Today marks the official release of the public draft of the governance, risk management, and compliance (GRC) paper that I have worked on over the past couple months with Ted Frank, of The Compliance Consortium, and others. The writing of the paper was driven by three convictions:

  • GRC stands apart: Governance, risk management, and compliance are all of a piece–and they are related to a coherent set of objectives and practices that are fundamentally different from the other things going on in an organization.
  • GRC needs high level attention: Governance, risk management, and compliance comprise a set of concerns and objectives that must be dealt with at the board of directors and senior management level.
  • GRC is manageable: Even though governance, risk management, and compliance touch thousands of processes and objectives throughout an organization, there really is a small, manageable set of concerns that should inform board and management decision-making.

This last point relates to the “both forest and trees” view that I wrote about in my recent post on XBRL and Compliance. To make GRC manageable we need ways to zoom into the details and zoom back out to the big picture. Said more formally, we need ways to deal with the concept at different levels of abstraction, from fine-grained to chunky. XBRL looks promising in this regard.

One of the key ideas expressed in the paper is that the United States Sentencing Commission guidelines regarding compliance and ethics can serve as a good starting point for identifying the important, board and senior management level GRC objectives. This idea is practically appealing, since following the guidelines can result in a 95% reduction in penalties in the event that, despite a company’s best efforts to prevent it, fraudulent activity takes place. The intent of the paper is to also make this idea appealing at an operational and functional level — we believe that we make the case that concentrating on just seven objectives can get management and board members focused on the right concerns and questions.

If this interests you, take a look at the paper.  If you have comments, you can of course add them here — but if you want your comments to get more in the way official consideration, you should also express your views on the Compliance Consortium website.