Survey results: how people define GRC

In September, I asked people to describe how they would explain the term GRC to their CEO if they met on the elevator.

The results are in, and in this post I will discuss them – with no names or attribution. At the end, I draw a number of conclusions and ask for your comments.

First, this is how I would describe GRC:

The concise version:

GRC is how the various parts of the organization work together, in an orchestrated fashion, to deliver value and optimize performance, through the management of risk and uncertainty, while remaining in compliance.

The clarification:

GRC is about the whole, not the parts – not even the sum of the parts! It’s about how they work together to achieve organizational success, which may involve sub-optimizing individual pieces so that the whole is optimized.

GRC is a perspective, a way of looking at the organization and identifying issues around silos, fragmentation, poor information, and a failure to collaborate.

Optimizing GRC is not about optimizing risk and compliance, policies and procedures, or any part. It’s about the whole jigsaw, not the individual pieces. So, a GRC program focuses on orchestration, etc. A GRC culture is all about people working as a team, across all organizational boundaries; but a GRC culture is also about having a corporate culture that is able to balance the contrary ‘pulls’ of performance, risk, and compliance and deliver on them all.

Two people join me and describe GRC in similar terms:

My GRC meaning in “elevator talk” mode:

GRC is a capability set. In essence it enables an organization to establish and strive towards its objectives while staying within established legal and voluntary boundaries.

GRC enables the integration and orchestration of key processes to become a more reliable, integer and reputed organization while addressing uncertainty and capturing opportunities.

GRC means better (acute) governance, risk oversight and conformance to requirements.

and…

Being ethical is doing the right thing for the right reason even when no one is watching. The objectives of the PEOPLE, PROCESS, and TECHNOLOGY structures as defined in a “true” GRC program improve on an Organization’s ability to define “right” and to set clear expectations and performance boundaries that are embedded into the business to maximize performance and optimize risk. The areas of governance, risk management and compliance management are particularly critical to the organization’s success in meeting its business objectives.

GRC is a collaborative approach within the organization between the oversight groups and the business operations to define what is “right”, and to set expectations to improve the ability of the business process to meet their objectives whether they are operational, strategic, financial, or compliance.

GRC is a methodology of PEOPLE, PROCESSES and TECHNOLOGY that enables a company to:
– understand and prioritize expectations;
– achieve objectives while optimizing risk and protecting value;
– operate within legal, contractual, internal, social and ethical boundaries;
– provide relevant, reliable and timely information to appropriate internal and external stakeholders; and
– enable the measurement of the performance and effectiveness of business processes in meeting the GRC objectives.

Governance is management’s transparency into operational adherence to established processes and policies, regulatory requirements, and strategic alignment with ability to monitor and require action to be taken.

Risk management is the process by which the organization sets the risk tolerance, identifies potential risks and prioritizes the tolerance for business initiatives leveraging internal controls to manage and mitigate risk. The overriding goal of risk management is risk optimization.

Compliance management is the process that records and monitors the controls, be they physical, logical or organizational, needed to enable compliance with legislative or industry mandates as well as internal policies. It ensures that the boundaries are well set, and that the organization does indeed conduct business within them through established policies and controls. In the context of GRC, compliance is the act of adhering to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies. In other words, compliance is all about identifying requirements, legal or otherwise, and taking steps to ensure that the organization addresses all of them.

My take on the OCEG model.

Seven describe GRC as essentially the same as ERM:

To me GRC is virtually synonymous with plain old Enterprise Risk Management.

and, very concisely…

Generalized Risk Confusion

another…

GRC stands for Governance and Risk Control but it’s nothing new. Unfortunately, risk-management is still pretty much associated solely with financial management risk and not, as it should be, with enterprise-wide risk management. Should that be the case – and it will probably take a new generation of CEOs and CFOs to be at the helm of corporations – there would not be the type of fragmentation we now have across the board in risk-management. To make it worse, people use this term simply because it makes them look as if they know what they are talking about, whereas in fact, most do not have a precise idea of what it really means. Last but not least, I think that another “malaise” affecting integrated risk-management practices and their dissemination is that SOX practitioners, who got the financial accounting and reporting “blinders”, are the ones pushing for it, and that ends up actually leaving out a lot of professionals that have a wealth of experience to contribute. I am a CPA, but got rid of my blinders many moons ago and learned of the importance of opening up to other professionals who can contribute a whole lot in terms of expertise on this subject.

and..

