​The Institute of Internal Auditors' Tone at the Top Defines GRC and Gets It Right

Comments Views

​The August​​ 2010 issue (PDF) of Tone at the Top includes a clear definition and discussion of the term "GRC" (which stands for governance, risk management, and compliance). While the term is increasingly used by executives and board members, the concept of GRC is more often than not misunderstood. So, I for one am pleased to see The IIA share the business-oriented definition develo​ped by the Open Compliance and Ethics Group (OCEG). This is the definition I use myself: It explains quite clearly and concisely that GRC is about how you direct and manage the organization to optimize performance, while considering risks, and staying in compliance (my paraphrase of the ​OCEG definition).

GRC is not about technology.

GRC is not a fad or a catchy phrase for software vendors and professional service providers to generate revenue.

  • It is about running the business better.
  • It is about ensuring the integration of strategy and risk.
  • It is about ensuring you remain in compliance with applicable laws and regulations at the same time as you drive the business forward.
  • It is about addressing the business problems created by fragmented governance, risk management, and compliance functions and/or processes and systems – problems of effectiveness and efficiency.
  • It is about ensuring there is a timely, quality, complete flow of information to, from, and among those responsible for governing the enterprise, assessing and managing risks and opportunities, and assuring compliance.

I recommend a considered read of the August issue and the article. For more on GRC, visit these sites:



Comment on this article

comments powered by Disqus
  • IIA Quality_July 2020_Blog 1
  • IIA Online Testing_July 2020_Blog 2
  • IIA Training_July 2020_Blog 3