendo of a well-oiled organization.  This may be a flowery way of putting it to fit my running analogy so let’s cut to brass tacks:  Everybody needs to play nice in the sand box.  Not as dramatic but that is the bottom line.  Organizations that build walls, foster politically motivated cultures, enable kingdom building and all of the bad behavior we saw on the playground in kindergarten will struggle with making the right decisions and eventually face a serious business breakdown.


GRC is one of those avenues to break down the barriers between parts of the business.  If an organization can rally around a significant regulatory compliance challenge (as many companies faced with Sarbanes Oxley) or unite to respond to a major calamity (as organizations experienced during recent natural disasters), then the organization should be able to band together to operationalize risk and compliance processes.  Domains of the business such as Information Technology, Finance, Audit, Legal, Compliance and others are necessary to build the right fabric across the organization.  A common strategy, with defined objectives and executive buy-in, will go a long way.


Each domain, or department, will at times seek to build its own GRC approach.  This is completely understandable as each domain has its own drivers and needs.  Information Technology may utilize GRC to improve IT service responsiveness, reduce security risks and maintain compliance to data protection standards.  Finance may focus GRC on financial reporting processes, look to reduce capital, market or liquidity risk and maintain compliance to accounting practices.  G, R and C mean different things to different operational elements.  However, the organization can begin to bring those together into a more concerted, complementary approach through an enterprise strategy.


Back to my Groove theory:  Most organizations will start with a string quartet or jazz trio or folk singing duo.  The goal is then to bring more and more instruments into the ensemble until a full orchestra is making music together from the same song sheet.   Obviously that singular score, if its parts are written with harmony and based on solid music theory, can enable the movements, countermelodies and dynamics that make for a beautiful symphony.   It is at this point where the organization transitions from singular players into a larger, more complex performance.   The result:  Opus # 9 in GRC sharp.


* I had to include a link to this video showing "Tower of Power" from 1973 – 2011.  A band as tight and funky as can get even after 38 years of creating music.  Now that is the type of sustainable collaboration we all hope we could foster in our organizations.

Many moons ago, in a galaxy far far away, a theory emerged that would challenge the very existence of the universe.   Okay, I may be a little dramatic here.  It was actually in 2009, in Overland Park, KS and involved a two part blog series I wrote for SC Magazine entitled “The Groove Theory”.    That isn’t the grand entrance to this blog I was looking for and truth be told – it didn’t challenge the very existence of the universe.  However, the blogs did propose a theory and centered on the premise that GRC is very difficult to explain but an absolute definition is not always necessary to discuss something.  In the blogs, I likened GRC to the “groove” within a song – hard to define but you definitely know if it is or is not present.   As with all electrons trapped in the Internet, this blog series (Part 1 and Part 2) is captured for eternity - along with poorly thought through Facebook photos and tweets regarding people’s breakfast choices.   Not that I am comparing the value of these blogs to the life changing decision between Captain Crunch and Cocoa Puffs but sometimes it is nice to have these reminders of our past thinking to stimulate new thoughts.


In the four years since those blog posts, the landscape of governance, risk and compliance has evolved substantially and, I believe, is reaching an inflection point.  In some respects, the discipline is enjoying the benefits of constant maturation.  Companies have been on the journey for multiple years and, evidenced by many of our long-time customers, are profiting from this adventure in both tangible and intangible ways.   In other respects, GRC, in some eyes, has become a bloated term – nebulous in its meaning and suspect in its value.  It is hard to argue with any concept that advocates managing risk, maintaining effective compliance to laws and regulations and, ultimately, making intelligent data driven business decisions.   But some detractors of the concept of GRC talk of immense, costly, protracted, delayed projects that rarely cross the finish line.


Sometimes it is good to get back to the roots and over the next few blogs, I wish to wander down some previously traveled paths and try to find some new ways to look at things.  I still believe in the “Groove Theory” premise that GRC is hard to verbally explain but is definitely observable.   So instead of focusing on the bottom line definition of GRC, I wish to articulate the observations that distinguish governance, risk and compliance initiatives.   Just like listening to a song and feeling the groove, GRC can be detected and felt within an organization.  Companies that can harness this force can move to a higher plane – just like those tunes on American Bandstand that had ‘a good beat and you can dance to’.


I hope you join me on this foray and weigh in on your experiences.  We at RSA Archer have always promoted the fact that GRC is a community driven industry.  As I lay out this new “groove”, I hope you pick up your drum, or horn, or instrument of choice and join in.

Welcome to my second in a series of blogs based on what I term “The Groove Theory of GRC”.   As you may or may not know (or infer from this series), I have been a musician for much of my life.  Starting in grade school playing in the school band, I have enjoyed the gift of making music over many years.  While I am no longer a “gigging” musician, I still pick up my craft and noodle at home often.   One aspect of making music that I have enjoyed is the debate between musicality and performance.  Is a great musician guaranteed to be a great performer?  Are all great musical performers talented musicians?


Miles Davis is an easy example of this.  On one hand, you have an intense musical genius that fueled scores of jazz standards and inspired countless musicians across the globe.  On the other hand, you have an individual who later in his career performed quite literally with his back to the audience facing the other musicians and at times seemed oblivious that an audience was even present (Check out this video of his classic song Tutu).   Unfortunately I never got to see Miles Davis in person so I can’t weigh in on the feeling of being physically at one of his performances.  I am sure the power of the musicality was overwhelming but the performance may have left some feeling disconnected from the artist.   My point is that in some cases, you can have one without the other – great musicality without a grand performance or engaging entertainment without a deep, complex musical experience.   How does this fit into my “Groove Theory of GRC”?


Postulate #1:  Optimizing Business Performance is the end goal; Visibility and Accountability is the method.


The end goal of any GRC program should be Performance Optimization.  If GRC were a concert, the performance matters.  I am not talking about lasers and smoke machines.  I am talking about the substantive effect one feels at the end of a great performance – whether it is music, or theatre or a sporting event.  Management and the Board of Directors need to make decisions that are more certain to result in desired outcomes thus optimizing the performance of the business.   The GRC program should set this as the fundamental objective and impact the organization positively.   But great musical performances just don’t happen.  All the lasers and smoke machines in the world cannot make up for a truly awful band.   A talented set of musicians who know their own role, are dedicated to their craft and are communicating together can bring a musicality that transcends the individual members of the band.  This is the magic that makes the performance great.    The strength of the Performance is through the Visibility and Accountability the band members have with each other, the music and the audience.


To make it simple using my analogy, you have to have Musicality AND Performance to completely capture an audience.  Artists such as Michael Jackson, Prince, Frank Sinatra and many others have epitomized this unique blend of talent, personality and commitment.    GRC needs both Performance Optimization as a goal with Visibility and Accountability enabling the performance.  The program must be absolutely concerned about the positive impact to its audience AND based on a collaborative, connected ecosystem of contributors.

What are your organization’s end goals for GRC?  How do your GRC musicians connect, share and keep the audience engaged and entertained?  Do you feel your organization is bringing both performance (focus on business optimization) and musicality (visibility and accountability) to the concert hall?
