
Just what is GRC? Please share your definition

September 23, 2011

This morning, I read about yet another conference on GRC. I have seen a “GRC Summit”, “GRC Conference”, and a conference to discuss moving from “SOX to GRC”.

I read about people saying we need a “GRC program”, a “GRC organization”, a “GRC platform”, and so on.

Others say that GRC is a meaningless term, just vendor hype to sell services and products.

As you know, I advocate the OCEG definition of GRC and explained my views in this post.

But what do you think? Please share with us all your brief explanation of what GRC means to you. How would you explain it to your CEO?


PS – if you prefer to comment in another forum, such as a LinkedIn group, please put it here so more people can view it. I will do so for you if necessary, so everybody from all groups can see all comments.

  1. Norman Marks
    September 23, 2011 at 11:39 AM

    One individual has responded (on LinkedIn) that GRC means Governance, Risk, and compliance. I am asking what the term GRC means. Why use the term GRC instead of talking about its elements, or just risk and compliance?

  2. Paul Helmich
    September 23, 2011 at 5:56 PM

    To me GRC is virtually synonymous with plain old Enterprise Risk Management.

  3. Charmaine Greene
    September 24, 2011 at 9:26 AM

    Hi Norman

    To me, GRC is about the leveraging of common information processes, controls and systems (and people) to work together using a common framework that allows transparency and the sharing of information.

  4. Fernando A. Fernandez
    September 24, 2011 at 11:55 AM

    GRC stands for Governance and Risk Control but it’s nothing new. Unfortunately, risk-management is still pretty much associated solely with financial management risk and not, as it should be, with enterprise-wide risk management. Should that be the case (and it will probably take a new generation of CEOs and CFOs to be at the helm of corporations), there would not be the type of fragmentation we now have across the board in risk-management. To make it worse, people use this term simply because it makes them look as if they know what they are talking about, whereas in fact most do not have a precise idea of what it really means. Last but not least, I think that another “malaise” affecting integrated risk-management practices and their dissemination is that SOX practitioners, who got the financial accounting and reporting “blinders”, are the ones pushing for it, and that ends up actually leaving out a lot of professionals that have a wealth of experience to contribute. I am a CPA, but got rid of my blinders many moons ago and learned of the importance of opening up to other professionals who can contribute a whole lot in terms of expertise on this subject.

  5. September 24, 2011 at 5:32 PM

    Hi Norman

    I think the term GRC has emerged due to the realisation that without the “G” the other elements have not achieved their full meaning and purpose; in other words there is a realisation that good governance is integral to effective risk and compliance. In particular I find the concept of “risk governance” appealing in that it signifies a strategic and higher level of focus and authority, as distinct from risk management, which is how risk is addressed on a day to day basis. At this level the governance aspects of risk should mostly be focused on setting the overall risk appetite and culture, leaving the “management” of risk to those who manage the business affairs.

    So on this basis a definition of GRC would entail “an integrated, strategic approach to setting and monitoring risk appetite and culture by those who govern”.

    To my mind the compliance aspects can and should be treated as an operational risk, important enough to have its own subcategory but aggregated into the risk appetite just like all other risks.

    The big challenge now is to help directors and those who govern to play their part in setting and monitoring the risk appetite and culture. This is a new playing field that most risk managers that I meet simply do not comprehend or have the skill set to add value to, particularly when it comes to the cultural aspects. Only time will tell if GRC emerges as something other than a catchy acronym.

  6. September 25, 2011 at 3:40 AM

    I’d respond to the hypothetical CEO like this:

    “GRC”, standing for Governance, Risk and Compliance, is a key aspect of management at all levels in an organisation.

    Governance is the creation and implementation of controls so that risk to the business is mitigated. Controls may be procedural or technical, and may also be absolute or derived. An absolute control is a yes/no test, whereas a derived control sets limits on behaviour or activity such as deciding the credit limit to be extended to a customer or exposure to a market.

    Risk to a business or organisation is the likelihood of an outcome which has a negative effect. It is usually formally evaluated using the techniques of “residual risk assessment” or “failure mode effects analysis”, in which each potential risk is assigned 3 scores: severity, occurrence and detection. The severity x occurrence x detection score yields a risk priority number allowing the level of risk to the enterprise to be compared with others, and resources prioritised for the design and implementation of governance to control the risk. Residual risk is an RPN score remaining after the effectiveness of controls has been taken into account.

    Compliance is the process of auditing the effectiveness of governance/controls in an organisation. It has two key aspects:
    – it is, in itself, a control forming part of the overall governance of an organisation and specifically addresses the risk that controls are not implemented or followed.
    – it measures the effectiveness of controls and other governance measures allowing the leadership team to have visibility of the overall risk profile

    GRC, then, is an holistic approach to
    – the identification and prioritisation of risk
    – the implementation of controls to mitigate risk to an acceptable level
    – verifying that controls are both sufficient and effective
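The FMEA-style scoring the previous comment describes (severity x occurrence x detection giving a risk priority number, and a residual RPN once controls are accounted for) is easy to misread when it is only stated in prose, so here is an added worked example of a small risk register being scored and prioritised. This is illustrative code written for this page, not anything from the commenter or from OCEG; the risk names, scores and control reductions are constructed, and the way a control lowers a score (subtracting from occurrence, detection or severity, clamped at 1) is an assumption, since the comment does not say how effectiveness is applied.

```python
from dataclasses import dataclass

# Scores follow the usual FMEA convention: each on a 1..10 scale,
# higher meaning worse (more severe, more likely, harder to detect).
@dataclass(frozen=True)
class Risk:
    name: str
    severity: int    # 1 negligible .. 10 catastrophic
    occurrence: int  # 1 rare .. 10 almost certain
    detection: int   # 1 certain to be detected .. 10 effectively undetectable

# A control is modelled (assumption) as a reduction applied to one or more
# of the three scores of the risk it addresses.
@dataclass(frozen=True)
class Control:
    risk_name: str
    severity_reduction: int = 0
    occurrence_reduction: int = 0
    detection_reduction: int = 0

def _checked(score: int, label: str) -> int:
    if not 1 <= score <= 10:
        raise ValueError(f"{label} score {score} outside 1..10")
    return score

def rpn(risk: Risk) -> int:
    """Inherent risk priority number: severity x occurrence x detection."""
    return (_checked(risk.severity, "severity")
            * _checked(risk.occurrence, "occurrence")
            * _checked(risk.detection, "detection"))

def residual_rpn(risk: Risk, controls: list[Control]) -> int:
    """RPN left after every control targeting this risk has been applied.
    Scores never drop below 1: a control can make a risk unlikely or
    easy to spot, but cannot make it vanish from the register."""
    sev, occ, det = risk.severity, risk.occurrence, risk.detection
    for c in controls:
        if c.risk_name == risk.name:
            sev = max(1, sev - c.severity_reduction)
            occ = max(1, occ - c.occurrence_reduction)
            det = max(1, det - c.detection_reduction)
    return sev * occ * det

def prioritise(risks: list[Risk], controls: list[Control]) -> list[tuple[str, int, int]]:
    """(name, inherent RPN, residual RPN), highest residual first.
    Ties break on inherent RPN, then name, so the order is deterministic."""
    rows = [(r.name, rpn(r), residual_rpn(r, controls)) for r in risks]
    return sorted(rows, key=lambda row: (-row[2], -row[1], row[0]))

# Constructed sample register (values invented for illustration).
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing server", severity=9, occurrence=6, detection=4),
    Risk("Phishing credential theft", severity=7, occurrence=8, detection=5),
    Risk("Vendor invoice fraud", severity=6, occurrence=3, detection=7),
    Risk("Lost laptop with unencrypted data", severity=8, occurrence=4, detection=6),
]

# Constructed controls; note that vendor invoice fraud has none.
SAMPLE_CONTROLS = [
    Control("Unpatched internet-facing server", occurrence_reduction=4, detection_reduction=2),
    Control("Phishing credential theft", occurrence_reduction=3, detection_reduction=1),
    Control("Lost laptop with unencrypted data", severity_reduction=5),
]

if __name__ == "__main__":
    print(f"{'Risk':<36} {'inherent':>8} {'residual':>8}")
    for name, inherent, residual in prioritise(SAMPLE_RISKS, SAMPLE_CONTROLS):
        print(f"{name:<36} {inherent:>8} {residual:>8}")
```

Running it shows the point of the residual column: the server risk tops the inherent ranking but falls to the bottom once patching and scanning are counted, while the uncontrolled vendor fraud risk climbs from last to second. That reordering is what the comment means by prioritising resources on residual rather than inherent RPN.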

  7. Paul Helmich
    September 25, 2011 at 8:25 AM

    Quoting the last poster:
    GRC, then, is an holistic approach to
    – the identification and prioritisation of risk
    – the implementation of controls to mitigate risk to an acceptable level
    – verifying that controls are both sufficient and effective

    I agree. But, this is the same definition we have been using for at least ten years for “Enterprise Risk Management”.
    We have an expression for this in Dutch, I hope it does not lose too much in translation:
    “Old wine in new bottles”.

  8. September 27, 2011 at 6:11 AM

    GRC can be defined as “a set of frameworks, processes, and activities established across the enterprise to give an assurance to the top management and stakeholders that an effective governance mechanism is in place to ensure the risk and compliance functions are integrated, optimized, collaborative, and operate effectively; thus resulting in reduced efforts and costs of risk and compliance management and meeting the compliance obligations of the enterprise”.

  9. Norman Marks
    October 5, 2011 at 11:39 AM

    Please see this post for a review of everybody’s comments (including those left in LinkedIn) and my conclusions:
