Home > Risk > Survey results: how people define GRC

Survey results: how people define GRC

In September, I asked people to describe how they would explain the term GRC to their CEO if they met on the elevator.

The results are in, and in this post I will discuss them – with no names or attribution. At the end, I draw a number of conclusions and ask for your comments.

First, this is how I would describe GRC:

The concise version:

GRC is how the various parts of the organization work together, in an orchestrated fashion, to deliver value and optimize performance, through the management of risk and uncertainty, while remaining in compliance.

The clarification:

GRC is about the whole, not the parts – not even the sum of the parts! It’s about how they work together to achieve organizational success, which may involve sub-optimizing individual pieces so that the whole is optimized.

GRC is a perspective, a way of looking at the organization and identifying issues around silos, fragmentation, poor information, and a failure to collaborate.

Optimizing GRC is not about optimizing risk and compliance, policies and procedures, or any part. It’s about the whole jigsaw, not the individual pieces. So, a GRC program focuses on orchestration, etc. A GRC culture is all about people working as a team, across all organizational boundaries; but a GRC culture is also about having a corporate culture that is able to balance the contrary ‘pulls’ of performance, risk, and compliance and deliver on them all.

Two people join me and describe GRC in similar terms:

My GRC meaning in “elevator talk” mode:

GRC is a capability set. In essence it enables an organization to establish and strive towards its objectives while staying within established legal and voluntary boundaries.

GRC enables the integration and orchestration of key processes to become a more reliable, integer and reputed organization while addressing uncertainty and capturing opportunities.

GRC means better (acute) governance, risk oversight and conformance to requirements.


Being ethical is doing the right thing for the right reason even when no one is watching. The objectives of the PEOPLE, PROCESS, and TECHNOLOGY structures as defined in a “true” GRC progam improve on an Organization’s ability to define “right” and to set clear expectations and performance boundaries that are embedded into the business to maximize performance and optimize risk. The areas of governance, risk management and compliance management are particularly critical to the organization’s success in meeting its business objectives.

GRC is a collaborative approach within the organization between the oversight groups and the business operations to define what is “right”, and to set expectations to improve the ability of the business process to meet their objectives whether they are operational, strategic, financial, or compliance.

GRC is a methodology of PEOPLE, PROCESSES and TECHNOLOGY that enables a company to:
-understand and prioritize expectations;
-achieve objectives while optimizing risk and protecting value;
-operate within legal, contractual, internal, social and ethical boundaries;
-provide relevant, reliable and timely information to appropriate internal and external stakeholders; and
-enable the measurement of the performance and effectiveness of business processes in meeting the GRC objectives.

Governance is management’s transparency into operational adherence to established processes and policies, regulatory requirements, and strategic alignment with ability to monitor and require action to be taken.

Risk management is the process by which the organization sets the risk tolerance, identifies potential risks and prioritizes the tolerance for business initiatives leveraging internal controls to manage and mitigate risk. The overriding goal of risk management is to risk optimization.

Compliance management is the process that records and monitors the controls, be they physical, logical or organizational, needed to enable compliance with legislative or industry mandates as well as internal policies. It ensures that the boundaries are well set, and that the organization does indeed conduct business within them through established policies and controls. In the context of GRC, compliance is the act of adhering to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies. In other words, compliance is all about identifying requirements, legal or otherwise, and taking steps to ensure that the organization addresses all of them.

My take on the OCEG model.

Seven describe GRC as essentially the same as ERM:

To me GRC is virtually synonymous with plain old Enterprise Risk Management.

and, very concisely,..

Generalized Risk Confusion


GRC stands for Governance and Risk Control but it’s nothing new. Unfortunately, risk-management is still pretty much associated to solely financial management risk and not as it should to enterprise-wide risk management. Should that be the case -and it will probably take a new generation of CEOs and CFOs to be at the helm of corporations- there would not be the type of fragmentation we now have across the board in risk-management. To make it worse, people use this term simply because it makes them look as if they know what they are talking about, whereas in fact, most do not have a precise idea of what it really means. Last but not least, I think that another “malaise” affecting integrated risk-management practices and their dissemination is that SOX practitioners, who got the financial accounting and reporting “blinders”, are the ones pushing for it, and that ends-up actually leaving a lot of professionals that have a wealth of experience to contribute. I am a CPA, but got rid of my blinders many moons ago and learned of the importance of opening up to other professionals who can contribute a whole lot in terms of expertise on this subject.


