Illustration borrowed from gapingvoid.com.
The term «outsourcing» comes from the American glossary term ‘outside resourcing’ and dates back to at least 1981.
Outsourcing is an arrangement in which one company provides services for another company that could also have been provided in-house.
«Governance, Risk Management and Compliance» («GRC» for short) is, however, a relatively new term. Some argue that it started after the USA’s Sarbanes-Oxley Act saw the light in 2002. GRC addresses «the three pillars that work together for the purpose of assuring that an organization meets its objectives.» (cite: wikipedia.org).
OK, let’s start at the top.
Governance concerns the rules senior management puts in place to run a business in a given context, such as:
- The standards the business should get certified by (ISO, BS, etc.)
- The organisational model with roles and levels of authority (Hierarchical, Matrix, Network of teams, etc.)
- The business processes and policies
In addition, all organisations must naturally abide by applicable local and international legislation.
As we all know, senior management cannot outsource the accountability for any aspect of the organisation’s operations. Hiring management consultants for a limited period of time, such as to get support through a business transformation, is advisable, but outsourcing the governance on a semi-permanent basis simply does not make any sense.
Senior management cannot outsource accountability
Let me elaborate: By outsourcing the governance of a business, senior management would have a third party running the business they are in charge of, while the third party would be exempt from the accountability for their actions. Say, if the outsourcing company broke any anti-corruption laws, senior management would still be accountable and probably end up in jail (at least in Norway).
It’s not technically impossible to outsource governance, but I would definitely look deeply into the matter before making any final decision.
If you have any experience in outsourcing the governance of a business, please leave a comment.
Risk Management concerns dealing with potential unwanted events. Internally, risk management is mainly about handling the risk of the organisation not following the governance set by senior management. Externally, it is centered around dealing with external elements that have a potential impact on the business.
Both internally and externally, risk management includes:
- Assessing the probability and the impact of an unwanted event,
- Initiating activities to reduce or remove a risk, and
- Planning and executing activities when a risk occurs (risk mitigation)
Although outsourcing risk management is technically possible, I would argue that effective risk management requires a deep insight into the business, and that knowledge is best kept in-house.