Monty Python on governance, risk, and compliance

Guest Post from Riskczar

I read too much about what GRC or ERM needs, but far too often the suggestions read like my favourite Monty Python skit (a lot of easier-said-than-done steps):

Alan: Well, last week we showed you how to become a gynecologist. And this week on ‘How to do it’ we’re going to show you how to play the flute … but first, here’s Jackie to tell you all how to rid the world of all known diseases.
Jackie: Hello, Alan.
Alan: Hello, Jackie.
Jackie: Well, first of all become a doctor and discover a marvellous cure for something, and then, when the medical profession really starts to take notice of you, you can jolly well tell them what to do and make sure they get everything right so there’ll never be any diseases ever again.
Alan: Thanks, Jackie. Great idea. How to play the flute. (picking up a flute) Well here we are. You blow there and you move your fingers up and down here.

So when I read very articulate comments like these from the blog Corporate Integrity, it makes me think of how to play the flute:

Risk management does not happen in a vacuum … The board and management have to clearly define and communicate the culture of risk taking, acceptance, tolerance, and appetite. … Once a proper culture of risk management is defined – including risk tolerance, and appetite – this gets established and communicated through policies and procedures.

… organizations need to establish an enterprise committee to initiate a collaboration on defining, communicating, and managing a culture of risk in their environment. The goal is to define and communicate a culture of risk, establish it in policy and procedures, and monitor adherence to staying within boundaries of risk tolerance and appetite.

Again, easier said than done. I am not criticizing this approach; I actually agree 100% with what he writes. It’s just very difficult to execute.

Telling someone how to play the flute is not the same as teaching him or her how to play the flute, which takes a lot of time, patience and practice. And telling business leaders or organizations what boards and committees need to do is not the same as getting buy-in, getting them to do it and being successful at it.


One Comment on “Monty Python on governance, risk, and compliance”

  1. Phil Wilson Says:

    Great comments RiskCzar,
    I certainly agree that changing business and corporate culture is like the old string analogy… you can’t push a piece of string, you need to pull it. Or, as the well known business engineer Michael Hammer put it, “the soft stuff is the hard stuff”.

    Right now I am helping to roll out my company’s education and audit work program on GRC convergence and oversight. What a similar challenge to migrating a company’s culture towards integrating risk management into the everyday business model!

    Luckily, we have done our homework on human change management and have devoted a good portion of the content to making sure that participants understand the challenge that is before us in dealing with the “soft stuff” (human change).
