Steve Schlarman, IT GRC product manager, Archer Technologies

Rocco Prestia, the bass player for the funk band Tower of Power, was once asked to define “groove”. He scratched his scraggly beard and with his inimitable gravelly voice told this anecdote:

“Imagine yourself walking down the street with your buddies – your closest friends – on a Saturday night. Everyone is feeling great, you all have that swagger in your walk, and all the vibes are just right. Then, one of your friends picks up a rock and throws it through a store window. Well, he just messed up the groove.”

I paraphrased a bit, but I am sure you are asking yourself, “Now, what does this have to do with GRC?” There are many people in the industry who are trying to define GRC. Everyone is coming at it from a different angle – the risk managers, the security gurus, the auditors, the C-suite. But I have a simple theory – GRC, like groove, is indefinable. By that I mean that you can define the components of GRC – the oversight functions, the policies, the processes, the controls, etc. – just as Rocco could have talked about tempo, rhythm patterns, tone, and all of the music-theory components of a song. But those things are all peripheral to the bottom line. Groove is about collaboration and anticipating the direction of your fellow bandmates. When asked about groove, Rocco made one thing perfectly clear: “If it ain’t there, make no mistake – you’re going to feel it”.

My point is this: GRC is more than the sum of the parts of implementing a well-controlled environment. GRC embodies the flow within the organization that is created when people work together, with strong communication, to move the business forward in a meaningful and ordered manner. When processes are well defined, controls are implemented, and risks are being managed, then the business, through strong collaboration among its individual business units, is free to make beautiful music.

But before I go too crazy with this analogy, I’ll sum it up. GRC can’t be defined across the board; each company must find its own groove, the one that underpins the business and makes it successful. GRC is the discipline that lays down the foundation upon which the business can move freely and unrestricted, knowing that the risks and dangers of today’s environment are accounted for and controlled. That doesn’t mean the business goes off willy-nilly into high-risk situations at will, but that there is an established strategy to enable the business to implement new ways of doing business, open new markets, or explore any of the other growth activities that can fuel a successful business. So stop worrying about defining GRC – focus on finding your company’s groove and let the business lead the way.