I think the term GRC has emerged due to the realisation that without the “G” the other elements have not achieved their full meaning and purpose; in other words there is a realisation that good governance is integral to effective risk and compliance. In particular I find the concept of “risk governance” appealing in that it signifies a strategic and higher level of focus and authority, as distinct from risk management, which is how risk is addressed on a day to day basis. At this level the governance aspects of risk should mostly be focused on setting the overall risk appetite and culture, leaving the “management” of risk to those who manage the business affairs.

So on this basis a definition of GRC would entail “an integrated, strategic approach to setting and monitoring risk appetite and culture by those govern”.

To my mind the compliance aspects can and should be treated as an operational risk, important enough to have its own subcategory but aggregated into the risk appetite just like all other risks.

The big challenge now is to help directors and those who govern to play their part in setting and monitoring the risk appetite and culture. This is a new playing field that most risk managers that I meet simply do not comprehend or have the skill set to add value, particularly when it comes to the cultural aspects. Only time will tell if GFC emerges as something other than a catchy acronym.


“GRC”, standing for Governance, Risk and Compliance, is a key aspect of management at all levels in an organisation.

Governance is the creation and implementation of controls so that risk to the business is mitigated. Controls may be procedural or technical, and may also be absolute or derived. An absolute control is a yes/no test, whereas a derived control sets limits on behaviour or activity such as deciding the credit limit to be extended to a customer or exposure to a market.

Risk to a business or organisation is the likelihood of an outcome which has a negative effect. It is usually formally evaluated using the techniques of “residual risk assessment” or “failure mode effects analysis”, in which each potential risk is assigned 3 scores: severity, occurrence and detection. The severity x occurrence x detection score yields a risk priority number allowing the level of risk to the enterprise to be compared with others, and resources prioritised for the design and implementation of governance to control the risk. Residual risk is an RPN score remaining after the effectiveness of controls has been taken into account.

Compliance is the process of auditing the effectiveness of governance/controls in an organisation. It has two key aspects
– it is, in itself, a control forming part of the overall governance of an organisation and specifically addresses the risk that controls are not implemented or followed.
– it measures the effectiveness of controls and other governance measures allowing the leadership team to have visibility of the overall risk profile

GRC, then, is an holistic approach to
– the identification and prioritisation of risk
– the implementation of controls to mitigate risk to an acceptable level
– verifying that controls are both sufficient and effective


The centerpiece of GRC is risk which is appropriate. Organizations and governments need to put risk management high on their to-do list. This should be the responsibility of the organization’s top management (I.e., governance). Finally, one of the greatest risks is the laws and regulations that require some form of compliance. We need to educate industry about GRC.

“GRC” means Governance Risk and Compliance and for any CEO it is to be seen at enterprise level where all categories of risks are identified, quantified, mitigated and controls are also set. Key Risk Indicators (KRI`s) indicates all relevant risk measures at enterprise level for CXO dashboards.

and finally,

GRC is a clever term that combines three phrases that sounded good together so it stuck, but represent practices that have been around for years. Roughly synonymous with ERM, the whole idea is to ensure a good risk and control framework across the organization, that takes into consideration how the business is managed (governance), identifying and managing risk and ensuring compliance with policies, laws and regulations. Nothing new under the sun, except for the GRC vendors. If there is anything that the “idea” promotes it is trying to ensure consistency and coordination between these different management areas. But again, that’s ERM.

Two people think of GRC as risk management and compliance coming together.

GRC can be defined as “a set of frameworks, processes, and activities established across enterprise to give an assurance to the top management & stakeholders that an effective governance mechanism is in place to ensure the risk and compliance functions are integrated, optimized, collaborated, and operate effectively; thus resulting in reduced efforts & costs of risk and compliance management and meeting compliance obligations of the enterprise”


If I’m talking to a CEO and I’m limited by time here’s my quick elevator pitch. GRC is a three legged stool that helps the enterprise avoid business disablement.

Governance is what the organization is doing internally to mitigate risk and to comply with industry and regulatory requirements. Compliance is mostly driven by the business processes that are in practice by the organization. For example; if the organization is processing personal health information, cardholder data, or other sensitive information it’s likely there are industry and/or regulatory requirement for data security and privacy. The organization will benefit from a governance program that addresses rules for accessing and processing such information.

Risk is exactly that. Every business is subject to a certain amount of risk depending on their business models, processes and several other factors. The business should perform an annual risk assessment to better understand the following; the value of their business assets, the potential impact if weaknesses and/or vulnerabilities are exploited, and what remediation steps should be taken to mitigate risk to the enterprise. This information should make its way to the executive management team so proper actions can be taken to protect all stakeholders.