I think the term GRC has emerged due to the realisation that without the “G” the other elements have not achieved their full meaning and purpose; in other words there is a realisation that good governance is integral to effective risk and compliance. In particular I find the concept of “risk governance” appealing in that it signifies a strategic and higher level of focus and authority, as distinct from risk management, which is how risk is addressed on a day to day basis. At this level the governance aspects of risk should mostly be focused on setting the overall risk appetite and culture, leaving the “management” of risk to those who manage the business affairs.

So on this basis a definition of GRC would entail “an integrated, strategic approach to setting and monitoring risk appetite and culture by those who govern”.

To my mind the compliance aspects can and should be treated as an operational risk, important enough to have its own subcategory but aggregated into the risk appetite just like all other risks.

The big challenge now is to help directors and those who govern to play their part in setting and monitoring the risk appetite and culture. This is a new playing field that most risk managers that I meet simply do not comprehend or have the skill set to add value to, particularly when it comes to the cultural aspects. Only time will tell if GRC emerges as something other than a catchy acronym.

and..

“GRC”, standing for Governance, Risk and Compliance, is a key aspect of management at all levels in an organisation.

Governance is the creation and implementation of controls so that risk to the business is mitigated. Controls may be procedural or technical, and may also be absolute or derived. An absolute control is a yes/no test, whereas a derived control sets limits on behaviour or activity such as deciding the credit limit to be extended to a customer or exposure to a market.

Risk to a business or organisation is the likelihood of an outcome which has a negative effect. It is usually formally evaluated using the techniques of “residual risk assessment” or “failure mode effects analysis”, in which each potential risk is assigned 3 scores: severity, occurrence and detection. The severity x occurrence x detection score yields a risk priority number allowing the level of risk to the enterprise to be compared with others, and resources prioritised for the design and implementation of governance to control the risk. Residual risk is an RPN score remaining after the effectiveness of controls has been taken into account.

Compliance is the process of auditing the effectiveness of governance/controls in an organisation. It has two key aspects:
– it is, in itself, a control forming part of the overall governance of an organisation and specifically addresses the risk that controls are not implemented or followed.
– it measures the effectiveness of controls and other governance measures allowing the leadership team to have visibility of the overall risk profile

GRC, then, is an holistic approach to
– the identification and prioritisation of risk
– the implementation of controls to mitigate risk to an acceptable level
– verifying that controls are both sufficient and effective

and…

The centerpiece of GRC is risk, which is appropriate. Organizations and governments need to put risk management high on their to-do list. This should be the responsibility of the organization’s top management (i.e., governance). Finally, one of the greatest risks is the laws and regulations that require some form of compliance. We need to educate industry about GRC.

“GRC” means Governance, Risk and Compliance, and for any CEO it is to be seen at enterprise level, where all categories of risks are identified, quantified, mitigated and controls are also set. Key Risk Indicators (KRIs) indicate all relevant risk measures at enterprise level for CXO dashboards.

and finally,

GRC is a clever term that combines three phrases that sounded good together so it stuck, but represent practices that have been around for years. Roughly synonymous with ERM, the whole idea is to ensure a good risk and control framework across the organization, that takes into consideration how the business is managed (governance), identifying and managing risk and ensuring compliance with policies, laws and regulations. Nothing new under the sun, except for the GRC vendors. If there is anything that the “idea” promotes it is trying to ensure consistency and coordination between these different management areas. But again, that’s ERM.

Two people think of GRC as risk management and compliance coming together.

GRC can be defined as “a set of frameworks, processes, and activities established across enterprise to give an assurance to the top management & stakeholders that an effective governance mechanism is in place to ensure the risk and compliance functions are integrated, optimized, collaborated, and operate effectively; thus resulting in reduced efforts & costs of risk and compliance management and meeting compliance obligations of the enterprise”

and..

If I’m talking to a CEO and I’m limited by time, here’s my quick elevator pitch. GRC is a three-legged stool that helps the enterprise avoid business disablement.

Governance is what the organization is doing internally to mitigate risk and to comply with industry and regulatory requirements. Compliance is mostly driven by the business processes that are in practice by the organization. For example, if the organization is processing personal health information, cardholder data, or other sensitive information, it’s likely there are industry and/or regulatory requirements for data security and privacy. The organization will benefit from a governance program that addresses rules for accessing and processing such information.

Risk is exactly that. Every business is subject to a certain amount of risk depending on their business models, processes and several other factors. The business should perform an annual risk assessment to better understand the following; the value of their business assets, the potential impact if weaknesses and/or vulnerabilities are exploited, and what remediation steps should be taken to mitigate risk to the enterprise. This information should make its way to the executive management team so proper actions can be taken to protect all stakeholders.

