GRC Groundhog Day
Same Thing, Different Result?
By Jason Rohlf
“Well, what if there is no tomorrow? There wasn’t one today.”
— Bill Murray as Phil Connors in Groundhog Day
I’d like to lead off this post with a simple assumption: We are all quite familiar with the concept of Groundhog Day, where each year a fuzzy little critter pokes his head out of a hole and provides the year’s most widely discussed weather prognostication. The tradition dates back to ancient European weather lore, and the American incarnation was carried across the Atlantic by Germans who found their way to Southeastern Pennsylvania in the late 18th and early 19th centuries. Many formal celebrations are carried on to this day, the most popular occurring in Punxsutawney, Pennsylvania, where crowds nearing 40,000 people ogle a furry little meteorologist.
Whenever I think of Groundhog Day, I can’t help but recall the feature film of the same title, starring Bill Murray, one of my favorite actors. Murray plays Phil Connors, a surly Pittsburgh weatherman who can’t hide his irritation at being forced to cover the Groundhog Day celebrations in Punxsutawney year after year. After he does his obligatory newscast, he finds himself stuck in the town, living the same day over and over and over again until it nearly drives him mad. He comes to the realization that what he’s doing just isn’t working, that there has to be a better way to live his life. Watching Phil find new, creative and sometimes desperate ways to either break the cycle or live his new reality is at times both hilarious and heartbreaking. By the end, you’ll likely find yourself rooting for Phil to complete his transformation, break the repetitive cycle and wake up to February 3.
Repeating the Same Things, Expecting Different Results
What does this have to do with the issues you may be facing as a Governance, Risk and Compliance (GRC) professional? Let me try to explain by posing a question:
When was the last time you performed a critical self-examination of your GRC program?
I realize this is a loaded question, as there are many facets to a “GRC Program.” You may have implemented new and improved processes, and you’ve likely selected a software program to support your effort, on which several of your employees have likely been trained. Perhaps you’ve contracted trusted resources to help you design and implement your program and keep you aware of new developments within the industry. Everything has been configured, implemented, documented, communicated and now you’re humming on all cylinders. So now it’s time to leave well enough alone and let things just hum in the background, right?
If you were an attorney, this is the point where you’d shout, “OBJECTION! Leading the witness!” and I would be guilty as charged. But I believe this point is valid. It is a good practice to constantly reevaluate your processes and procedures, especially those that are deemed mission-critical to the success of your organization. I believe that GRC and its ancillary processes fall squarely into that mission-critical category. Regardless of whether we manage a small piece of the GRC puzzle or the entirety of the program, I think we can agree that doing the same thing over and over without periodic reevaluation is not a recipe for success. What may have worked two years ago, last year or even last quarter may be outdated, obsolete or downright incorrect given the circumstances your organization is facing right at this moment. So I’ll ask again:
How confident are you that what you’re doing is addressing your organization’s most critical needs?
Don’t Equate Introspection with a Hamster Wheel
Now I realize that it is neither feasible nor practical to place yourself into a state of constant assessment and evaluation. Your organization must place its primary focus on the execution of the critical GRC processes that have been vetted and validated. That said, as you ride the ebbs and flows of your business, it is crucial to perform periodic assessments of your processes to make sure they’re giving you what you need. Keep in mind that this does not merely involve reviewing your process documentation, making a few tweaks, and calling it a day. Rather, you should focus on asking yourself some tough questions:
- Have your organization’s objectives changed, and if so, is your GRC program flexible enough to adjust and provide the critical information that supports your ability to meet these objectives?
- Are there opportunities to streamline and/or automate portions of your process that are currently managed manually? What are the time and cost implications of missing out on these opportunities to automate and enhance processes?
- Does your software product provide you with the critical capabilities you require to manage your program in light of the challenges your organization is currently facing? Does your software provider follow through on its promises for new features, or are you constantly being resold existing features?
- If you employ consultants, do they regularly counsel you on emerging trends and practices? Do you believe they have it all figured out, or could your processes potentially benefit from a fresh set of eyes?
Asking these seemingly simple questions may not always result in earth-shattering revelations that forever transform your GRC program. However, there is a very good chance that applying a healthy dose of professional skepticism from time to time may lead to valuable insights into those elements of your program that are either stuck in neutral or, worse, preventing you from providing the value that your stakeholders expect from GRC. We encourage you to constantly challenge the status quo, ask the tough questions and move past the constant hum of Groundhog Day.
Reposted with permission from opgrc.com.