So what is this GRC thing?
By Dennis Howlett in Editorial
Posted in compliance, GRC on
Governance, risk and compliance, which conveniently contracts down to a Gartner-compliant TLA - GRC - is one of the hottest topics in the enterprise world today. If the Enron, Tyco and other financial scandals were not enough, the popularity of all things ‘green’ has put GRC close to the top of the agenda in many CXO offices. But as always with a new acronym, people want to know what it means.
GRC is not a product in the conventional sense of the word. Unlike ERP for instance, you can’t go down to your friendly software vendor and ask for a GRC package. Instead, you’re more than likely to be offered a bunch of consulting to figure out what GRC solutions can be shoehorned into your existing IT applications infrastructure. What you will find is that vendors are positioning products like business intelligence, SOX management and financial control software as part of the package of stuff they want you to buy. Sound surprised? You shouldn’t be.
One of the big issues companies experience comes from not having good compliance processes in place. Only last week, Dave Turner, marketing director at CODA, came up with this ‘sex, lies and embezzlement’ scandal out of Austria. If it wasn’t true you’d think you were reading a work of fiction:
…a former finance manager found himself at the centre of a sex, lies and embezzlement scandal when he was convicted of robbing a human rights group of $1.8m – all in the name of keeping his mistress happy.
The 43-year-old-man, as yet unnamed, steered money into his bank account for six years under the cover of financing human rights projects and happily clocked up the NGO’s credit card for personal use.
His mistress, obviously flush with illicitly gained cash, allegedly gambled away up to $7,000 a week, treated herself to new breasts and a nose, and even asked for $44,000 to open a hair salon.
The accountant, who had been sentenced to three years in jail, told a Viennese court that she had promised to pay him back in part from a huge inheritance owed to her.
Unfortunately for his employers – the International Helsinki Federation for Human Rights (IHF) – the hefty fraud has forced it to call in the administrators.
Sadly, these tales are all too common, yet they could be avoided with the right controls in place. The problem is where do you start and stop? Good compliance should be silent in the sense that it operates in the background. It should not materially impinge on people’s ability to get things done. At the same time it should be clear that processes are being monitored, so that people feel protected in the work they do. To that end, analyst firm Redmonk developed a Compliance Oriented Architecture framework. While Redmonk acknowledges the research needs refreshing, it has received support from Freeform Dynamics in its analysis of compliance in financial services. According to James Governor, principal analyst at Redmonk, it is starting to gain increased attention from a variety of vendors both large and small.
Risk is something that we all know exists yet find hard to define. Financial risk is easy to envisage and often goes something like this: ‘What would be the effect if X% of the people who owe us money failed to pay?’ or ‘What is the downstream risk of this hedge given it is backed by cocoa beans?’ Risk is deeper than that. Last week a person told me that when they consider outsourced manufacture, they look at a range of metrics. These include whether the outsourcer complies with local labour laws, that they’re sourcing materials from sustainable resources and that they are not overt polluters. Why?
One only has to think about how Nike and others had to take drastic action to clean up operations to realize that reputational risk is a significant business issue. In a world that is demanding transparency, how business is conducted becomes a topic of discussion where the microscope of pressure groups can become a firehose of adverse comment. At an almost mundane level the way customer support is delivered becomes a risk issue. Remember Dell Hell where Jeff Jarvis used his influence to bring a change in the way Dell manages customer relations and responds to product issues? Expect to see more horror stories of this kind.
Finally we have governance. This is a horribly woolly area. For many organizations it is an expression of how oversight operates, usually but not restricted to the way a company undertakes tasks like executive compensation, partnering and so on. A good example is that of the Global Reporting Initiative. However, what you say you’ll do and what you actually do are not the same thing. In discussion with SAP for instance, they argue that governance statements without the benefit of being wrapped in process are not doing the job. I agree.
While we’re at it, where does CSR fit in? That’s less clear. I see CSR policy execution as part of the overall topics of managing governance and risk. So for example, when I see that in the SAP developer community there is the start of discussions about process and measurement on topics like labor practices and decent work indicators, then I know these feed back to basic systems around HR. Equally, these indicators could feed back to the policies adopted by companies conscious of their need to be seen to be doing the right thing.
While organizations can expect their vendor contacts to be dripping the GRC TLA into their ears, the fact that product is hard to find should not be a reason to sit back. Investigate, review and consult, but always with a business problem in mind. The products will come.
Over the coming weeks and months, I’ll be exploring the issues around these broad topics, how companies are tackling the issues that are raised and looking at some of the ways organizations are raising awareness and reacting to the issues. On occasion, some of these will be amusing for their invention.
Enjoy, and I look forward to your feedback, good and bad.
Disclosure: I am part of the SDN community and an editor of the SAP CSR wiki. I am not currently remunerated for my work with these communities.
Comment by Kelly Stuart - January 15, 2008 on 7:21 am
Good timely topic. The author points to a number of factors that are very important.
If you are interested in balanced scorecard, KPI and metrics in business, check this website to learn more about Metrics and development metrics.