GRC: Oxymoron, tautology, or just plain bunkum

The author criticizes the over-reliance on GRC technologies and the proliferation of new risk categories like Regulatory, Compliance, and Legal Risk. They argue that these categories are often redundant and that the true focus should be on underlying human behavior and systemic issues that lead to risk.

Over these last few years I have watched with growing bemusement as a highly lucrative industry has been built around Governance, Risk, and Compliance (GRC) by many purveyors of press-here-and-push-there technologies. What is offered to a naïve and hungry audience is instant gratification with respect to risk and compliance frameworks and everything else you might possibly need to please the long line of stakeholders who dare ask whether you know your risks and how you actually manage them.

And with all of this (I don't know how causal or correlated) has come some exotic and newfangled risk vocabulary. New risk types are springing up, not least among them Regulatory Risk, Compliance Risk, and Legal Risk. These are really risk types? Do we hold our breath for Risk-Risk!?!

Yes, I get it, these are times when markets, banks, and corporations are beset by regulatory and compliance concerns; there is much flinching and squirming and check-writing by those on the wrong side of the law and regulations; and all this of course in the continued aftermath of the last financial crisis (to me, 2007/09 now seems actually far enough in the past; surely we are close to repeating such bad history again soon, but that is another story). I also get it that the sellers of fine medicine that can treat every disease you may or may not have have realized that entrée into the C-suite is through risk portals, and that such terminology quite beautifully takes up the mantle of Open Sesame in these times.

Compliance Risk means the risks, I presume, arising out of non-compliance. So it is about the exposure to supervisory and legal penalties, financial forfeits, and reputational loss that an organization faces when it fails to act in accordance with laws and regulations, policies or prescribed practices. Legal Risk I suppose is very similar or the same: about the risk of corporate butts getting hauled into court on legal grounds. And Regulatory Risk, again more of the same, must be the fear of pissing Regulators off more than you already have (which may be a feat in itself) by blatantly, or even worse unknowingly, violating Regulations.


I am singularly unimpressed. These are effects, not causes, of bad management of risk. Risk is about the future not being what you thought or wanted it to be. Its management is about assessing outcomes, about looking at what vulnerabilities you have against what may be coming at you. These terms (LR, CR, RR as above) are meaningless: simply double negatives or redundant positives. Policies, regulations, standards, and principles by definition exist to identify, define and contain risks, at the level of one desk, one institution, or the system as a whole.

Violation does not create a whole new type of risk. It simply reopens the risk that the policy itself was seeking to address in the first place, a risk you could have avoided (or at least limited) re-exposing yourself to by complying with the law, regulation or policy. Compliance is hugely important, and quite simply essential to your being allowed to exist; it is about doing the right things now, and adhering to what you have agreed to obey. But inventing a whole phraseology and pseudo-function around compliance risk (and meaning it to be the risk of non-compliance)? Cease and desist, please. The risk of not taking medicine when you have a headache is simply the headache itself, and it is not going away soon, or worse, it is growing larger. We don't need new terminology to define it anew. Take the medicine. Be aware (continually) of what you need to follow and adhere to. And just follow and adhere. Yes, I understand that those dashboards and yet more toolkits give you this sense of comfort. But speak to risk, and help you manage it? No, they don't.

Meanwhile, we show no signs of getting the overall point. Regulators were significantly embarrassed by the last crisis, realizing as they then (finally, correctly) did that the hubris and excess of financial services can and will threaten the world. Their own eventual appreciation of the issues that come from correlations and concentrations has by now been sharpened to absolute disgust and sheer paranoia. Can you really blame them? Isn't it only natural, however uncomfortable and seemingly business-unfriendly it is, that they will come at markets and players now with a sense of don't-trust-and-will-verify, and will then ask you: what if you and we are wrong again?

That's my real problem with innovative risk-creation and system-selling and showcases full of black-boxed frameworks. I believe that the misguided schools of Compliance Risk and Legal Risk and GRC are together conjuring up a great escape mechanism for risk-takers who do not want to, or cannot, understand and deal with the underlying risks. They are designed for, and help perpetuate, a school of box-checkers trying to postulate adherence to regulation, paying lip service to systematized approaches to control, and getting an obsessive hold over form, with not a prayer on substance. Technology does not manage risk; it enables its management, and very much so, especially with the phenomenal ability we all have today to harness data for all it is worth. But the voodoo part (the parrot picking the risk card from the native astrologer) is not Risk Management. Not least of the differences is that Risk Management is about forming forward-looking views on risk and how to manage it within one's appetite, how to earn an optimal return against such risks, how to be able to define "the unusual, the unintended and the unacceptable", and how to survive for the benefit of the employee, the shareholder, the customer, and the market at large. Not playing catch-up games with fancy boxes and arrows and colors.

Call me old-school. But if one of these Compliance Risk or Legal Risk or Regulatory Risk gurus ever finds and deals with a risk on time and effectively, do give me a shout. I might by then have actually started my own "Risk Risk" consultancy. And do send a hat over, for I would have already eaten mine!