IIA Research Foundation report only adds to confusion about GRC
A new report published by the IIA Research Foundation, Contrasting GRC and ERM: Perceptions and Practices Among Internal Auditors, is not to blame for the confusion about GRC that it reports. The confusion existed before this report highlighted it (and, to some extent, added to it).
It raises the question of why we should continue to talk about GRC as if we all share the same understanding of what it means, when we clearly don’t.
For a start, the document (influenced by an academic advisor whom I normally respect, but who on this topic is way off base) can’t seem to decide whether the “C” in GRC stands for compliance or control. While many of us think it should stand for control, it doesn’t. That debate ended a long time ago. It stands for compliance and, given the roots of the term, that is appropriate.
To see how bad the confusion is, just look at any GRC thought leadership paper (from other than OCEG, Michael Rasmussen, or me) and replace the term GRC with risk management. I would bet that the paper would make more sense that way.
In fact, most of the published work on GRC has either been about risk management or the combination of risk and compliance. Governance is rarely in the picture except for the oversight by the board of risk and compliance.
The IIA Research Foundation report is free to IIA members, so download it for yourself and see whether it helps you understand GRC or simply confirms that the world remains confused by the term.
I still think there is some value in thinking about GRC (see my explanation here), but in practice we should stop focusing on GRC as it is getting in the way of fixing risk management, organizational governance, and compliance. See this discussion for details.
Do you agree? If so, are we tilting at windmills?
How did a term whose meaning we don’t agree on become so firmly established?
I welcome your views and commentary.