What is the Right Business Approach for GRC?

August 27, 2015

Among the many webinars hosted by Enablon in the past, one was with well-known GRC (Governance, Risk and Compliance) expert and Chief GRC Pundit Michael Rasmussen. Rasmussen, considered to be the father of GRC, was the first to define and model the GRC market in February 2002 while at Forrester.

During the Q&A period of the webinar, the following question was asked:

“What are the main differences between a federated approach to risk management versus a centralized approach?”

The greater question is: What is the right business approach for GRC?

Before answering it, here are common definitions of the three different business approaches and architectures to GRC as per GRC 20/20 and others:

Decentralized: This is the most immature approach to GRC, even referred to as “anarchy” by Rasmussen. Under a decentralized scenario, risk management and regulatory compliance activities are performed in multiple silos throughout the organization. Responsibilities are scattered, which leads to a situation where there are big differences between departments. This approach is also usually characterized by manual GRC activities (e.g. emails, documents, spreadsheets, etc.).

Federated: Under a federated GRC approach, there are common taxonomies, standards and methods for risk identification, management and reporting throughout the enterprise. However, distinct risk methods, taxonomies and workflows are also supported, in order to meet unique needs across the company. A federated GRC architecture is characterized by central coordination and shared services with distributed accountability and autonomy where it makes practical sense. There is GRC oversight at the corporate level but the actual management of GRC is performed more at the department level. Risk functions from different departments work and collaborate together.

Centralized: This approach to GRC has some things in common with the federated GRC architecture, namely the presence of common taxonomies, standards and methods for risk identification, management and reporting. However, under this GRC architecture and strategy, GRC efforts, processes, and services are coordinated at the corporate level across the entire company, with less autonomy at the department level. There is a common GRC platform, but more importantly, there is centralized GRC coordination.

Which approach is the best? What does Rasmussen think? What do you think?

To start, we can easily disqualify the decentralized approach. Because risk (and EHS and Sustainability, for that matter) needs to be managed holistically, with an alignment of standards, methods, objectives and reporting across the enterprise, the decentralized GRC architecture does not make sense.

What about the federated and centralized GRC architectures? Is there a clear advantage of one over the other, especially in large organizations? Michael Rasmussen says “yes” and chooses the federated approach as the ideal one. If you want to learn more about this, download a recording of the webinar. The webinar also places the three GRC architectures within the larger framework of the GRC maturity model.

If you need to align Risk and EHS management strategies, making sure that you have the right GRC business approach in place is an excellent start. Therefore, ask yourself whether the structures and processes present in your organization favor a federated approach to GRC.