What is the Essence of Governance?
By Dorian J. Cougias
Founder and Lead Analyst, Unified Compliance Framework

The essence of something, of anything, is what makes that thing what it is. So what is the essence of the G in GRC, the essence of governance?

Let's step back a second and ask the obvious question which doesn't always get asked - why in the heck are we, as organizations, willing to be governed in the first place? If you really cut through all of the bull, the reason is simple. An organization is a collective group of people coming together for some common purpose. And the organization of any collective group of people is found in the set of rules put forth by the leaders of the group and consented to (voluntarily or coercively) by the followers, to stave off either chaos or outside influencers.

To put it simply, if you are a fine French store like Target, you'll most likely have an e-commerce governance team to set your cardholder data rules - if only to stave off being sued by the card brands or a class action lawsuit.

So now we know why we consent to being governed - because it beats the alternative of being governed by outsiders or the possibility of the madness of chaotic crowds. But that isn't the spark, the essence of governance. I believe the essence of governance lies within inclusion in, familiarity with, or at least a transparent view into the process of governance.

James Madison, writing about the essence of governing, stated that "the essence of governing is power; and power, lodged as it must be in human hands, will ever be liable to abuse." He also said that "all men having power ought to be distrusted to a certain degree." So if the essence of governing is power (which can readily be abused), then to keep this in check the essence of governance must be the force behind a transparent process - force enough to bring to light how decisions are made, risks taken, and compliance enforced.

Remember that governance isn't simply a heavy-handed approach to power. Governance is only effective when those who are being governed consent to obey the rules set forth (thinking, correctly or not, that it beats the alternatives). There is no voluntarism about obeying compliance rules (unless you are an IT security zealot). While the consent of the majority might put a nice face on being governed, in fact, most people within any organization are governed through coercion. Why else would we have the need for internal (and external) auditors?

Therefore, the essence of governance can be found in that which makes being governed, being coerced into "doing what is right," less distasteful. As the old saying from Mary Poppins goes, "a spoonful of sugar helps the medicine go down." And in most cases with governance in organizations, that sugar is a view into (or participation in) the transparent process that gives the force its legitimacy.

It is not governance to say to the organization "You must follow this policy." It is governance to say to the organization "This policy is derived from these controls in these authority documents. We have found that it is less risky to spend the money and time to follow the policy than to ignore the policy and expose the organization to non-compliance penalties." Governance implies the setting of policy based upon known and communicated rules. The part that makes organizational governance what it is, is the transparency into that system of communication and rules.

If we are to measure our GRC programs, or our GRC professionals, would their essence show through? Would the person or tool be the vehicle to:
  • Advise the organization about which authority documents they must be mindful of, pointing out how and where those authority documents fit?
  • Produce a unified compliance framework in order to safeguard the confidentiality, integrity, and availability of the organization's key resources?
  • Use a risk-based approach to balance the organization's leaders' interest in expediency against the need to comply and the related (and detailed) protective measures that issue forth?
  • Promote high standards of ethical (or at least compliant) behavior through the transparency of examining the processes and artifacts generated by the organization's unified compliance framework?

Editor's Note: Dorian Cougias will participate in a Webinar, Survive the Regulatory Tsunami with the Unified Compliance Framework and Spectra, Tuesday, December 16, 2008 at 10 a.m. Central / 12 p.m. Eastern. Register here.
 

Copyright ©2009 The Compliance Authority, Inc.