In 1993, academic James Moore authored a Harvard Business Review article introducing the concept of the “business ecosystem.”[1] Moore, a leadership expert who studies changes in large-scale systems, defined his new phrase as “an economic community supported by a foundation of interacting organizations and individuals – the organisms of the business world.”
In the ensuing decades, the analogy expanded beyond its original description of external marketplace dynamics to make sense of the inner workings of organizations -- their integrated networks of business activities, structures and technology that form a symbiotic system of mutual support and co-development.
Through that organizational lens, Moore’s ecosystem model remains just as relevant today, especially when applied to the complex nature of GRC. While discrete governance, risk management and compliance structures comprise the foundational elements of organizational resilience, policy management fulfills a crucial connective role by integrating and constantly interacting with all GRC activities to ensure they are performed in a standardized and unified manner.
“Without an integrated GRC ecosystem, an organization cannot act with the agility, resiliency and confidence it needs to thrive in today’s complex business environment,” notes Mike Rost, Vice-President at Workiva, a leading GRC solution provider.
Without a fully GRC-integrated policy management program, the efficacy of governance, risk management and compliance activities is at risk of unexpected culture and control detours, unacceptable risk exposures and compliance failures.
Any assessment of an organization’s GRC ecosystem begins by identifying the various parts of the business that share an environment and how those areas can interact for the greater good of all stakeholders.
In a biological ecosystem, no organism can exist in isolation. Each will have many different interactions of different types that contribute to the life of the organism and to the well-being of the ecosystem overall. The same holds true in the GRC ecosystem, which hosts countless interactions that are critical to driving the overall health of the business. Consider the professionals who specialize in different roles, the processes they operate and the technology they use -- unless those ecosystem participants share current GRC information regarding changes in governance structure, risk appetites, regulatory requirements and the like, the business cannot survive.
The GRC ecosystem also connects all aspects of high-level objective-setting, strategic planning, and the numerous mechanisms through which those plans are executed throughout the business in pursuit of stated objectives. Those mechanisms include all business processes (e.g., risk management, workforce management, sales, etc.), supporting technology systems, individual decisions, and interactions, and more.
Within the GRC ecosystem, the role of policy management is to help ensure that all of the organization’s processes, technologies, decisions, and behaviors are conducted within the guardrails that GRC requirements provide, notes Rost. Current policies (an important qualifier, given that policies change in response to changing business and regulatory conditions) support and guide leaders, managers, and professionals in their daily work. Providing this support requires policy information to flow continually throughout the GRC ecosystem while ensuring that all employees receive the right level and volume of relevant policy information.
A GRC ecosystem begins with a central focus on the objectives of the organization. It expands to include continual monitoring of the internal and external business environments to identify possible threats to the objectives as well as opportunities that may arise. The ecosystem further expands to include the business operations and what those operations do to meet the objectives while mitigating risks. This activity is supported by a number of business units or activities that help keep the organization on track to meet its objectives while addressing the uncertainty from risks and staying within the boundaries – both mandatory and voluntary – of acceptable conduct. These supportive parts of the GRC ecosystem include human resources, communications and training, legal, finance, change management and related areas.
Various types of technology are also part of the GRC ecosystem and must be connected with each other in a way that enables the sharing and use of consistent information. These systems include applications that identify and track outcomes for objectives, monitor and assess risks, maintain budgets and requests for resources, track employee responsibilities and related access rights, and train employees on requirements and procedures.
Policies are statements that guide conduct to support the achievement of the defined objectives. They also provide the framework for the establishment of specific procedures that are implemented throughout the organization. In this way, policies connect all aspects of the GRC ecosystem. Rost suggests five important connections that must be present for an effective policy management program:
When these types of connections are present, a GRC ecosystem becomes more integrated with policy management. That connectivity helps all members of the ecosystem collaborate in ways that strengthen GRC capabilities, making the organizational organism more agile, more resilient and more confident in its ability to achieve its objectives.
[1] “Predators and Prey: A New Ecology of Competition,” by James F. Moore, Harvard Business Review, May–June 1993 Issue: https://hbr.org/1993/05/predators-and-prey-a-new-ecology-of-competition.