The survey I ran at the end of 2010 had some interesting results. You can see the report, with my summary and comments, here.
Overall, there was an encouraging level of support for the OCEG definition of GRC and the perception that their business-oriented view of GRC has value.
I was also encouraged by the consensus that GRC is far more than just risk and compliance. It is centered on optimizing performance and achievement of organizational strategies.
What does this mean for directors and executives?
Don't let consultants and vendors confuse you with talk of a new "GRC requirement" or "need to improve GRC." Focus instead on how you can optimize performance and the achievement of strategies.
Settle on a common definition of GRC within your organization (I recommend the OCEG definition). Understand that it is a lens through which you view how the business is managed and directed, and about the need for the various elements within GRC to work together — in harmony. GRC is not about technology, optimizing compliance cost, or having effective SOX and internal audit programs. The latter are just some of the aspects of GRC, but not the whole of GRC.
Don't let the consultants and vendors tell you what GRC means (in a way that suits their products and services), or what you should focus on as priorities to address within your organization.
Understand the issues that the GRC lens can help you see: silos, fragmentation, lack of harmony, lack of information, etc.
Fix what matters to your organization, not some mythical thing called GRC.
Don't be deluded into thinking you need to have a GRC officer — most organizations don't need one. They need the executives in charge of the various functions within GRC to cooperate and collaborate for the collective advantage of the business.
What does this mean for internal auditors?
The internal audit function can be a driver within the organization for a common definition and view of GRC. While the different elements within GRC (such as risk and strategy) need to work together, it is also important to optimize the elements individually (such as risk management), including addressing the problems of fragmentation.
Consider the risks of fragmented GRC processes, silos of operation within GRC, and inadequate information to run the business. Include them in the audit plan as necessary.
The CAE can bring together the executives responsible for the various processes within GRC, so they can work together to prioritize GRC-related problems, sponsor and fund projects, and manage them to success.
What does this mean to consultants?
There is tremendous value in a common language. Embrace and publicly support the OCEG definition.
Join and participate in future OCEG guidance and thought leadership on GRC.
Recommend OCEG and the Red Book (www.oceg.org) to your customers.
What does this mean to risk practitioners?
There is no need to confuse ERM and GRC. Help executives understand that ERM operates much more effectively when there is harmony (and integration as needed) between risk management and strategy, etc.; when the problems of fragmented risk management practices are addressed; and when the information you need to understand and address risk is timely, current, complete, and reliable.
Participate in, and consider leading, enterprise initiatives to address the problems of silos, fragmentation, and lack of information.
What do you think of the results? What surprises you?