Home > Risk > IIA Research Foundation report only adds to confusion about GRC

IIA Research Foundation report only adds to confusion about GRC

A new report published by the IIA Research Foundation, Contrasting GRC and ERM: Perceptions and Practices Among Internal Auditors, is not to blame for the confusion about GRC that it reports. The confusion existed before this report highlighted (and to some extent added to it).

It raises the question of why we should continue to talk about GRC as if we all share the same understanding of what it means, when we clearly don’t.

For a start, the document (influenced by an academic advisor whom I normally respect but on this topic is way off base) can’t seem to decide whether the “C” in GRC stands for compliance or control. While many of us think it should stand for control, it doesn’t. That debate ended a long time ago. It stands for compliance and, given the roots of the term, that is appropriate.

To see how bad the confusion is, just look at any GRC thought leadership paper (from other than OCEG, Michael Rasmussen, or me) and replace the term GRC with risk management. I would bet that the paper would make more sense that way.

In fact, most of the published work on GRC has either been about risk management or the combination of risk and compliance. Governance is rarely in the picture except for the oversight by the board of risk and compliance.

The IIA Research Foundation is free to IIA members, so download it for yourself and see whether it helps understand GRC or simply confirms that the world remains confused by the term.

I still think there is some value in thinking about GRC (see my explanation here), but in practice we should stop focusing on GRC as it is getting in the way of fixing risk management, organizational governance, and compliance. See this discussion for details.

Do you agree? If so, are we tilting at windmills?

How did a term whose meaning we don’t agree on become so firmly established?

I welcome your views and commentary.

  1. July 31, 2013 at 12:12 PM


    Honestly, the term risk management suffers with the same issue. There are multiple meanings and definitions of risk management. Tons of them. In fact, there is more variance in the term risk management or ERM than there is in GRC. Granted the R in GRC is risk management. But the acronym of GRC has less variance in definition that ERM or risk management.

  2. Lawrence Ellefson
    July 31, 2013 at 2:14 PM

    And as you and I have discussed before, Norman, it’s not just the acronyms that are confusing, it’s the various definitions of the components (what is a risk and how is it defined), that is also an issue. There are AICPA standards, IIA standards, ISO standards, not to mention individual requirements that individual organizations wish to enforce internally. I wonder if the acronyms and standards haven’t compromised the ability to get the work completed in a timely and consistent manner.

  3. Jacquetta Goy
    August 15, 2013 at 3:07 PM

    I’ve just read the report and was concerned at not only how muddled the survey respondents appear to be, but also the researchers. I thought it most surprising that a 2013 research report on ERM and GRC referenced OCEG only once and ISO31000 only in passing. Why they felt that a new definition for GRC was required I am really not sure given that the OCEG definition works very well and is generally accepted.

    I also found that the separation between ‘risk’ and ‘ERM’ in the report was strange. I have tried hard to move my own organization to stop talking about ERM and start thinking about managing risk because I think that the use of acronyms is a barrier but some of the discussion in this report to me was quite nonsensical. There is no need to have complex diagrams with different categories for ‘risk’ ‘ERM’ and ‘residual risk’ as although there may be debate as to whether GRC is a useful content surely there is no dispute that the ‘R’ is for risk, whether you call that ERM or not. Indeed one of the definitions of ERM given in this report was for ‘risk management’ rather than ERM in any case (and why quote the Council of Standards Australia and not ISO31000?) which just goes to show even the authors do not really think that there is a fundamental difference. Again there was absolutely no need to invent yet another definition.

    Having chosen to redefine the two concepts and then later describing ERM as a process and GRC as a structure I then found it completely inexplicable when they asked survey participants to assess the maturity of both ERM and GRC using exactly the same scale, which was quite clearly only about risk management. The inference made from this was that respondents didn’t differentiate, when in reality the researchers did not provide an appropriate scale for assessing the maturity of GRC.

    I felt that this report was more likely to increase confusion than to address it. Plus the dropout rate seemed very high with almost 35% of those opening the survey getting no further than 4 out of over 50 questions. Oh and it seems to me rather a poor show to reference someone’s job title and get it 5 years out of date!

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: