The interesting history of Governance, Risk and Compliance

thryve at IRMSA Conference October 2019

By Riaan Bekker, Force Solutions Managed, thryve

As we head towards the IRMSA conference, 2-3 October at Gallagher Estate in Midrand, Johannesburg, I am preparing for my presentation on the debate between GRC and IRM. ‘Governance, Risk & Compliance vs. Integrated Risk Management’ became a topic of debate when research firm Gartner decided a separate category was in order. It now publishes two different Magic Quadrants, one for GRC and one for IRM, each report highlighting the leading vendors in its category.

Not everyone agrees with this decision and there have been some heated opinions written about it. This debate shows to what extent modern technologies have improved governance, risk and compliance. The particular capability to integrate and balance risk data across an organisation is really powerful. But does it warrant a split in categories?

Part of the drama relates to the name GRC itself. It was coined in the early 2000s by Michael Rasmussen, then working for Forrester, another well-known research firm. GRC has officially been around since around 2002, when Rasmussen sat through a number of presentations from software companies and consultants in what is now the GRC space. At some point, he noticed the overlapping qualities between Governance, Risk Management and Compliance. The analyst used the label ‘GRC’ and it stuck.

But Rasmussen only takes credit for the acronym, writing: “Organizations have been doing GRC since the dawn of business. We did not need a three-letter acronym to all of a sudden do GRC. Every organization has some approach to the aspects of governance, risk management, and compliance: from the ad hoc and disorganized to the mature and aligned.”

The rise of Governance

Governance is an old practice since it can relate to any type of government. Even ancient tribes qualify. Corporate governance is more modern: the primary purpose of such governance is to manage affairs between the owners and management of a company if they are separated. 

One of the earliest examples was the Bazacle Milling Company, a society of 12th-century mills that pooled their interests and used stocks to manage the partnerships. The Dutch East India Company (VOC), formed in the 17th century to break royal monopolies on trade routes, became the first public company with shareholders, creating success and hardship as it grew in scale and power.

Compliance alters behaviour

The VOC is one of many examples showing how corporations aren’t the best at behaving. This is where compliance steps in. As with governance, compliance has a long history. You could say Adam eating the apple was a compliance failure! But modern compliance would follow long after corporate governance. As industrialisation expanded, the problems it created needed to be addressed. Modern compliance first emerged through public safety agencies at the start of the 20th century. The famous US Food and Drug Administration is one of these, formed in 1906.

Compliance expanded to cover different areas of corporate activity. While the VOC thankfully faded into history, infamous examples such as the United Fruit Company held on into modern times. Today we still see major collapses due to compliance failures, but it’s a monumental improvement over the past. Compliance has made it riskier to do the wrong thing.

Risk becomes smarter

Risk is the oldest discipline of the group. I could argue that awareness of risk is part of any living thing, but we needn’t go that deep. Risk as a human practice may well have been sharpened by games of chance. Rolling bones or dice led to probability theory, the precursor to more advanced risk management.

In the late 1600s, this matured: predictable patterns in the longevity of people within a specific group were discovered. Modern insurance and pension industries soon followed. A century later, the word ‘actuary’ was first used. But risk management only qualified as a serious corporate activity in the middle of the 20th century. It became too expensive to manage every risk with insurance, so new management methods were developed to tackle risk in other ways.

The age of GRC

This brings us full circle back to GRC. But what is GRC? By the early 2000s, the three corporate disciplines had found natural alignments. Then several corporate collapses in the US led to the Sarbanes-Oxley Act of 2002 (SOX). 

SOX had a major impact, leading to calls for more mature management of the three areas. The Open Compliance & Ethics Group (OCEG) reinforced Rasmussen’s GRC acronym, defining GRC as “critical capabilities that must work together to achieve Principled Performance – the capabilities that integrate the governance, management and assurance of performance, risk, and compliance activities.”

It was joined by a wave of modern software systems that proudly brandished the GRC badge. That continued until Gartner decided to split IRM into its own category. 

Is IRM that different from GRC? That will be the topic presented by Adelani Adesida, Sales Executive at Riskonnect, and myself at the IRMSA conference, 2-3 October at Gallagher Estate.

But IRM is definitely the next chapter in the story of these three corporate forces. Risk management platforms such as Riskonnect are changing what is possible with risk data to reinforce governance and compliance activities. Stop by thryve’s stand at the conference and see the future of GRC and IRM in action.