
Is there value in talking about GRC?

December 25, 2009

GRC, which stands for “governance, risk management, and compliance”, is a buzzword that is receiving a lot of play. But everybody has a different definition of what it means – what processes and applications are included in GRC.

Personally, I like the definition from the Open Compliance and Ethics Group (www.oceg.org):

“A system of people, processes and technology that enables an organization to:

  • understand and prioritize stakeholder expectations;
  • set business objectives that are congruent with values and risks;
  • achieve objectives while optimizing risk profile and protecting value;
  • operate within legal, contractual, internal, social and ethical boundaries;
  • provide relevant, reliable and timely information to appropriate stakeholders; and
  • enable the measurement of the performance and effectiveness of the system.”

However, this set of processes is so vast that it is hard to identify a process or application that is not part of GRC. Even transaction processing applications (such as those included in an ERP) include controls used to ensure the integrity of the transactions being processed – and therefore have at least an element of GRC in them.

It is useful for OCEG to gather these processes together and provide guidance on best practices. They take an ethics and compliance perspective, rather than one focused on broader governance and management of the enterprise to achieve short and longer-term goals.

But does it make sense to a business person assessing software to improve governance, risk management, or compliance processes? I am not persuaded that it does.

Is it necessary or even valuable for all the applications supporting GRC processes to be integrated? Is it critical that a vendor supply every part?

Again, the GRC universe is so vast that I doubt that any single vendor will provide a solution for every nook and cranny in my lifetime. The OCEG definition of GRC includes the management of organizational strategies and performance management – perhaps the core of GRC. But very few GRC vendors (only one comes to mind) offer both.

I also am not persuaded that every GRC-enabling application has to be integrated with every other one. For example, I would be very nervous about linking my whistleblower system to anything else – the need to safeguard its confidential information is too great.

So what does this all mean? I believe that there is so much talk about GRC that we can’t ignore it. Instead we need to:

  • Recognize there is no common definition of GRC and ask everybody who uses the term just what they mean
  • Instead of talking about GRC processes and applications, talk about the real business process problems in the enterprise
  • When assessing applications from so-called GRC vendors, realize that each has a different definition of GRC and focus on the real business process needs you have. Don’t allow the fog of GRC to get in the way
  • Recognize that the assessments of the market and solutions by analysts like Forrester Research and Gartner are based on their own (different) definitions of GRC. The components they include may not all be as important to you as they have assumed in rating vendors’ solutions

The bottom line, for me, is that we should not allow the buzzword of GRC to divert us from assessing what is needed in our business. Just because somebody includes a functionality in their “GRC platform” does not mean we have to.

  1. December 28, 2009 at 1:49 PM

    Norman, I believe that IT belongs to GRC, but people need to understand the IT SOX perspective on business. Can we think of companies in operation without information technology tools?

    Since January 2004 I am IT SOX Independent Audit & Consulting and work in:
    . Establish IT governance structure;
    . Minimize IT risks;
    . Attend to SOX Compliance – Section 404;
    . Define IT controls;
    . Create measure and quality indicators

    Companies need to have focus on IT Governance and Risk controls; to attend SOX requirements is only part of the GRC.

    IT Audit has the challenge to assist management and the board and/or audit committee in the process by: Monitoring, Evaluating, Examining, Reporting and Recommending improvements.

    Congratulations for your blog.
    Best Regards

  2. December 29, 2009 at 1:51 PM


    Great Comments! I fully support them.

    Albert Einstein noted, “Any fool can make things bigger, more complex, and more violent. It takes a touch of genius – and a lot of courage – to move in the opposite direction.” I believe there is genius in the body of professional internal auditors. Unlike your sentiment I do believe we can see a solution in our lifetime. It should not be a vendor solution, but a set of professional standards and measurements by which governance and management can be compared – a companion to financial statements.

    Rather than using another framework developed by us analysts, we should be looking at how the best governance bodies are run, and the best executive teams operate. This is open information in the business management profession. We should let managers and governance members define capability/maturity models that we can then apply our analytical skills to in standardization. This is simple!!! It seems like IA needs to simply acknowledge we do not know more than the business, but we can take what is happening and make it better through analysis and professional comparison. GRC is another attempt to let us analysts define the world. In my career I had to transition from an Auditor to a Director of Knowledge Management. We are a company composed of 300 Internal Auditors. The CIO I report to had to re-train my focus to effectively see how operations are developed and mature over time. In his words, Internal Auditors can tell you where to start and whether the end product is good, but they are horrible at planning out and building anything. I see his point. Why fight it? Let’s use our skill to help Governance and Management standardize what is already recognized by them as good practice! Let’s use their capability and maturity models to illustrate vulnerabilities compared to a standard, and peers! Simple and valuable.

  3. Jay Somasundaram
    January 3, 2010 at 4:17 PM

    When I studied management over thirty years ago, I learned that there were two major schools – Managerial (which I would now call left brain) and Human Resources (right brain). At that time, the Managerial approach was epitomised by our textbook (by Koontz and O’Donnell) that taught five principles – planning, organising, directing, staffing, directing and controlling.

    Then, as now, the left brain approach has been dominant. More recent Left brain developments such as TQM and six sigma have added definite value. To me, GRC is just another way of carving up the ‘Left brain’ pie, and ends up under-emphasising certain important elements of the pie while over emphasising others.

    Right brain approaches have always been rather woolly and hard to grasp. More recent developments such as ethics, culture and leadership identify important issues, but are still woolly and hard to grasp.

    Of course, everyone coming up with new models claims to integrate both approaches. I don’t think they do. Perhaps there is an intrinsic incompatibility.

  4. March 8, 2010 at 3:38 PM

    We can make any word (or acronym) mean anything we want. Over time, the same word assumes modified or even new meanings. I find the GRC acronym to be narrowly focused, seemingly arbitrarily named, cognitively dissonant (“governance” is a broader function and does not belong to the list – although both “risk” and “compliance” form part of the broader governance function). Risk and compliance primarily deal with preserving value. Governance, and I am thinking primarily of corporate governance, seeks to both create and preserve value.

    I have no problem with defining a management discipline focused primarily on preserving value, as per OCEG’s definition. However, I believe, that we then also need a complementary, management discipline for creating business value. This is analogous to having a defensive and an offensive line in American football.

    In my mind, either OCEG embraces this broader notion by modifying its definition for GRC as per my suggestion below or we need to form a new organization to establish this category. Governance would not belong to either of the two disciplines, but would serve to unify them.

    Proposed modifications to broaden the OCEG definition:

    A system of people, processes and technology that enables an organization to:

    * understand and prioritize internal and external stakeholder expectations;
    * set business objectives that are congruent with values, risks and possibilities;
    * achieve objectives while optimizing risk and trust profiles to create and preserve value;
    * operate within legal, contractual, internal, social and ethical boundaries;
    * cultivate operating conditions that allow the organization to adapt and evolve in ways that sustain value creation activities;
    * provide valid (relevant, accurate, reliable and timely) information to appropriate internal and external stakeholders; and
    * enable the measurement of the performance and effectiveness of the value creation and preservation system.

    So, although I do not disagree with Norman’s comment that “this set of processes is so vast”, I disagree that “it is hard to identify a process or application that is not part of GRC”, as per my comments above.

    In summary, if integration of management disciplines to preserve business value is a valid objective, then so is integrating management disciplines that create business value. If one were to put both in the same category, it would be valid to refer to it broadly as “corporate governance and business management”. Since this would be simply restating the obvious, I favour the defensive and offensive lines approach, where one integrated discipline focuses on preserving value, while the other creates value. But what to call it?
