In this short series of blog posts relating to Lean GRC, I have covered the first two major Lean Principles: "eliminate waste" and "focus on individuals who add value." These are two key concepts that form the foundation of "Lean Thinking."
The third Lean Principle is to "use pull value to drive demand." Let's look at this principle that is deeply rooted in Lean Manufacturing, and see if it has parallels for professionals managing GRC programs.
Traditional production involves the use of "push" demand fulfillment: the item is manufactured and stored in inventory before an explicit demand has been made. There is one clear advantage to this approach: forecasts are bound to be wrong, and push manufacturing helps provide a buffer against incorrect forecasts (or unseen demand). But, there are very significant downsides to it also. It often results in:
- wasted inventory
- high carrying costs
- incipient quality problems
Lean Thinking emphasizes using "pull" to satisfy demand. Value is delivered at the point and time of demand, increasing timeliness and consistency of information, and minimizing non-essential work. So, manufacturing would produce a component or finished product when there was an established demand, rather than an anticipation of a demand. This is all well and good, but how might this relate to GRC?
Lean GRC supports this model. When a "demand" exists for risk and compliance information, that need can be met at the point of demand. For example, risk assessment information can be provided at the point of need within larger business processes. This requires not only a centralized repository of risk and compliance information that is widely accessible, but also a set of common risk practices across the organization. The accountability for risk remains in the business organization to which the risk applies, but centralization of risk information enables the use of it across organizational boundaries. Also, risk assessments, terminology, and metrics should be consistent so that everybody is "speaking the same language," and measuring their risk using common methods.
Here's another potential example. There may be a case where there is a risk of unethical behavior either among a set of people, or within certain business processes (for example, vendor payments, gifts to foreign customers, etc.). In these cases, reminders of corporate ethical policies can be embedded within processes where potentially unethical behavior might arise.
It may be a little odd at first to think of "Pull" demand fulfillment in the case of GRC, since there is not a physical object that is being manufactured. Still, information and activity related to risk and compliance are very "high value" elements, and the ability to provide them at the point of demand can have significant benefits for an organization.
*LeanGRC is a trademark of OCEG.