The “Groove Theory of GRC” and its Postulates

Categories: Governance, Risk & Compliance

Many moons ago, in a galaxy far far away, a theory emerged that would challenge the very existence of the universe. Okay, I may be a little dramatic here. It was actually in 2009, in Overland Park, KS and involved a two-part blog series I wrote for SC Magazine entitled “The Groove Theory”. Citing a four-year-old blog isn’t the grand entrance I was looking for and, truth be told, it didn’t challenge the very existence of the universe. However, the blogs did propose a theory and centered on the premise that GRC is very difficult to explain, but an absolute definition is not always necessary to discuss something. In the blogs, I likened GRC to the “groove” within a song – hard to define, but you definitely know if it is or is not present. As with all electrons trapped in the Internet, this blog series (Part 1 and Part 2) is captured for eternity – along with poorly thought-through Facebook photos and tweets regarding people’s breakfast choices. Not that I am comparing the value of these blogs to the life-changing decision between Captain Crunch and Cocoa Puffs, but sometimes it is nice to have these reminders of our past thinking to stimulate new thoughts.

In the four years since those blog posts, the landscape of governance, risk and compliance has evolved substantially and, I believe, is reaching an inflection point. In some respects, the discipline is enjoying the benefits of constant maturation. Companies have been on the journey for multiple years and, as evidenced by many of our long-time customers, are profiting from this adventure in both tangible and intangible ways. In other respects, GRC, in some eyes, has become a bloated term – nebulous in its meaning and suspect in its value. It is hard to argue with any concept that advocates managing risk, maintaining effective compliance with laws and regulations and, ultimately, making intelligent, data-driven business decisions. But some detractors of the concept of GRC talk of immense, costly, protracted, delayed projects that rarely cross the finish line.

Sometimes it is good to get back to the roots, and over the next few blogs I wish to wander down some previously traveled paths and try to find some new ways to look at things. I still believe in the “Groove Theory” premise that GRC is hard to verbally explain but is definitely observable. So instead of focusing on the bottom-line definition of GRC, I wish to articulate the observations that distinguish governance, risk and compliance initiatives. Just like listening to a song and feeling the groove, GRC can be detected and felt within an organization. Companies that can harness this force can move to a higher plane – just like those tunes on American Bandstand that had ‘a good beat and you can dance to’.

I hope you join me on this foray and weigh in on your experiences. We at RSA Archer have always promoted the fact that GRC is a community-driven industry. As I lay out this new “groove”, I hope you pick up your drum, or horn, or instrument of choice and join in.

Author: Steve Schlarman

Steve Schlarman is a GRC Strategist for RSA, The Security Division of EMC. With deep compliance, security, audit and IT management expertise, Mr. Schlarman is responsible for product design and architecture for RSA Archer GRC Solutions, focusing on IT and Security. Prior to joining Archer, Mr. Schlarman was the Chief Compliance Strategist for Brabeion Software, where he led overall product strategy, product management and content management. Before Brabeion, he was a Director in PricewaterhouseCoopers' Advisory Practice, focusing exclusively on information security consulting and auditing. Mr. Schlarman received a Bachelor of Science degree in Mathematical Sciences from Southern Illinois University-Edwardsville. He holds both CISSP and CISM certifications.