Home > Risk > The GRC Survey: The results are in

The GRC Survey: The results are in

February 1, 2011 Leave a comment Go to comments

The survey I ran at the end of 2010 had some interesting results. You can see the report, with my summary and comments, here.

Overall, there was an encouraging level of support for the OCEG definition of GRC and the perception that their business-oriented view of GRC has value.

I was also encouraged by the consensus that GRC is far more than just risk and compliance. It is centered on optimizing performance and achievement of organizational strategies.

What does this mean for directors and executives?

  • Don’t let consultants and vendors confuse you with talk of a new “GRC requirement” or “need to improve GRC”. Focus instead on how you can optimize performance and the achievement of strategies
  • Settle on a common definition of GRC within your organization (I recommend the OCEG definition). Understand that it is a lens through which you view how the business is managed and directed, and about the need for the various elements within GRC to work together – in harmony. GRC is not about technology, optimizing compliance cost, or having effective SOX and internal audit programs. The latter are just some of the aspects of GRC, but not the whole of GRC
  • Don’t let the consultants and vendors tell you what GRC means (in a way that suits their products and services), or what you should focus on as priorities to address within your organization
  • Understand the issues that the GRC lens can help you see: silos, fragmentation, lack of harmony, lack of information, etc.
  • Fix what matters to your organization, not some mythical thing called GRC
  • Don’t be deluded into thinking you need to have a GRC officer – most organizations don’t need one. They need the executives in charge of the various functions within GRC to cooperate and collaborate for the collective advantage of the business

What does this mean for internal auditors?

  • The internal audit function can be a driver within the organization for a common definition and view of GRC. While there is a need to recognize the need for the different elements within GRC to work together (such as risk and strategy), it is also important to optimize the elements individually (such as risk management), including addressing the problems of fragmentation
  • Consider the risks of fragmented GRC processes, silos of operation within GRC, and inadequate information to run the business. Include them in the audit plan as necessary
  • The CAE can bring together the executives responsible for the various processes within GRC, so they can work together to prioritize GRC-related problems, sponsor and fund projects, and manage them to success

What does this mean to consultants?

  • There is tremendous value in a common language. Embrace and publicly support the OCEG definition
  • Join and participate in future OCEG guidance and thought leadership on GRC
  • Recommend OCEG and the Red Book (www.oceg.org) to your customers

What does this mean to risk practitioners?

  • There is no need to confuse ERM and GRC. Help executives understand that ERM operates much more effectively when there is harmony (and integration as needed) between risk management and strategy, etc.; when the problems of fragmented risk management practices are addressed; and, when the information you need to understand and address risk is timely, current, complete, and reliable
  • Participate in and consider leading enterprise initiatives to address the problems of silos, fragmentation, and lack of information

Learn more. OCEG will have a webcast on this and another GRC study on February 3rd. Register here: https://www1.gotomeeting.com/register/562257481 

What do you think of the results? What surprises you?

  1. February 1, 2011 at 5:06 PM


    Excellent survey, thanks for sharing the results. In my opinion regarding GRC in India, it is still underdeveloped. In a number of organizations, the various functions of GRC operate in silos, and there is very limited information flow. For example, compliance may not know what IT security team is doing, etc. The second problem, where attempts are made to integrate, it is done more on paper rather than in spirit. Common action plans for implementation may not be developed.

    Another challenge is that most of the functions are still highly dependent on excel rather than specialized GRC software. Lastly, the GRC functions are not considered very signficant by senior management, they are taken as a headache to be borne. Hence, the GRC heads hardly have any say in management decision making. A rather pathetic situation, and some may consider that in multinationals with global guidelines for GRC the situation is better. However, it is nearly the same, depends on the management. Some leave the GRC best practices at the borders of their own country and come to India with the idea that all that stuff is useless.

    So not much credit can be given to the GRC functions. In India some senior managers state the unwritten and undiscussable rule that internal auditors are required to issue the report which senior managers would like to read. Here indepedence is compromised completely, and some pleasant reports stating a couple of B and C category risks are highlighted.

    In such cases, the vale of GRC function to prevent fraud or manage risks is about nil.

    Sorry to give such a dismal picture, but that is the story in quite a few organizations.

    Kind regards,


  2. February 3, 2011 at 10:29 AM

    Very interesting and useful piece of work. Thanks for sharing it.

    It never ceases to amaze me the range of responses or interpretations of such an important aspect of an operation from, apparently, well informed individuals! Keeping it simple and determining what the business is and needs rather than being “led” by external parties sounds like good advice to me. Unfortunately many companies may have the will but not necessarily the way (or means) to execute.
    This item may be of interest:

    Updated: Enterprise Risk Management & Complexity analysis http://wp.me/p16h8c-W

    From a “complexity perspective” talk of so many silos, roles, functions, processes, etc. just communicate huge scope for, confusion, errors and omissions, barriers to unilateral GRC adoption or application. Heaping complexity onto already complex operations will, almost inevitably, have the opposite of the desired effect!

    If more companies, starting at C level, gained a greater understanding of the drivers of complexity and robustness within their “system” and its ecosystem (stakeholders), the risks and opportunities of the inter-connections to networks and domains become more readily understood and managed.

    Thanks again


  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: