How is GRC different from effective management?
When you look at the components of GRC (using the OCEG definition, as discussed in previous blogs), you will see:
- Understanding the objectives of the stakeholders
- Developing and implementing strategies to achieve them
- Managing and monitoring performance to optimize results
- Understanding and managing risk while working towards the achievement of those objectives
- Staying in compliance with applicable laws and regulations
Aren’t these the primary functions of management, with oversight from the board?
If so, why do we need to talk about “GRC”?
For me, talking about GRC, or the OCEG concept of “principled performance”, means looking at the same activities through a different lens.
It still focuses on the need to optimize performance, but it brings out how important risk management is to success, and how non-compliance can result in failure. It also enables the identification and elimination of silos, redundancy, and gaps in risk management and compliance (e.g., where seven different groups within the organization are independently assessing risks, without anybody looking at the holistic picture of the risks facing the business).
What do you think? Is this a good enough reason to use the term “GRC”? Is there another difference I am overlooking?