February 19th, 2008 by Chandler Howell

Since IanG has been wondering about it in comments, I thought I’d take a moment to follow up on the theme that Alex Hutton so nicely summarized in one of his comments on my post:

Governance and Compliance are priors for Risk Management, and not the other way around.

So, starting with my favourite data source, Wikipedia, Compliance is defined as:

conforming to a specification, standard or law that has been clearly defined.

Governance, similarly, is defined as:

In the case of a business or of a non-profit organization, governance relates to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility. For example, managing at a corporate level might involve evolving policies on privacy, on internal investment, and on the use of data.

Governance and compliance are two sides of the same coin–compliance is about following the rules, governance is about making sure the rules are clearly, consistently defined and enforced.

I think that one mistake people tend to make is to confuse Risk Analysis, effectively the process of compressing the three axes of risk (impact and likelihood over time) into a single value, with Risk Management, the process of ensuring that risks are identified and kept at some desired level.

How is this accomplished? Well, first and foremost, we must define the level–that’s where the clearly defined policies, processes, etc. come in. Once we define the rules, we (try to) ensure that people are aware of them and following them, then enforce and update them over time.

When people are in compliance, they are implicitly at our accepted level of risk. If they get too far outside of tolerances, then we now have a risk that must be managed. But without knowing what our accepted level of risk is, we don’t know which risks can be accepted and which risks must be managed back down to that level.

Hence, Alex’s observation.

- Posted in Security and Risk Management, Risk Management, Security metrics

Iang Says:

Thanks! I agree with Compliance.

Curiously, I disagree with the above definition of governance and with Wikipedia (why be shy?) … What you all seem to be circling around there I would describe as management. That is, management is taking responsibility for an area within a framework of cohesive policies, consistent decisions and clear rights.

In contrast, I would say that Governance is “protecting the assets.” To be further contrasted with Investment, which is “growing the assets.”

But, I can see from the various and many discussions on wikipedia that I’m in a minority here :)

- February 19th, 2008 at 4:26 pm |

Mahesh Says:

Hi,

With regard to Governance, again, can we say that it is being transparent, following certain ethics, principles and good values while enhancing the value to the stakeholders?

- February 19th, 2008 at 11:07 pm |

Alex Says:

Chandler,

If it’s OK with you, I’d like to put up a blog post on my site to build upon/answer some of the questions/discussion that’s come up.

- February 20th, 2008 at 2:14 pm |

Absolutely, Alex.

I’m always happy to see that I’m stimulating thought and discussion.

- February 20th, 2008 at 2:20 pm |

Great article! We engage on a daily basis with many GRC officers from F1000 clients in highly regulated industries. On the whole, I would agree with your definitions of governance, risk and compliance. Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed. Risk is the effect of uncertainty on business objectives; risk management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events. Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.

The marriage of the three terms enables a synergy that is gained by encompassing all three activities in a consolidated process. Traditionally, companies would evaluate and monitor GRC in separate silos. Only recently, our clients are beginning to understand the importance of breaking down those silos so each function can share data and provide a more holistic view to senior management. Additionally, we are seeing companies using software to effectively and efficiently manage their policies, controls and applicable regulations/standards along with developing a risk register of potential operational, reputational and financial risks. Both components can then be linked to questions in assessments to gather intel in regards to risk exposure and compliance with the governance material. Finally, findings may be generated and tracked to mitigate the risk of non-compliance.

Thanks for the information … spot on!

- February 22nd, 2008 at 2:48 pm |

[…] Before we dive back into Deming later this week, I wanted to comment on some discussion we’ve been having over at Chandler Howell’s NBFAC Blog. Over at Chandler’s podium for all things risky (which, it should be noted, is the original IRM blog) there’s some discussion about GRC and their meaning and role and purpose. In my usual manner, I made a hasty, didactic statement to be taken as fact: that Governance and Compliance are actually prior information for Risk Management, and not the other way around (which is an unfortunately all too common phenomenon in modern ERM/IRM practices). […]

- February 26th, 2008 at 10:20 am |

roodee Says:

I’m of the opinion that governance is completely decoupled from risk in many organizations. Instead of governance mapping to acceptable levels of risk as defined here it is instead mapped to what various regulatory rules mandate. When we turn on the compliance engine we are ensuring that ‘what is’ aligns with the ‘what ought to be’. Unfortunately, this is seldom linked with the notions of risk articulated here. Am I the only one with this experience?

- February 27th, 2008 at 11:04 pm |