governance framework around it was left with the auditors — the company
likely retained very little of this “how to” knowledge. It was the equivalent
of receiving a fish someone else caught rather than learning how to catch it
yourself.
The solution is for companies to start perceiving GRC as more than just
addressing separate issue areas and perceive it as a strategic initiative rather
than a set of tactics to be applied on a piecemeal basis. As such, a company
should integrate this knowledge and function into its day-to-day operations
rather than having an outside firm carry out the process for them. A company
could hire an auditing firm to consult on what controls are needed, how to test
them, and help document the process. At that point, however, the process
should be brought in-house. Third parties can still be helpful to periodically
evaluate how well the GRC initiative is being carried out, however, and to sug-
gest improvements.
Justifying the cost of GRC ...................................................................
The fact that cutting costs equals increased profits, all other things being
equal, is a very simple formula for people to understand. You can easily see
that executives and managers face huge pressures to make sure that costs are
as low as they can be. In many ways, cost control is their number one impera-
tive. Within the context of GRC, though, top-down pressures could push some
managers and executives to cut GRC-related investments to the point that the
company’s exposure to risk and compliance violations is increased.
For example, think back to the homeowner’s analogy we mentioned earlier in
this chapter. When a person buys a house, they have it inspected to ensure
that the roof doesn’t leak, the electric system is up to code and safe, the exte-
rior walls are painted and there are no signs of rot, the septic system is in good
working order as is the rest of the plumbing, and that the foundation is solid.
However, as time goes by, a certain amount of wear and tear occurs on the
house. Without continued investments to replace the roof before it leaks,
update the electric system, maintain the plumbing, and fix cracks in the foun-
dation, there is a risk of failure with profound consequences to the house and
the people living in it. Further, a lack of investment may cause the home to
violate certain municipal codes or ordinances. And of course, the batteries
in the smoke detectors need to be regularly checked and replaced.
GRC for a company is no different: It has to be an ongoing investment. There-
fore, it is important to incorporate within the governing framework a means
to rationalize and communicate the need (risks and benefits) to maintaining
investments in GRC in an enterprise-wide and sustained manner.
One solution to this issue, writes Scott Mitchell, is to develop a thorough and
logically argued business case for GRC investment that can be easily accessed
80 Part I: Governance, Risk, and Compliance Demystified
