My good friend, Michael Rasmussen, is perhaps the father of the term GRC and styles himself as the GRC Pundit. He has an excellent website that I wholeheartedly recommend, and one of his latest posts is on the subject of 2013 GRC Drivers and Trends.
I share with Michael and many others the belief that the term GRC refers to “a capability to reliably achieve objectives (governance & performance) while addressing uncertainty (risk management) and acting with integrity (compliance).” This is the definition from the Open Compliance and Ethics Group (OCEG), of which both Michael and I are Fellows.
But while I agree with the definition, and with the notion that performance is optimized only by orchestrating and integrating the consideration of risk and compliance with governance and management, I am far less sure that it makes sense to spend much time talking about GRC.
I think it only makes sense to talk about GRC when you are talking about breaking down the silos of risk management, compliance, and governance (which includes strategy-setting and performance management).
In order to have a “GRC problem,” where the problem is a lack of integration and coordination, I think you need a somewhat mature set of individual processes for risk management, compliance, strategy, and performance management!
Most organizations are less than mature in at least one of those areas.
So, while I understand the GRC term and concept, I would prefer most organizations and their management teams, at all levels, to stop thinking about GRC and focus on their business process problems in:
- Strategy-setting and communications.
- Performance management.
- Business information and communications.
- Risk management.
- Compliance management.
- Information security.
I welcome your views and comments.