
At IDS Scheer we have been deep into GRC projects for years now, so we decided it is time to share some of our knowledge and insights here in this forum. Hopefully we can enrich our expert discussions with cross-boundary knowledge from all of you.

So I have the pleasure of opening a blog post series on GRC that will reflect and extend the topics already displayed on the new website. This series will cover many regulatory topics, aspects of risk management, corporate governance and much more, from an expert view (hopefully not too much lecturing) and from pragmatic project experience. We plan to post at least one article a week, and we promise to cover any aspect of GRC we have something to share on. By the way - if you have any specific interest you'd like to see covered, just comment or mail me your ideas.

The opening topic is obviously to prepare the ground: What is GRC? Well, first of all it is a TLA. You don't know a TLA? Well, that's a Three-Letter Acronym of course! One of those fancy management-talk abbreviations nobody really understands but everybody uses with great conviction to show he/she is up to date with the latest consulting hypes. <big grin>

In this case it stands for Governance, Risk & Compliance - at first sight an unrelated combination of aspects of managing a company. But looking deeper, this combination is not by chance. So let's have a look at the parts before talking about them together. Wikipedia states: Governance is the activity of governing. Well, that helps a lot!

So we go for corporate governance: "... is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled." Now we are closer to an understanding. So mainly the Governance in GRC reflects the tone at the top of a company, the way management signals how business should be run, the general dos and don'ts. Another less prominent but equally important aspect of governance is accountability: accountability of individuals for their actions and for the actions of those they are responsible for.

Risk is easier to grasp. It refers to risk management concerning a business or company: actively analyzing the environment to identify threats to the achievement of objectives, and reducing or avoiding those risks by taking action against the possibility of a risk event actually occurring. This is a discipline with many ups and downs in the last years (see my previous posts). Especially in the financial services sector this has been brought to perfection on the statistical side - but unfortunately this has not prevented companies from taking excessive risks.

On Compliance, Wikipedia tells us that it means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations. This is as good as any definition. The actual challenge on the compliance side is to find an efficient way to ensure that all those relevant laws and regulations are covered and adhered to - if not, the effort (cost) will seriously hamper a company's performance.

All these definitions are fine, but they didn't prevent any case of misbehavior or non-compliance in the last years, nor those cases where risks were too high and the resulting events killed the companies (and damaged those around them). I think we need to understand what David Brooks nicely stated in his post in May.

Our society is built on intricate high-tech systems and complex processes. Without those systems neither the financial markets, nor energy production, travel, etc. would be possible. But those systems are too complex for any single person to understand. And we know that humans are not good at judging and responding to risk when in situations they cannot really grasp. Gut feeling only works when applied by experts with broad expertise and knowledge of the respective topic. To compensate for that, people tend to get used to risk: "it didn't happen so far, so it won't in the future!" Richard Feynman once compared this to playing Russian roulette: success in the last round is not a good predictor of success this time.

But still we are not using the right means to get to the roots of the GRC challenge. We still, more often than not, keep our employees in the dark about the reasons for policies or controls. We still do not regularly use fact-based approaches for risk assessment. We still create even more complex situations to work in. There is still a lot to improve concerning Governance, Risk & Compliance.

I hope I got your interest to follow the coming posts in this series; stay with us and discuss the upcoming topics. We will use the hash tag #LoungeTalk so you may easily find the related articles coming via or via ARIS Community. You may also join the community group ARIS GRC and subscribe to the relevant feed.

For more information, please see

Tags: GRC compliance LoungeTalk