<?xml version="1.0" encoding="utf-8"?><!-- generator="wordpress/2.0.5" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Definitions</title>
	<link>http://thurston.halfcat.org/blog/2008/02/19/definitions/</link>
	<description>We are the people your IT department warned you about</description>
	<pubDate>Fri, 12 Mar 2010 20:07:40 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.0.5</generator>

	<item>
		<title>by: roodee</title>
		<link>http://thurston.halfcat.org/blog/2008/02/19/definitions/#comment-205440</link>
		<pubDate>Thu, 28 Feb 2008 05:04:13 +0000</pubDate>
		<guid>http://thurston.halfcat.org/blog/2008/02/19/definitions/#comment-205440</guid>
					<description>I'm of the opinion that governance is completely decoupled from risk in many organizations. Instead of governance mapping to acceptable levels of risk as defined here it is instead mapped to what various regulatory rules mandate. When we turn on the compliance engine we are ensuring that 'what is' aligns with the 'what ought to be'. Unfortunately, this is seldom linked with the notions of risk articulated here. Am I the only one with this experience?</description>
		<content:encoded><![CDATA[<p>I&#8217;m of the opinion that governance is completely decoupled from risk in many organizations. Instead of governance mapping to acceptable levels of risk as defined here it is instead mapped to what various regulatory rules mandate. When we turn on the compliance engine we are ensuring that &#8216;what is&#8217; aligns with the &#8216;what ought to be&#8217;. Unfortunately, this is seldom linked with the notions of risk articulated here. Am I the only one with this experience?
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Someone to Watch, Over Me&#8230;. &#124; RiskAnalys.is</title>
		<link>http://thurston.halfcat.org/blog/2008/02/19/definitions/#comment-204627</link>
		<pubDate>Tue, 26 Feb 2008 16:20:54 +0000</pubDate>
		<guid>http://thurston.halfcat.org/blog/2008/02/19/definitions/#comment-204627</guid>
					<description>[...] Before we dive back into Deming later this week, I wanted to comment on some discussion we&#8217;ve been having over at Chandler Howell&#8217;s NBFAC Blog.  Over at Chandler&#8217;s podium for all things risky (which, it should be noted, is the original IRM blog) - there&#8217;s some discussion about GRC and their meaning and role and purpose.  In my usual manner, I made a hasty, didactic statement to be taken as fact - that Governance and Compliance are actually prior information for Risk Management, and not the other way around (which is an unfortunately all too common phenomenon in modern ERM/IRM practices). [...]</description>
		<content:encoded><![CDATA[<p>[&#8230;] Before we dive back into Deming later this week, I wanted to comment on some discussion we&#8217;ve been having over at Chandler Howell&#8217;s NBFAC Blog.  Over at Chandler&#8217;s podium for all things risky (which, it should be noted, is the original IRM blog) - there&#8217;s some discussion about GRC and their meaning and role and purpose.  In my usual manner, I made a hasty, didactic statement to be taken as fact - that Governance and Compliance are actually prior information for Risk Management, and not the other way around (which is an unfortunately all too common phenomenon in modern ERM/IRM practices). [&#8230;]
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: David Walter</title>
		<link>http://thurston.halfcat.org/blog/2008/02/19/definitions/#comment-203204</link>
		<pubDate>Fri, 22 Feb 2008 20:48:29 +0000</pubDate>
		<guid>http://thurston.halfcat.org/blog/2008/02/19/definitions/#comment-203204</guid>
					<description>Great Article! We engage on a daily basis with many GRC officers from F1000 clients in highly regulated industries. On the whole, I would agree with your definitions of governance, risk and compliance.  Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed.  Risk is the effect of uncertainty on business objectives; risk management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events.  Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.  

The marriage of the three terms enables a synergy that is gained by encompassing all three activities in a consolidated process.  Traditionally, companies would evaluate and monitor GRC in separate silos.  Only recently have our clients begun to understand the importance of breaking down those silos so each function can share data and provide a more holistic view to senior management.  Additionally, we are seeing companies using software to effectively and efficiently manage their policies, controls and applicable regulations/standards along with developing a risk register of potential operational, reputational and financial risks.  Both components can then be linked to questions in assessments to gather intel in regard to risk exposure and compliance with the governance material.  Finally, findings may be generated and tracked to mitigate the risk of non-compliance. 

