Does It Make Sense to Discuss GRC?


My good friend, Michael Rasmussen, is perhaps the father of the term GRC and styles himself as the GRC Pundit. He has an excellent website that I wholeheartedly recommend, and one of his latest posts is on the subject of 2013 GRC Drivers and Trends.

I share with Michael and many others the belief that the term GRC refers to “a capability to reliably achieve objectives (governance & performance) while addressing uncertainty (risk management) and acting with integrity (compliance).” This is the definition from the Open Compliance and Ethics Group (OCEG), of which both Michael and I are Fellows.

But while I agree with the definition and the notion that performance is only optimized by orchestrating and integrating the consideration of risk and compliance with governance and management, I am far less sure that it makes sense to spend much time talking about GRC.

I think it only makes sense to talk about GRC when you are talking about breaking down the silos of risk management, compliance, and governance (which includes strategy-setting and performance management).

In order to have a “GRC problem,” where the problem is a lack of integration and coordination, I think you need a somewhat mature set of individual processes for risk management, compliance, strategy, and performance management!

Most organizations are less than mature in at least one of those areas.

So, while I understand the GRC term and concept, I would prefer most organizations and their management teams, at all levels, to stop thinking about GRC and focus on their business process problems in:

  • Strategy-setting and communications.
  • Performance management.
  • Business information and communications.
  • Risk management.
  • Compliance management.
  • Information security.

I welcome your views and comments.

The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.


