Michael Rasmussen, perhaps the most respected and influential individual when it comes to GRC, has written an interesting blog, "GRC 2011: Gripes and Directions."
I thoughly agree with several of his points:
"What frustrates me is when vendors ignorantly communicate GRC as being about technology — technology is the enabler for GRC to achieve agility, efficiency, and effectiveness. GRC itself is broader than technology and should align with process and strategy."
- I would expand on this and say that too many use the term GRC without really understanding what it means; but, it helps them position their products and services.
"I am tired of seeing vendors come into buyer situations telling them they have the best and most adaptable solution out there – it slices, it dices, it does your laundry. Good night – GRC is about solving problems, generic answers do not cut it."
"As my friend Norman Marks has commented, you can go to a conference and hear a dozen or more definitions of GRC."
- Michael and I are both OCEG Fellows and support their business-oriented definition of GRC. I fear that too many are defining GRC in a way that suits their business needs, without an understanding of what the term means (per OCEG).
"I see growing interest in ERM being driven by the board down and one focused and integrated into strategy and performance."
You can see I have selected perhaps half of Michael's gripes and predictions. I will add two of my own:
- Too few realize that GRC is all about how you understand stakeholder needs, optimize performance against their expectations, manage risk, and remain in compliance. This means that risk management is within the context of strategy and the optimization of performance. Too few realize that the name of the game is optimizing performance in according to strategy. Looking at GRC and not considering the management of strategy and performance is making a major mistake.
- GRC depends on management and the board having the information necessary to run the business; it must be reliable, timely, current, and complete. Why is this essential ingredient (included in the OCEG definition of GRC) not addressed when consultants and vendors talk about GRC?
Enough for now. What do you think?