Is Your GRC Program Overly Focused on Compliance?

No company falls out of compliance over-night.  It’s a gradual process resulting from a combination of overlooked issues, that together create a serious problem.  Strangely enough, compliance issues often result from taking an overly compliance-focused approach to risk management; a common problem for Governance, Risk, and Compliance (GRC) programs.

Take for example J&J who, after a series of product recalls in 2009, has once again fallen out of compliance and now faces a permanent FDA injunction shutting down at least one plant and requiring at least five years of severe FDA oversight.  So what went wrong?

While J&J undoubtedly took the 2009 recalls seriously, they focused on correcting compliance issues rather than digging down to the root causes of those problems and correcting them at the source.  The result?   Manufacturing plants are once again out of compliance just two years later and the public’s trust in J&J products is beginning to wane.

Focusing on compliance is akin to adding another bilge pump because your boat has taken on too much water rather than seeking out and repairing the leak. The real solution to a company’s compliance management issues is to adopt an integrated approach to risk management; one that can identify root cause risk and their impact enterprise-wide, an approach that focuses on performance management not just meeting compliance goals.

These are the hallmarks of an ERM-approach to risk management.  This approach means assessing risks at the operational process level and understanding the consequences of those risks enterprise-wide.

It doesn’t matter whether you sail under the flag of ERM or GRC, the difference is in the approach.  Does your organization take an ERM-approach to managing risk?