Another rant on the misuse and abuse of “GRC”
Rants should be short and to the point. So:
If the G portion of GRC meant only those aspects of governance (for example culture, policies, and audit) that relate to risk and compliance (as postulated by Mr. FC of GR) then we should be talking about RC and not GRC. Any halfway-knowledgeable person could tell you that there are elements of governance in every risk framework, whether you like ANZ 4350, ISO 31000, or COSO ERM. You don’t need to add a G to RC to bring them in. If you want to talk about GRC, then talk about Governance.
If we are at the point where a vendor is marketing a spreadsheet management solution (however valuable) as a GRC solution, then the term is out of control. It may perhaps be a GRC application, like GL is a financial application, but we are really stretching a point. After all, most controls are actually resident in the ERP – so SAP Business Suite and Oracle Financials are both GRC apps, right?
When a term is misused like this, it starts to have negative value. If I had my way, I would stop SAP from using the term and focus them on the real business problems we are helping with – and we address more GRC processes than any other, with possibly one exception.