Thanks for the information … spot on!</description>
		<content:encoded><![CDATA[<p>Great Article! We engage on a daily basis with many GRC officers from F1000 clients in highly regulated industries. On the whole, I would agree with your definitions of governance, risk and compliance.  Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed.  Risk is the effect of uncertainty on business objectives; risk management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events.  Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.  </p>
<p>The marriage of the three terms enables a synergy that is gained by encompassing all three activities in a consolidated process.  Traditionally, companies would evaluate and monitor GRC in separate silos.  Only recently have our clients begun to understand the importance of breaking down those silos so each function can share data and provide a more holistic view to senior management.  Additionally, we are seeing companies using software to effectively and efficiently manage their policies, controls and applicable regulations/standards along with developing a risk register of potential operational, reputational and financial risks.  Both components can then be linked to questions in assessments to gather intel in regard to risk exposure and compliance with the governance material.  Finally, findings may be generated and tracked to mitigate the risk of non-compliance. </p>
<p>Thanks for the information … spot on!
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Chandler Howell</title>
		<link>http://thurston.halfcat.org/blog/2008/02/19/definitions/#comment-202420</link>
		<pubDate>Wed, 20 Feb 2008 20:20:30 +0000</pubDate>
		<guid>http://thurston.halfcat.org/blog/2008/02/19/definitions/#comment-202420</guid>
					<description>Absolutely, Alex.

I'm always happy to see that I'm stimulating thought and discussion.</description>
		<content:encoded><![CDATA[<p>Absolutely, Alex.</p>
<p>I&#8217;m always happy to see that I&#8217;m stimulating thought and discussion.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Alex</title>
		<link>http://thurston.halfcat.org/blog/2008/02/19/definitions/#comment-202418</link>
		<pubDate>Wed, 20 Feb 2008 20:14:17 +0000</pubDate>
		<guid>http://thurston.halfcat.org/blog/2008/02/19/definitions/#comment-202418</guid>
					<description>Chandler,

If it's OK with you, I'd like to put up a blog post on my site to build upon/answer some of the questions/discussion that's come up.</description>
		<content:encoded><![CDATA[<p>Chandler,</p>
<p>If it&#8217;s OK with you, I&#8217;d like to put up a blog post on my site to build upon/answer some of the questions/discussion that&#8217;s come up.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Mahesh</title>
		<link>http://thurston.halfcat.org/blog/2008/02/19/definitions/#comment-202139</link>
		<pubDate>Wed, 20 Feb 2008 05:07:29 +0000</pubDate>
		<guid>http://thurston.halfcat.org/blog/2008/02/19/definitions/#comment-202139</guid>
					<description>Hi,

With regard to Governance, again, can we say that it is being transparent, following certain ethics, principles and good values while enhancing the value to the stakeholders?</description>
		<content:encoded><![CDATA[<p>Hi,</p>
<p>With regard to Governance, again, can we say that it is being transparent, following certain ethics, principles and good values while enhancing the value to the stakeholders?
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Iang</title>
		<link>http://thurston.halfcat.org/blog/2008/02/19/definitions/#comment-202002</link>
		<pubDate>Tue, 19 Feb 2008 22:26:17 +0000</pubDate>
		<guid>http://thurston.halfcat.org/blog/2008/02/19/definitions/#comment-202002</guid>
					<description>Thanks!  I agree with Compliance.

Curiously, I disagree with the above definition of governance and with Wikipedia (why be shy?) ... What you all seem to be circling around there I would describe as management.  That is, management is taking responsibility for an area within a framework of cohesive policies, consistent decisions and clear rights.

In contrast, I would say that Governance is "protecting the assets."  To be further contrasted with Investment, which is "growing the assets."

But, I can see from the various and many discussions on Wikipedia that I'm in a minority here :)</description>
		<content:encoded><![CDATA[<p>Thanks!  I agree with Compliance.</p>
<p>Curiously, I disagree with the above definition of governance and with Wikipedia (why be shy?) &#8230; What you all seem to be circling around there I would describe as management.  That is, management is taking responsibility for an area within a framework of cohesive policies, consistent decisions and clear rights.</p>
<p>In contrast, I would say that Governance is &#8220;protecting the assets.&#8221;  To be further contrasted with Investment, which is &#8220;growing the assets.&#8221;</p>
<p>But, I can see from the various and many discussions on Wikipedia that I&#8217;m in a minority here :)
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
