Full Disclosure

Eric Krell GOVERNANCE, RISK & COMPLIANCE: GRC expert Eric Krell supplies the Business Finance community...more

The GRC Paradox

I’ve been digging into results of the Business Finance 2009 GRC Maturity Study for the past week, and I keep running into what I call the GRC Paradox. I’ll explain below, after a results “appetizer”:


Survey respondents speak very highly of their developing GRC programs: 81 percent of all respondents identify their GRC capabilities as acceptable or strong. I’ll present an overview of the results in the April issue of the magazine and then a more comprehensive analysis of leading and best practices identified in the study during a May 21 webcast.


One thing is certain: If a company wants to develop and improve its GRC capabilities, it’s going to have to address the GRC Paradox when it’s time to craft the business case.


Survey respondents identify a lack of funding as the biggest impediment to their program’s success. However, elsewhere in the survey, when asked to identify their program’s most important determinant of success, funding barely rates, languishing in last place. “Tone at the top” and “people, process, and technology” are the most important determinants of GRC success, according to Business Finance survey respondents.


What gives? In talking to a range of GRC practitioners, vendors, and other experts, the reason for this disconnect became clear to me.


As EthicsPoint CEO David Childers (an early GRC pioneer) told me, companies with the most advanced GRC capabilities have moved beyond the “whack-a-mole” approach of reacting to every new regulation with a one-off (and often siloed) compliance program. Instead, these GRC leaders seek to cultivate an organizational culture that embraces principled performance, high ethical standards, and integrity. These qualitative components break down silos, help facilitate more efficient GRC structures, and better position companies to respond more easily to new and changed rules.


There’s just one problem when it comes time for a business case: A ton of money has been spent on one-off compliance efforts in the past seven years or so and, says Childers, “soft ROI — the ‘touchier, feelier’ side of compliance — just doesn’t sell. It takes hard ROI today to get a new compliance program funded.”


So, while tone at the top, a commitment to principled performance, and other softer qualities represent a necessary component of success, an effective GRC business case must show CFOs, CEOs, and the board how new investments will lead to great efficiencies by saving money. In other words, how are you going to optimize existing GRC?


Survey respondents have several answers to this and other pressing questions, as I’ll report on here, in the magazine, and in the webcasts in the weeks ahead …
