How do you spell GRC?
When I was a small child of about 9, growing up (allegedly – many say I never grew up) in England, I had a long car trip with my parents and younger brother.
He had just started kindergarten school and was upset that we had excluded him from our game of “I Spy”. For those of you with incomplete educations, this is a game where one person sees something and announces “I spy, with my little eye, something beginning with the letter….”. Then everybody gets to guess what it is. “I Spy” is a game that helps young children improve their language and spelling skills.
Anyway, my brother was going to throw a fit so we let him play. He started: “I spy, with my little eye, something beginning with the letter L”.
All three of us guessed repeatedly, only to hear that we didn’t have the right answer. After a while, we gave up and asked him what the correct answer was. He shouted “window” with a laugh.
We were stunned and tried to explain that ‘window’ didn’t start with the letter L. I told him that the word ‘window’ didn’t even have an L in it. My smart little brother replied that the L was ‘silent’!
So what does this all have to do with GRC?
Well, sometimes I feel like people believe that GRC starts with the letter R, and that the G is silent. I received this in an email today from a PhD student studying GRC:
“Looking at the common GRC understanding, compliance deals with the reporting of company risks and how they are assessed. Governance (in the GRC-context) ranges from frameworks and measures for a GRC strategy to creating a risk-awareness in the company. From this perspective, risk management can be seen as the fundamental part of GRC, or at least as the first step, gathering the relevant information (i.e. risks) for the following compliance and governance measures.”
No, GRC starts with the letter G – and Governance is arguably the most important part of GRC. It is where oversight of the company exists, where strategies and goals are defined, where risk appetite is established, and where performance is monitored. Risks should be defined within the context of their potential to impair the achievement of strategies and goals. Compliance is something that has to be achieved, and is potentially both a constraint on performance and a risk that has to be managed.