Compliance is what must be done to meet all industry and regulatory requirements. Most compliance is industry specific; healthcare, financial services, utilities, etc., all have specific compliance requirements. Certain business processes overlap industry specific requirements; for example, SOX, PCI-DSS, etc…

Viewing GRC as a three legged stool helps the CEO know that all three components are integral for business enablement. Failure to observe and manage all three components collectively will lead to dysfunction. If you want to properly balance a stool you must provide equal or similar attention to each of the three legs.

For one, the essence is Integrity.

Governance Risk and Control is the new “Mantra” for the business and economic environment!! Repeated corporate failures, frauds, accounting irregularities are all a result of inadequate governance, risk and control mechanisms!! All global economies both in the east and west are suffering from this inadequacy!! But the fundamental and root cause of all these is basic human greed!! So besides G R C we also need to have personal integrity and honesty and discipline which are fundamental traits of good citizens of society!! Society and Culture determines these values, and I do believe that economic growth and opportunities have eroded social and human values too!! Everybody needs to do some introspection and decide what one wants from life!! Time for a revolution in thinking!!

Five people think of it as the integration of separate activities to achieve efficiencies. The difference between this and my concept is that mine is more focused on total performance, which includes optimizing the top line as well.

To me, GRC is about the leveraging of common information processes, controls and systems (and people) to work together using a common framework that allows transparency and the sharing of information.


GRC is a construct that allows an organization to collect and connect compliance and risk information in a way that enables better performance by increasing data usability and efficiency and better managing costs. A GRC approach allows departments to better communicate with each other, assigns and tracks accountability more efficiently, and permits on-demand reports that Boards and senior managers require.

another says:

GRC (Governance, Risk and Compliance), is the integration of three similar yet unique management processes. We do this to manage the time, money and resources more effectively by streamlining and reducing the overlap of common management systems and reducing the management time necessary to execute each activity that would otherwise be managed separately and potentially isolated from each other.


Governance, Risk and Compliance activities are interconnected and all of them rely on common sets of information, methodology, processes and technology. Incoming new and pending regulations such as Dodd-Frank has heightened the need for connected governance, risk and compliance well beyond internal audit and compliance departments. The concept requires managers establishing a common, integrated discipline around regulatory requirements, policies, risks, controls, and consumer issues. GRC intends to lead organizations to better leverage information, gain operating efficiencies, and provide greater transparency into legal, regulatory, operational, and overall business risk.

This one also refers to integrity:

My point of view – GRC is nothing new. Yes, we have had an acronym for 10 years (in fact I was the first to define and model a market and label it GRC while at Forrester in 2002). The truth is that there are governance, risk management, and compliance processes in any organization – whether formal or informal.

What I tell organizations is that they have GRC whether they like it or not. GRC is part of business. Organizations have formal or informal structures, policies, practices, and processes for GRC. The question is: can they be more effective, efficient, and agile to the demands of a dynamic business environment. Most GRC areas within business are isolated and not integrated. They are scattered across the business and loaded with inefficiency, redundancy, and gaps – in truth they slow the business down. There is significant room for improvement by leveraging common processes, information, and technology across GRC areas. This is not consolidation – but integration. A federated model in which the different GRC components across the business can work together in harmony (or orchestration).

From a simple definition, to me good GRC is about INTEGRITY. The organization has made statements and commitments to how it is governed, complies with laws, manages risks. There are contractual obligations, corporate social responsibility statements, etc. Good GRC is about making sure that the organization has integrity – that what it has committed to in reports, policies, contracts, and commitments is a reality in the organization and we can measure and model it.

Three people had different ideas.

GRC stands for; Governance, Risk Management, and Controls. Therefore it implies that any management of corporations should ensure GRCs are working right and internal auditors; in their reviews emphasize on GRCs. Risk management and controls underpin Governance; if there are no robust controls and proper internal analysis and control of risks then governance fails


Governance = Right people taking the Right decisions
Risk Management = Informing the Right people what are the Best Options
Compliance = Informing the Right people that they took the Correct decision

and, in some ways my favorite:

Good question to ask – I’ve heard others mention that these terms are used in so many different ways that one may be wise to define the term when using it. I also believe that as this space continues to mature, a more common understanding will emerge.

Finally, three people think this is a sham.

There’s no doubt that GRC is a fabrication of the Accounting Consultancy Industrial Complex (ACIC). It is at best, an awkward and inefficient model of corporate reality.

Here’s what I mean. It is currently serving its purpose as a construct to introduce many orgs’ executive management to the realities of technology, regulation, and probabilistic/rational decision making. A nice gateway drug. But when I see more mature organizations outgrow the prefabrication that is GRC, it’s obvious that the “authority” of the ACIC actually then serves to inhibit quality processes around risk management and decision making.

