Is it time to call the term “GRC” dead?
While the ‘rest of the world’ thinks of “GRC” as governance, risk management, and compliance, the Institute of Internal Auditors (IIA) uses the term to refer to governance, risk management, and [internal] control.
This is confusing. I can imagine a conversation between two people about “GRC” that continues for 20-30 minutes before they realize they are not talking about the same thing.
Taking the IIA usage first, it has meaning and relevance. While the term GRC is not used per se, the IIA’s definition of internal auditing says that internal audit provides assurance by assessing the organization’s processes for governance, risk management, and the related internal controls. So it has meaning, although (my opinion, not shared by IIA leadership) I wish they would come up with another acronym and stop confusing the greater number who think the C in GRC stands for compliance and not control.
In my experience most internal auditors, influenced presumably by consultants, software vendors, and thought leaders from OCEG, think of the C as standing for compliance and not [internal] control.
So let’s turn to the more common usage of GRC – governance, risk management, and compliance.
Earlier this year, in April, I wrote companion pieces on GRC:
Seven months on, I am starting to think that the term is becoming even more meaningless in practice.
Maybe we can ask the person who invented the term GRC. Although there is competition from PwC and others (including the founder of OCEG), it is generally recognized that Michael Rasmussen (a friend) made it popular while he was with Forrester Research. He needed a term to describe the bucket of software functionalities he was assessing and decided to use the term GRC.
The stimulus for this post and reflection on GRC is recent writing by Michael on his web site. Referring to himself as the GRC Pundit (others call him the King of GRC and he certainly has no peers), he lambasted Gartner for their ‘Magic Quadrant’ assessment of GRC solutions (I did the same, for different reasons, in an earlier post).
But it is worth noting that Paul Proctor of Gartner (not the individual responsible for their ‘Magic Quadrant’) has said that he hates the term GRC:
“GRC is the most worthless term in the vendor lexicon. Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have.”
I love and agree with this sentiment.
To add to the confusion around GRC, Gartner has its own definition. However, the most common and most widely-recognized definition is the one from OCEG:
“GRC is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].”
We could leave it there, in a confused and confusing world.
But enough is not enough.
Gartner also has definitions and an assessment for IT GRC (whatever that is), and Michael, on his web site, now refers to (and sometimes gives awards in) categories such as:
- Identity and Access GRC
- Legal GRC
- 3rd Party GRC
- Enterprise GRC
- GRC gamification
Now I am not being fair to Michael, because I know what he is really doing. GRC is so broad, extending from the processes for setting strategy and monitoring performance, through risk management, to legal case management, internal audit management, information security, data governance, and more. So he has diced up the software landscape into categories and awarded different vendors for their excellence in each category.
Is there any point in continuing to talk about GRC (except within the IIA, with respect to their usage) when there are so many reasons to conclude that there really is none?
I am privileged to be a Fellow of OCEG. They champion the concept of Principled Performance, referring to GRC (under their definition) as a capability that enables Principled Performance. Principled Performance is defined as:
“The reliable achievement of objectives while addressing uncertainty and acting with integrity”
Perhaps we can stop (except for the IIA) talking about GRC and start talking about how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values).
What do you think?
Or should we step back and just talk separately about organizational governance, performance management, risk management, ethics and compliance, information security, and so on?
I welcome your views.