A long time ago, in a consulting firm far, far, away, we were taught a somewhat counterintuitive principle: work backward. This proved to be an effective way to approach many difficult problems. We read complex documents from back to front, begin business process maps at the end and work toward the beginning, look at transactions from the client’s desired end result first, and so forth.
Today’s approach to Enterprise Governance, Risk, and Compliance (GRC) should really be no different. Separated into its constituent parts, GRC is the confluence of three seemingly distinct disciplines: Corporate Governance, Enterprise Risk Management, and Legal & Regulatory Compliance. Blending the three in the modern organization is truly an art.
Those who touch GRC on a daily basis—Corporate Counsel, CIO’s, Policy Directors, and many others—should work in reverse from the strategic goal to be achieved on behalf of the organization, back to the operational tasks that need to be executed to “make it happen.” This is a bit different, and more comprehensive, than the oft-repeated “Begin with the End in Mind” proviso. Under the backwards analysis principle, we actually do begin at the end, and all analysis and strategic mapping is then planned in reverse from the end state.
For example, your desired end state might be to have a fully-developed Corporate Compliance plan in place by December 31st. The underpinnings of such a GRC project are quite complex, to be sure. But the various operational tasks become much clearer when you first understand what you are trying to achieve. Do you want to obtain a certification, develop a corporate policy, or reduce risk? These three objectives might be closely related, but it is important to define them separately. Similarly, the line between strategy and operations should be clear. While a business can afford some variations in operational execution, it can almost never afford mistakes in strategy.
Stephen Covey wrote about understanding the difference between the functions of “What to Do” and “How to Do.” Thinking about your GRC program in a holistic manner from desired finishing point back to starting point is clearly a “What to Do” function (which was, according to Covey, a higher-level task within an organization). It is really the entire conceptualization and design of the GRC program. Much of the actual execution of the program—the “How to Do”—can be carefully delegated to your operational staff or outsourced.
Moreover, the backwards analysis principle also allows us to work conceptually from the general, down to the specific, similar to the methodology utilized in cladistic diagrams. In cladistic analysis, a scientist will begin with the most general classification of organisms, and then drill-down level by level until the organism is properly classified. You should think in similar terms about GRC concepts—beginning with the goal to be achieved on behalf of the organization, and then schematically outlining each group of tasks or workflows required to accomplish the higher-level objective. This will also provide you with a neatly-packaged hierarchy that can be useful for internal audit purposes, resource justification, internal costing, and, perhaps most importantly, quantifying progress. The cladistic diagram will effectively be your primary roadmap for conceptualizing your program.
There is another unexpected benefit of starting at the end: the degree of buy-in from your Board of Directors and C-Suite is enhanced because your program is built around organizational goals. A GRC program constructed in reverse with a comprehensive understanding of law, corporate policy, and societal goals will be more enduring, effective, and easily applied across the entire corporate organization.
And finally, enjoy the pride and purpose knowing that you are delivering your GRC program at a strategic level, not an operational or tactical level. Working in reverse will help you perform your functions holistically, at a high level, and not become mired in ‘the thick of thin things.’ You will demonstrate the intellectual discipline of understanding the end game and aligning your GRC program and its execution to the overall corporate vision, mission, and goals.