Last night I made the mistake of attending a local IT Forum meeting. In addition to the usual cliché-ridden talk of establishing a “silicon valley” locally, the perceptions and strategies on offer were 20 years out of date and based on requiring a government lead. Bureaucracy-driven innovation, now that’ll work! Needless to say I left early.
That got me thinking about the problem with our field of Governance, Risk and Compliance. Why, with the number of fertile minds that exist in our field, is it still a case of an irresistible force meeting an immovable object? The paradox, I believe, like that of our would-be entrepreneurs above, is one of approach.
The current approach to Governance
The current approach to Governance is to systemise, control and regulate as a method of ensuring things can’t go wrong. Suffering fraud and corruption is wrong, poor performance is wrong, and not meeting customer expectations is wrong. So we have quality management systems to protect customers, safety management systems to protect workers and enterprise risk management to protect the business. All entail setting rules to be followed, surveillance systems to monitor compliance, and documenting everything under the sun in the false hope that it will all work out as planned.
We have CRM systems to tell us customers’ previous trends, ERP to communicate between departments, and portals (SharePoint) to tell workers everything they need to know. All sorted then. But how empowered do you feel? We, by which I mean senior management, have fallen into the old public official’s quicksand of believing that good management is a guarantee of good results. It isn’t. Introducing more rules and controls is the business equivalent of thrashing around in the quicksand. The complex and volatile business world of the 21st century, with its disruptive trends (as we hear ad nauseam), requires a different approach from the predictable past. But how?
Let’s start by taking a step back and looking at what we are trying to achieve and how we are going about it. Why do we want Governance, Risk and Compliance within an organisation?
Out-of-Date concepts of Governance
The key principle in Governance is Leadership which, as the pundits ruminate, is about motivating people to follow, not herding or controlling them. Almost to a tee, ask anyone in business about Governance and they’ll tell you it’s the process of ensuring (a euphemism for controlling) that people do the right thing. But the principles of modern democracy are founded on the premise that the collective knowledge and abilities of the body politic are more capable than any individual or oligarchy. Doesn’t this principle also hold true for business? It is the basis of Game Theory and collective intentionality, which are the main drivers of modern market behaviour (hence the overuse of social media marketing), and it offers far better strategic planning and decision-making models than top-down gut feel. Being wedded to 18th-century concepts of Governance is looking more and more like the boy with his finger in the dyke.
The Solution is…
It’s nothing new: empower staff. This is done by creating a Collaborative Organisation with a collaborative culture, a motivated workforce and a supportive infrastructure. Jay Cross’s great article on this whole subject, available from CitrixOnline and titled “Why-Corporate-Training-is-Broken-and-How-to-Fix-It” (yes, but imitation is the sincerest form of flattery), states that knowledge workers are motivated by a sense of autonomy, mastery, and a purpose that is greater than themselves.
If we approach our business from the perspective that our role as managers is to remove the obstacles from the way of our workforce and provide the resources for them to be successful, then GRC needs to be a resource, not an obstacle. Governance needs to foster a collaborative environment (the best protection against rogue behaviour), Risk needs to be an informative decision-making tool, and Compliance needs to be a process of mentoring, i.e. useful.
Integrate Governance at the coalface
CRM is NOT about relationships, it’s about tracking salespeople. ERP doesn’t foster interdepartmental communication, it silos it. And portals are just a dumping ground for unstructured data, great for analytics but not for empowering workers. To drive Governance forward, it needs to integrate the intelligence (knowledge, not statistics) held in GRC systems with the operational points of decision making, rather than sitting apart as a separate reference source or review function.
Ditch the OHS concept of Risk
Comparing Corporate Risk Management with OHS Risk Management is like comparing Social Engineering with Mechanical Engineering. Although they share a word, they are entirely different fish. OHS risk is a defensive control discipline based on rigidity, while corporate risk management (ERM) is its antithesis: an expansive, opportunity-oriented discipline aimed at flexibility. To be of benefit to operational management as a decision-making tool, risk management has to be interactive and provide options (e.g. scenario analysis), not registers and restrictions.
Compliance must Add Value
Compliance needs to be proactive mentoring advice, connecting people with a source of expertise (a person) or with historical lessons learnt. Risk-based auditing becomes threat and vulnerability review when it is conducted by someone with subject expertise. The compliance framework gives a systematic approach to the analysis. Findings and observations, instead of being judgemental, should be useful operational recommendations for Realisation, Optimisation and Innovation (see PDCA is NOT Best Practice).
The result: Qualitative not Prescriptive Governance
Moving to a more qualitative rather than prescriptive form of Governance will allow an organisation to be more resilient and adaptive, and release far greater potential from its workforce.