The Evolution of GRC

“Was all this legal? Absolutely not.” – Jordan Belfort, The Wolf of Wall Street.

For those who haven’t seen Leonardo DiCaprio’s latest film, The Wolf of Wall Street – the premise of the movie can be summed up in that sentence alone. The film tells the story of the rise and fall of Jordan Belfort – the Wall Street tycoon who made and lost his millions building an incredibly corrupt stock brokerage, Stratton Oakmont.

While The Wolf of Wall Street may have been an extreme case of a lack of governance (and morals), the film brings to light a recurring pattern throughout human history: governance is established, risks are identified, and compliance fails with devastating outcomes. Business enterprises are no exception – the railroad robber barons of the 19th century, the Wall Street crash and Great Depression of the 20th century, and the global financial crisis just a few short years ago. How can we prevent history from repeating itself and ensure this kind of mayhem does not happen again?

Establishing a robust and effective framework around governance, risk management, and compliance is essential. The key is understanding how GRC has adapted to reflect the changing face of the business world as technology continues to radically evolve and enhance the way that organizations operate. Over the last 150 years, the business world has been revolutionized, and the ability to manage and control the organization has never been more critical.

At Cask, we recognize three types of governance, each of which adds its own layer of complexity: a company’s policies and strategic direction, regulatory requirements, and industry best practices. Understanding how these three types have evolved and converged can ultimately help organizations comprehend the importance and the challenge of the GRC process.


Let’s flash back to the Industrial Revolution of the 1800s, which dramatically changed the way the world worked. Cities and populations grew, along with household incomes and the size of corporations. With this boom in technology and improved manufacturing processes within corporations, the scope of operations and the level of risk grew substantially. It was no longer possible for one owner, regardless of experience or skills, to personally oversee and direct the entire enterprise. The need grew to create policy and to regulate the decision-making of subordinate managers. With minimal government regulation and virtually non-existent industry standards, organizations began to create internal governance structures designed to achieve the company’s strategic objectives.


Over the course of the 1900s, the construction of regulatory frameworks began to explode. In response to corporate excesses, the government began to regulate corporate activities. The process began in the first half of the century, with the establishment of the Federal Reserve and the SEC, and continued after WWII with environmental regulations, equal employment laws, and landmarks like HIPAA in 1996 and Sarbanes-Oxley in 2002. The purpose of these frameworks varies – protecting information, privacy, and individual rights, or establishing and enforcing how entities operate with one another. Whatever the intention, legal frameworks have become a fundamental part of the business world, with a significant impact on strategy development and management practices, to ensure that corporate objectives are achieved while maintaining compliance with regulatory requirements.


Industry best practices serve a dual purpose in efforts to achieve both corporate objectives and regulatory compliance. Organizations such as ASME and IEEE began establishing engineering standards in the late 19th century, and the shared knowledge in their best practice guidelines not only increased efficiency but also improved the safety of industrial operations. Corporate management adopted the standards created by professional standards bodies because of the financial returns that compliance produced, while regulatory bodies relied on those groups for the technical content required by regulations. As technology has become an increasingly critical influence on organizational success, the adoption of best practice frameworks such as ITIL, PMBOK, PCI, and COBIT has increased just as rapidly. By adopting industry best practices, many organizations are able to establish standard governance processes that achieve meaningful and consistent results while managing risk effectively and achieving compliance.


There is no one-size-fits-all solution to improving governance, risk, and compliance results. It requires a solid understanding of the business and regulatory environment within which an organization operates, and an appreciation of the value that industry best practice frameworks bring to the challenges in that environment. Within our consulting engagements, Cask offers a flexible and comprehensive approach based on applying fundamental service management principles to assessing and enhancing GRC processes. Learn more about Cask’s IT Governance capabilities.