Compliance is what must be done to meet all industry and regulatory requirements. Most compliance is industry specific; healthcare, financial services, utilities, etc., all have specific compliance requirements. Certain business processes overlap industry specific requirements; for example, SOX, PCI-DSS, etc…

Viewing GRC as a three-legged stool helps the CEO know that all three components are integral for business enablement. Failure to observe and manage all three components collectively will lead to dysfunction. If you want to properly balance a stool you must provide equal or similar attention to each of the three legs.

For one, the essence is Integrity.

Governance Risk and Control is the new “Mantra” for the business and economic environment!! Repeated corporate failures, frauds, accounting irregularities are all a result of inadequate governance, risk and control mechanisms!! All global economies both in the east and west are suffering from this inadequacy!! But the fundamental and root cause of all these is basic human greed!! So besides G R C we also need to have personal integrity and honesty and discipline which are fundamental traits of good citizens of society!! Society and Culture determines these values, and I do believe that economic growth and opportunities have eroded social and human values too!! Everybody needs to do some introspection and decide what one wants from life!! Time for a revolution in thinking!!

Five people think of it as the integration of separate activities to achieve efficiencies. The difference between this and my concept is that mine is more focused on total performance, which includes optimizing the top line as well.

To me, GRC is about the leveraging of common information processes, controls and systems (and people) to work together using a common framework that allows transparency and the sharing of information.

and..

GRC is a construct that allows an organization to collect and connect compliance and risk information in a way that enables better performance by increasing data usability and efficiency and better managing costs. A GRC approach allows departments to better communicate with each other, assigns and tracks accountability more efficiently, and permits on-demand reports that Boards and senior managers require.

another says:

GRC (Governance, Risk and Compliance), is the integration of three similar yet unique management processes. We do this to manage the time, money and resources more effectively by streamlining and reducing the overlap of common management systems and reducing the management time necessary to execute each activity that would otherwise be managed separately and potentially isolated from each other.

and..

Governance, Risk and Compliance activities are interconnected and all of them rely on common sets of information, methodology, processes and technology. Incoming new and pending regulations such as Dodd-Frank have heightened the need for connected governance, risk and compliance well beyond internal audit and compliance departments. The concept requires managers to establish a common, integrated discipline around regulatory requirements, policies, risks, controls, and consumer issues. GRC intends to lead organizations to better leverage information, gain operating efficiencies, and provide greater transparency into legal, regulatory, operational, and overall business risk.

This one also refers to integrity:

My point of view – GRC is nothing new. Yes, we have had an acronym for 10 years (in fact I was the first to define and model a market and label it GRC while at Forrester in 2002). The truth is that there are governance, risk management, and compliance processes in any organization – whether formal or informal.

What I tell organizations is that they have GRC whether they like it or not. GRC is part of business. Organizations have formal or informal structures, policies, practices, and processes for GRC. The question is: can they be more effective, efficient, and agile to the demands of a dynamic business environment. Most GRC areas within business are isolated and not integrated. They are scattered across the business and loaded with inefficiency, redundancy, and gaps – in truth they slow the business down. There is significant room for improvement by leveraging common processes, information, and technology across GRC areas. This is not consolidation – but integration. A federated model in which the different GRC components across the business can work together in harmony (or orchestration).

From a simple definition, to me good GRC is about INTEGRITY. The organization has made statements and commitments to how it is governed, complies with laws, manages risks. There are contractual obligations, corporate social responsibility statements, etc. Good GRC is about making sure that the organization has integrity – that what it has committed to in reports, policies, contracts, and commitments is a reality in the organization and we can measure and model it.

Three people had different ideas.

GRC stands for Governance, Risk Management, and Controls. Therefore it implies that any management of corporations should ensure GRCs are working right and that internal auditors, in their reviews, emphasize GRCs. Risk management and controls underpin Governance; if there are no robust controls and proper internal analysis and control of risks, then governance fails.

and..

Governance = Right people taking the Right decisions
Risk Management = Informing the Right people what are the Best Options
Compliance = Informing the Right people that they took the Correct decision

and, in some ways my favorite:

Good question to ask – I’ve heard others mention that these terms are used in so many different ways that one may be wise to define the term when using it. I also believe that as this space continues to mature, a more common understanding will emerge.

Finally, three people think this is a sham.

There’s no doubt that GRC is a fabrication of the Accounting Consultancy Industrial Complex (ACIC). It is at best, an awkward and inefficient model of corporate reality.

Here’s what I mean. It is currently serving its purpose as a construct to introduce many orgs’ executive management to the realities of technology, regulation, and probabilistic/rational decision making. A nice gateway drug. But when I see more mature organizations outgrow the prefabrication that is GRC, it’s obvious that the “authority” of the ACIC actually then serves to inhibit quality processes around risk management and decision making.

If the ACIC wants to stay relevant, they need to figure out how to foster innovation in rational business management, rather than retard it. And that will mean retiring GRC and focusing on quality in the management of risk.

and..

Great Risk Con or Great Revenue Opportunity!!

the last word (suggestion from the post) goes to:

I tend to agree with Norman that “GRC” does not mean the same thing across individuals. Given the amazingly high buzz around it, just like it is the new fashionable thing which is going to address all issues, I think that for some it stands for Growing Revenue Channel.

So what does this all mean?

I like what Lee Dittmar of Deloitte said:

In the complex and constantly changing sea of acronyms, abbreviations and other abstractions, there is one that is simultaneously met with affirmation and apathy, confirmation and confusion, and recognition and rejection.

CFO.com published an article on demystifying GRC that said it was:

An academic definition of the word ‘mess’.

I still hold to the OCEG definition and my summary (above), because I believe that it all (including and especially risk management) has to be within the context of optimizing performance, which is the essence of Governance. But this is clearly NOT the view shared by the majority of those who posted their views.

So, my conclusions are:

1. Any conversation about GRC should start with a definition that explains how the term will be used. It is impossible to have effective communications when we are thinking of it in different ways.

2. When vendors use the term in a way that helps them sell their products and services, it only adds to the confusion and heightens the feeling that GRC is just hype – a way to increase revenue.

3. I still believe that there is value in the GRC lens to identify the need to fix fragmented operations. But, attention is being taken away from ERM. If ERM is the message, say ERM and not GRC!

4. I can only hope that continued discussion will bring the community together around either a single, accepted definition or the abandonment of it – replaced by something that we can all agree makes sense.

I would appreciate your views and comments.

  1. ARNOLD SCHANFIELD
    October 5, 2011 at 11:52 AM

    You will never be able to gain clarity or have others understand this until such time as a case is produced with very specific things that can demonstrate GRC in action. Long, long memos unfortunately will not improve this situation one iota.

  2. Norman Marks
    October 5, 2011 at 11:54 AM

    Arnold, I wish I could point you to a study I did myself or a company I know personally. But OCEG did a survey that you can find on their web site. They found that fragmentation and silos abound, but when companies start a program to address them they obtain significant benefits – generally more than they anticipated.

  3. Mike Corcoran
    October 5, 2011 at 2:57 PM

    Norman, I like your opening definition. Not sure where it fits but need something on innovation as that is what will also help us humans thrive.

  4. Brett
    October 5, 2011 at 4:52 PM

    To my colleagues on the topic of GRC: when I began a new role back in 2001 as a Corporate HIPAA Program Director with over 20 years of IT experience, I was initially tasked with the goal of establishing compliance with HIPAA EDI, Privacy, and Security regulatory requirements. The “corporate” position meant that I was a non-lawyer who was recently hired into the corporate holding company’s legal department by the Chief General Counsel to clarify regulatory requirements and make sure that all of the covered components of the legal entity came into compliance.

    Once I understood the requirements, I realized that the 9 autonomously operating companies I was responsible for getting to work together to address the requirements would be required to have the same Notice of Privacy Practices and consistent policies and procedures; the approach was going to require an innovative solution.

    Quite simply, we would need policies developed by a committee representative of each company. Next, they needed the flexibility to craft procedures to comply with the policies that aligned with their business; however, the procedures and subsequent forms and checklists for each business unit needed to be related to the policies to help with corporate visibility and oversight. We also needed some way of pushing the communication and attestation process out respective of the business unit, department, user group, and role or roles of individuals, as well as other training.

    Given my IT background, I began looking for application solutions that would help me automate the development, organization, and provide accessibility of these documents, manage the training and monitoring as well as give me information I needed at a corporate level to report to executives on the effectiveness of our program.

    After scouring the earth for a solution already built with these minimum capabilities, I partnered with a technology company and a very large consulting/audit company to enhance the software company’s application, which was originally built for EH&S Safety training and policies and procedures, to develop the capabilities I needed. At the same time, I said, there will be other companies that need this type of solution, but I know from my searching that there is nothing specific to search on to find this type of product: a product that provides central visibility, with distributed responsibilities, as well as the other features and functions to manage these compliance risks and manage compliance. This software vendor happened to be a client of Forrester and Michael Rasmussen was the primary analyst. The discussion then went from this simple concept to the acronym “GRC” by way of my discussions with the consulting/accounting firm, the software company, and Michael, who began writing and expanding on this initial business approach that would need automation to fully appreciate.

    Other things like assessments and surveys, incident and case management, risk repositories and the like continued to fit into the same approach as the approach matured over time.

    GRC is what it is, no more and no less. It produced business benefits that far exceeded what I could have imagined and one could include the arguments and dollars spent on trying to define or debate its purpose or relevance. It is hard to define because it varies from company to company. I personally feel that to argue its validity is to miss the whole point entirely.

    The discussions and debates should not be about GRC but about the pros and cons of changes in business so that extraneous costs are greatly reduced, that the right hand knows what the left hand is doing and that they are both doing what you want them to do.

    It is about good processes, organization function, and technology that supports the businesses needs and goals.

  5. October 6, 2011 at 1:14 AM

    A wise man (either Norman Marks or Michael Rasmussen) once explained GRC this way:

    Risk management identifies, analyzes and treats risks. Governance includes policies and procedures that are part of some risk treatment actions. Compliance is ensuring the governance requirements are met.

    This makes sense to me. However, the reality is that the elements are often silos within a company, and this leads back to your clarification – it’s about how these silos work together to achieve organizational success, which may involve sub-optimizing individual pieces so that the whole is optimized – and may I add – to avoid silo thinking!

    Thanks for your inspiring thoughts!
    Thomas

    • Ck6
      October 7, 2011 at 6:00 AM

      Thomas, you left out “monitor” in your definition of risk management, and I believe that is the area for discussion. Whether the exercise is risk management, compliance or governance, monitoring established procedures (compliance and governance) or operations (risk management) is the key to success.

      As Norman has identified, and several have commented on, definitions are critical. I believe the world is too large to ever develop one common set of definitions in any area. Take accounting standards as an example. Not only do you have IFRS and USGAAP, but at the grassroots level you have individual accounting partners applying their interpretation of one of the standards.

      However, within an organization definitions must be agreed in order to ensure attainment of corporate goals. When we are asked to assist in the development and implementation of an enterprise risk management program, the initial work is developing an organization-wide set of risk management definitions.

      Commonality is gained through forums such as this, which allow disparate individuals from differing areas to exchange ideas that will eventually become accepted norms/definitions.

  6. October 6, 2011 at 6:12 AM

    I agree that GRC is a clever term that has helped sell software but has brought nothing new to the work of managing risk. I have yet to find a single person that can identify a single aspect that wasn’t already part of a holistic ERM framework.

  7. Mark Daoust
    October 6, 2011 at 1:03 PM

    Great read….

    “An academic definition of the word ‘mess’.” (I’ve had this feeling, after meeting with 4 of the client’s Divisional Directors, each with a different understanding of the mission)

    Generalized Risk Confusion (Was this person a Board Member?)

    I prefer the OCEG definition, however, I appreciate the many thoughtful comments and will return to read them again as I digest the differing threads of reasoning…

  8. Ian Drewer
    October 7, 2011 at 9:00 AM

    Perhaps we might take Norman’s conclusion number 3 to heart (with slight modification) – “ERM” may be interpreted as “Embedded Risk Management” or as “Enterprise Risk Management”. Let’s stick to that; it remains an essentially comprehensible, relevant and realisable objective.

    Furthermore, if “Embedded” and “Enterprise” (as in whole entity) are taken together, we have a simple picture of an ideal management approach – one in which “risk management” is an inherent part of every activity, control and exploitation of risk both have their place, and “silos” are avoided. There is nothing in this terminology that in any way constrains the effort to financial or fiscal risk, and nothing to exclude either where inclusion is appropriate.

    Practice in this way MUST incorporate governance, compliance, monitoring, audit etc.; none need special identification or separation from the overall embedded, enterprise-wide effort.

    GRC is a term invented for the sake of invention; Get Real Comrades – we don’t need another expression of this kind, so dump it before the contamination spreads.

  9. October 12, 2011 at 5:36 AM

    Norman, very insightful comments posted. When you first posted your question I think I responded with the meaning of the acronym GRC in our company, which stands for Group Risk Committee. If I now browse through the various comments and unpack the standing agenda and mandated scope of our “Group Risk Committee”, it touches on and links to various of the discussions/views and perspectives posted here, and again it is good to see that the world of Risk is alive and active………and more so that our GRC is talking and doing the right stuff 🙂
    regards
