April 14, 2013
Does It Make Sense to Discuss GRC?
My good friend, Michael Rasmussen, is perhaps the father of the term GRC and styles himself as the GRC Pundit. He has an excellent website that I wholeheartedly recommend, and one of his latest posts is on the subject of 2013 GRC Drivers and Trends.
I share with Michael and many others the belief that the term GRC refers to “a capability to reliably achieve objectives (governance & performance) while addressing uncertainty (risk management) and acting with integrity (compliance).” This is the definition from the Open Compliance and Ethics Group (OCEG), of which both Michael and I are Fellows.
But while I agree with the definition and the notion that performance is only optimized by orchestrating and integrating the consideration of risk and compliance with governance and management, I am far less sure that it makes sense to spend much time talking about GRC.
I think it only makes sense to talk about GRC when you are talking about breaking down the silos of risk management, compliance, and governance (which includes strategy-setting and performance management).
In order to have a “GRC problem,” where the problem is a lack of integration and coordination, I think you need a somewhat mature set of individual processes for risk management, compliance, strategy, and performance management!
Most organizations are less than mature in at least one of those areas.
So, while I understand the GRC term and concept, I would prefer most organizations and their management teams, at all levels, to stop thinking about GRC and focus on their business process problems in:
- Strategy-setting and communications.
- Performance management.
- Business information and communications.
- Risk management.
- Compliance management.
- Information security.
I welcome your views and comments.