Have you ever heard of the Winchester Mystery House in San Jose, California? It’s a sprawling mansion that was built in the 1800s at a cost of $5.5 million (adjust for inflation, and that is one very expensive house today). Some 147 builders worked on it over 38 years with no blueprint, no design, and no architect. As you might imagine, it’s a confusing maze of construction.
The story of this house reminds me of GRC and GRC processes in many organizations, perhaps yours. The components of GRC (governance, risk management, and compliance) are present in every organization. My position is that while every organization does GRC, their approaches and results vary. It may be an ad hoc, fly-by-the-seat-of-your-pants approach. But GRC done right delivers the capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].†

The Winchester Mystery House (Source: Wikipedia Commons)
The Winchester Mystery House analogy is how GRC looks in many organizations. You may have shadow GRC processes that spring up all over the organization in the bowels of operations that lack an enterprise top-down coordination and strategy. Over the last 38 years, the typical organization has had the equivalent of 147 different builders of GRC doing their own thing without thinking of the broader picture.
One organization I worked with closely stated that 80% of their risk and compliance staff time was spent managing documents, spreadsheets, and emails — not managing risk and compliance. Another took 200 hours to build a report for the board of directors because the information was trapped in silos. The stories of confusion and inefficiency go on and on.
Three steps to getting leadership buy-in for your GRC program
To solve this, organizations need to understand their needs for GRC processes, supported by an integrated GRC platform and architecture, and build a clear and compelling business case that delivers greater levels of efficiency, effectiveness, and agility. This involves:
- Understanding your current state. For many organizations, it will be a discovery of the Winchester Mystery House of GRC confusion. But to evolve and progress, you need to understand what is being done today and assess what is working, what is not, and what is missing. Inquire on the functions, processes, roles, and technologies that have a stake in the area of GRC you are addressing. Find out how they are approaching this, what is working well, and what is not.
- Design your future state. This involves the design of how GRC strategy, processes, information, reporting, accountability, responsibilities, and technology should ideally work in the organization. Assessing the gap between your current and future state delivers the foundation for building your business case.
- Build a business case. Measure the value the organization will achieve by working towards an integrated and collaborative view of GRC. This is the measurement of the objective/quantified and subjective/qualified value between the current and future state.
Successful GRC strategies can effectively mitigate risk, meet requirements, satisfy auditors, achieve human and financial efficiency, and meet the demands of a changing business environment. GRC solutions should achieve stronger processes that utilize accurate and reliable information. This enables a better-performing, less costly, and more flexible business environment.
How to measure the business value of GRC
When measuring the value that goes into a GRC business case, I break it down across the areas of efficiency, effectiveness, and agility. Organizations looking to achieve GRC value will build a future state business case that delivers greater:
- Efficiency. GRC provides efficiency and savings in human and financial capital resources by reducing operational costs through automating processes, particularly those that consume a lot of time consolidating and reconciling information in order to manage and mitigate risk and meet compliance requirements. GRC efficiency is achieved when there is a measurable reduction in the human and financial capital resources needed to address GRC in the context of business operations.
- Effectiveness. GRC achieves effectiveness in risk, control, compliance, IT, audit, and other GRC processes. This is delivered through greater assurance of the design and operational effectiveness of GRC processes to mitigate risk, protect the organization’s integrity, and meet regulatory requirements. GRC effectiveness is validated when business processes are operating within the controls and policies set by the organization and provide greater reliability of information to auditors and regulators.
- Agility. GRC delivers business agility when organizations can respond rapidly to changes in the internal business environment (e.g., employees, business relationships, operational risks, mergers, and acquisitions) as well as in the external environment (e.g., external risks, industry developments, market and economic factors, and changing laws and regulations). GRC agility is also achieved when organizations can identify and react promptly to issues, failures, non-compliance, and adverse events, so that action can be taken to contain them and keep them from growing.
With a clear and compelling business case of greater efficiency, effectiveness, and agility, it should be straightforward to get organizational approval and start the journey to your future state. From there, you need to take things in stages, break down the project plan, and start delivering on this vision.
† This is the official definition of GRC found in the OCEG GRC Capability Model, which I contributed to.