Governance, Risk and Compliance, or GRC, is another business process that does not quite match how we live our day-to-day lives. In the real world we live by laws (Governance), if we get caught breaking a law we get punished (Risk), and then we promise to be good again (Compliance). In the Business world they get off easier: first they get to write their own rules, and then they hire their own Auditors, who are always nice when it comes to the punishment.
In our industry the Governance is called ISO 9000 (strictly speaking, the certificate is issued against ISO 9001, but everyone calls the whole thing ISO 9000), and in practice you can't do business without it, so everyone gets Audited, no exceptions. It all starts with a written document of what the Company promises to do, and then another document, or a pile of records, to prove they did what they said in the first document. If the two don't match, the Auditor writes up a nonconformity, and you have to close it either by changing what you actually do or by changing the document. Changing the document is almost always cheaper, which is why policies drift toward vagueness over time.
Here is a real-world example of the changes in my Backup document.
2000 Version 1: Tapes will be shipped off site every Tuesday.
2002 Version 2: Tapes will be shipped offsite once a week.
2005 Version 3: Tapes will be shipped offsite once a month.
2008 Version 4: Tapes will be shipped offsite as needed.
2010 Version 5: Tapes have been replaced by hard drives.
Each of these revisions was the result of a failed Audit, where I had missed a Tuesday or we had decided to decrease our frequency to save costs. I wish we had made it generic from the beginning, but we had to learn the hard way.
In the Business world the Governance is self-determined: they get to write their own rules. In the real world the Governance has more bite, and we don't get to write our own laws. In the Business world the Risk is all monetary, but in real life the Risk is all too real. In the Business world Compliance is voluntary, but in real life Compliance is enforced with a heavy hand.
When it comes to enforcement, it seems the Business world gets away with more money for less punishment, while in the real world criminals serve more time for stealing less.