
The heart of GRC continues to beat – but what is it?

This OCEG diagram provides a great view of GRC – what it is really all about:

GRC is about how you (a) identify the objectives, strategies, and goals of the organization, (b) optimize performance and achievement of those objectives, (c) with consideration and management of risks to achieving objectives, while (d) remaining in compliance with applicable laws and regulations.

OCEG calls this Principled Performance.

To achieve Principled Performance requires the various organizations, processes, and such involved in governance, risk management, and ensuring compliance to work together – GRC Convergence.

  • Trying to optimize performance without managing risks is non-sustainable. Adverse events will happen and you will not be prepared. Opportunities will go wanting.
  • Focusing on performance without ensuring compliance is dangerous at best.
  • Trying to manage risks without understanding and relating them to the context of business strategies and objectives means that you are probably focusing on the wrong risks. We should be concerned with the risks to achieving objectives and optimizing performance.
  • Setting strategies without consideration of risk is dreaming.

The heart of GRC is the central part of the diagram – understanding and optimizing performance against objectives. In other words, the heart of Governance.

GRC is not, as some say, Risk and Compliance. R&C, out of context and without convergence with G, is futile.

  1. Larry Brown
    June 17, 2010 at 7:31 PM

    Sounds like COSO ERM, Norman. (Though I am a fan of OCEG’s Illustrated Series.)



  2. Dan Clayton
    June 21, 2010 at 4:33 AM


    I beg to differ. It may be the intent of COSO ERM, but it is not the illustration. The challenge that both COSO ERM and the OCEG’s Red Book fail to effectively meet is the definition of good management. How should things work on the business side? How are basics like objectives, accountability, and measurements implemented and balanced in the best way? Without this standardized understanding of good management, there is little way to create environmental context, and the value of risk awareness is significantly less. Solve the definition for good management and then integrate these models into it and we will be 90% there!

    I believe that is what should be focused on.