If the ACIC wants to stay relevant, they need to figure out how to foster innovation in rational business management, rather than retard it. And that will mean retiring GRC and focusing on quality in the management of risk.


Great Risk Con or Great Revenue Opportunity!!

the last word (suggestion from the post) goes to:

I tend to agree with Norman that “GRC” does not mean the same thing across individuals. Given the amazingly high buzz around it, just like it is the new fashionable thing which is going to address all issues, I think that for some it stands for Growing Revenue Channel.

So what does this all mean?

I like what Lee Dittmar of Deloitte said:

In the complex and constantly changing sea of acronyms, abbreviations and other abstractions, there is one that is simultaneously met with affirmation and apathy, confirmation and confusion, and recognition and rejection.

CFO.com published an article on demystifying GRC that said it was:

An academic definition of the word ‘mess’.

I still hold to the OCEG definition and my summary (above), because I believe that it all (including and especially risk management) has to be within the context of optimizing performance, which is the essence of Governance. But this is clearly NOT the view shared by the majority of those who posted their views.

So, my conclusions are:

1. Any conversation about GRC should start with a definition that explains how the term will be used. It is impossible to have effective communications when we are thinking of it in different ways.

2. When vendors use the term in a way that helps them sell their products and services, it only adds to the confusion and heightens the feeling that GRC is just hype – a way to increase revenue.

3. I still believe that there is value in the GRC lens to identify the need to fix fragmented operations. But, attention is being taken away from ERM. If ERM is the message, say ERM and not GRC!

4. I can only hope that continued discussion will bring the community together around either a single, accepted definition or the abandonment of it – replaced by something that we can all agree makes sense.

I would appreciate your views and comments.

    October 5, 2011 at 11:52 AM

    You will never be able to gain clarity or have others understand this until such time as either a case is produced with very specific things that can demonstrate GRC in action. Long long memos that unfortunately will not improve this situation one iota

  2. Norman Marks
    October 5, 2011 at 11:54 AM

    Arnold, I wish I could point you to a study I did myself or a company I know personally. But OCEG did a survey that you can find on their web site. They found that fragmentation and silos abound, but when companies start a program to address them they obtain significant benefits – generally more than they anticipated.

  3. Mike Corcoran
    October 5, 2011 at 2:57 PM

    Norman, I like your opening definition. Not sure where it fits but need something on innovation as that is what will also help us humans thrive.

  4. Brett
    October 5, 2011 at 4:52 PM

    To my colleagues on the topic of GRC, When I was began a new role back in 2001 as a Corporate HIPAA Program Director with over 20 years of IT experience, I was initially tasked with the goal of establishing compliance with HIPAA EDI, Privacy, and Security regulatory requirements. The “corporate” position meant that I was a non-lawyer who was recently hired into the corporate holding companies legal department by the Chief General Counsel to clarify regulatory requirements and make sure that all of the covered components of the legal entity came into compliance.

    Once I understood the requirements, I realized that the 9 autonomously operating companies I was responsible for getting to work together to address the requirements would be required to have the same Notice of Privacy Practices and consistent policies and procedures, the approach was going to require an innovative solution.

    Quite simply, we would need policies developed by a committee representative of each company. Next, they needed the flexibility to craft procedure to comply with the policies that aligned with their business however, the procedures and subsequent forms and checklist for each business unit needed to be related to the policies to help with corporate visibility and oversight. We also needed some way of pushing the communication and attestation process out respective of the business unit, department, user group, and role or roles of individuals as well as other training.

    Given my IT background, I began looking for application solutions that would help me automate the development, organization, and provide accessibility of these documents, manage the training and monitoring as well as give me information I needed at a corporate level to report to executives on the effectiveness of our program.

    After scouring the earth for a solution all ready built with these minimum capabilities, I partnered with a technology company and a very large consulting/audit company to enhance the software companies application that was originally built for EH&S Safety training and policies and procedures to develop the capabilities I needed. At the same time, I said, there will be other companies that need this type of solution but I know from my searching, there is nothing specific to search on to find this type of product. A product that provides central visibility, with distributed responsibilities as well as the other features and functions to manage these compliance risks, and manage compliance. This software vendor happened to be a client of Forrester and Michael Rasmussen was the primary analyst. The discussion then went from this simple concept to the acronym “GRC” by way of my discussions with the consulting/account firm, the software company, and Michael who began writing and expanding on this initial business approach that would need automation to fully appreciate.

    Other things like assessments and surveys, incident and case management, risk repositories and the like continued to fit into the same approach as the approached matured over time.

    GRC is what it is, no more and no less. It produced business benefits that far exceeded what I could have imagined and one could include the arguments and dollars spent on trying to define or debate its purpose or relevance. It is hard to define because it varies from company to company. I personally feel that to argue its validity is to miss the whole point entirely.

    The discussions and debates should not be about GRC but about the pros and cons of changes in business so that extraneous costs are greatly reduced, that the right hand knows what the left hand is doing and that they are both doing what you want them to do.

    It is about good processes, organization function, and technology that supports the businesses needs and goals.

  5. October 6, 2011 at 1:14 AM

    A wise man (either Norman Marks or Michael Rasmussen) once explained GRC this way:

    Risk management identifies, analyzes and treats risks. Governance includes policies and procedures that are part of some risk treatment actions. Compliance is ensuring the governance requirements are met.

    This makes sense to me. However, reality is that the elements are often silo’s within a company and this leads back to your clarification – It’s about how these silo’s work together to achieve organizational success, which may involve sub-optimizing individual pieces so that the whole is optimized – and may I add – to avoid silo thinking!

    Thanks for your inspiring thoughts!

    • Ck6
      October 7, 2011 at 6:00 AM

      Thomas, you left out “monitor” in your definition of risk management, and I believe that is the area for discussion. Whether the exercise is risk management, compliance or governance, monitoring established procedures (compliance and governance) or operations (risk management) is the key to success.

      As Norman has identified and several have commented on definitions are critical. I believe the world is to large to ever develop one common set of definitions in any area. Take accounting standards as an example. Not only do you have IFRS and USGAAP, but at the grassroot level you have individual account partners applying their interpretation of one of the standards.

      However, within an organization definitions must be agreed in order to ensure attainment of corporate goals. When we are asked to assist in developmentment and implementation of an enterprise risk management program, the initial work is developing an organizational wide set of risk management definitions.

      Commonality is gained through forums such as this allow disparatepirate individuals from differing areas to exchange ideas which will eventually become accepted norms/definitions.

  6. October 6, 2011 at 6:12 AM

    I agree that GRC is a clever term that has helped sell software but has brought nothing new to the work of managing risk. I have yet to find a single person that can identify a single aspect that wasn’t already part of a holistic ERM framework.

  7. Mark Daoust
    October 6, 2011 at 1:03 PM

    Great read….

    “An academic definition of the word ‘mess”. (I’ve had this feeling, after meeting with 4 of the client’s Divisional Directors, each with a different understanding of the mission)

    Generalized Risk Confusion (Was this person a Board Member?)

    I prefer the OCEG definition, however, I appreciate the many thoughtful comments and will return to read them again as I digest the differing threads of reasoning…

  8. Ian Drewer
    October 7, 2011 at 9:00 AM

    Perhaps we might take Norman’s conclusion number 3 to heart (with slight modification) — “ERM” may be interpreted as “Embeded Risk Management” or as “Enterprise Risk Management”. Lets stick to that; it remains essentially comprehensible, relevant and realisable objective.

    Furthermore, if “Embedded” and “Enterprise” (as in whole entity) are taken together, we have a simple picture of an ideal management approach — in which “risk management” is an inherent part of every activity, control and exploitation of risk both have their place and “silos” are avoided. There is nothing in this terminology that in any way constrains the effort to financial or fiscal risk and nothing to exclude either where inclusion is appropriate.

    Practice in this way MUST incorporate governance, compliance, monitoring, audit etc., none need special identification or separation from the overall embedded, enterprise-wide, effort

    GRC is a term invented for the sake of invention; Get Real Comrades — we don’t need another expression of this kind so dump it before it the contamination spreads.

  9. October 12, 2011 at 5:36 AM

    Norman, very insightful comments posted. When you first posted your question I think I responded with the meaning of the acronym GRC in our company which stands for Group Risk Committee. If I now browse through the various comments and I unpack the standing agenda and mandated scope of our “Group Risk Committee” is touches on and links to various of the discussions/views and perspectives posted here and again good to see that the world of Risk is alive and active………and more so that our GRC is talking and doing the right stuff 🙂

  10. June 2, 2014 at 9:53 AM

    Most of the times the surveys are carried out for some manufacturing or
    service company. The rate could vary depending on your background,
    expertise, exposure to industries, and educational credentials.

    Remember this service is free and you should not
    be charged to gain access to this list.

  1. October 6, 2011 at 6:34 PM
  2. March 1, 2012 at 7:42 AM
  3. August 18, 2013 at 11:24 AM
  4. October 14, 2013 at 10:03 PM
  5. June 29, 2014 at 12:00 AM

Leave a Reply to ARNOLD SCHANFIELD Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: