The heart of GRC continues to beat – but what is it?
This OCEG diagram provides a great view of GRC – what it is really all about:
GRC is about how you (a) identify the objectives, strategies, and goals of the organization, (b) optimize performance and achievement of those objectives, (c) with consideration and management of risks to achieving objectives, while (d) remaining in compliance with applicable laws and regulations.
OCEG calls this Principled Performance.
Achieving Principled Performance requires the various functions, processes, and systems involved in governance, risk management, and compliance to work together. That is GRC Convergence.
- Trying to optimize performance without managing risks is unsustainable. Adverse events will happen and you will not be prepared, and opportunities will go wanting.
- Focusing on performance without ensuring compliance is dangerous at best.
- Trying to manage risks without understanding them in the context of business strategies and objectives means that you are probably focusing on the wrong risks. We should be concerned with the risks to achieving objectives and to optimizing performance.
- Setting strategies without consideration of risk is dreaming.
The heart of GRC is the central part of the diagram – understanding and optimizing performance against objectives. In other words, the heart of Governance.
GRC is not, as some say, merely Risk and Compliance. R&C out of context, and without convergence with G, is futile.