
Governance, Risk Management, and Compliance: It Can’t Happen to Us—Avoiding Corporate Disaster While Driving Success

Governance, Risk Management, and Compliance: It Can’t Happen to Us—Avoiding Corporate Disaster While Driving Success. By Richard M. Steinberg. John Wiley and Sons; 312 pages; $49.95.

Although its intended audience is primarily senior corporate executives and board members, this book also makes an excellent how-to manual for any security manager.
Governance, Risk Management, and Compliance deals with the principles that result in long-term success for organizations. The author presents the three top success indicators of an organization—effective organizational governance, proactive response to risk management issues, and strict adherence to compliance procedures. These components are also key to maintaining an ethical organization, and security managers need to master them.
Governance, risk management, and compliance (GRC) activities are too often thought of as the insignificant “plumbing” of an organization, explains the author, but in reality, these activities often determine whether a company wins or loses in a marketplace. Senior management teams may assume that their companies won’t have the problems they hear peers discuss or see written about in the news—in other words, they suffer from the “it can’t happen here” syndrome, but the author goes through a litany of cases to show how often it does happen.
The book points out common pitfalls to bottom-line success, such as becoming intractably overcommitted to one strategy, being reluctant to acknowledge past mistakes, and creating an environment that makes it difficult to raise concerns about critical issues. The author gives clear guidance on aligning processes and technology with organizational strategy, goals, and values. He also explains how to help protect a company from financial and reputational risk, costly litigation, and government intervention.
The author notes that risk management is not about what has happened but about what could happen and the urgent need for proactively managing the risk. He wisely reminds the reader that the single most significant driver for a company’s culture and subsequent success is not the code of conduct or other policies, but the actions of senior management in carrying out GRC.
One modest weakness of the book is that the author does not hesitate to name the failures but refrains from identifying the large companies that are most successful in applying the book’s principles.

Reviewer: William S. Cottringer, Ph.D., is executive vice president for employee relations with Puget Sound Security. He has held security management positions in the military and public and private sectors since 1962. He has authored eight books and numerous professional articles. He has been an active member of ASIS International for more than 20 years.