Is it time to call the term “GRC” dead?
While the ‘rest of the world’ thinks of “GRC” as governance, risk management, and compliance, the Institute of Internal Auditors (IIA) uses the term to refer to governance, risk management, and [internal] control.
This is confusing. I can imagine a conversation between two people about “GRC” that continues for 20-30 minutes before they realize they are not talking about the same thing.
Taking the IIA usage first, it has meaning and relevance. While the term GRC is not used per se, the IIA’s definition of internal auditing says that internal audit provides assurance by assessing the organization’s processes for governance, risk management, and the related internal controls. So it has meaning, although (my opinion, not shared by IIA leadership) I wish they would come up with another acronym and stop confusing the greater number who think the C in GRC stands for compliance and not control.
In my experience most internal auditors, influenced presumably by consultants, software vendors, and thought leaders from OCEG, think of the C as standing for compliance and not [internal] control.
So let’s turn to the more common usage of GRC – governance, risk management, and compliance.
Earlier this year, in April, I wrote companion pieces on GRC:
Seven months on, I am starting to think that the term is becoming even more meaningless in practice.
Maybe we can ask the person who invented the term GRC. Although there is competition from PwC and others (including the founder of OCEG), it is generally recognized that Michael Rasmussen (a friend) made it popular while he was with Forrester Research. He needed a term to describe the bucket of software functionalities he was assessing and decided to use the term GRC.
The stimulus for this post and reflection on GRC is recent writing by Michael on his web site. Referring to himself as the GRC Pundit (others call him the King of GRC and he certainly has no peers), he lambasted Gartner for their ‘Magic Quadrant’ assessment of GRC solutions (I did the same, for different reasons, in an earlier post).
But it is worth noting that Paul Proctor of Gartner (not the individual responsible for their ‘Magic Quadrant’) said he hates the term GRC. He said:
“GRC is the most worthless term in the vendor lexicon. Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have.”
I love and agree with this sentiment.
To add to the confusion around GRC, Gartner has its own definition. However, the most common and most widely-recognized definition is the one from OCEG:
“GRC is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].”
We could leave it there, in a confused and confusing world.
But enough is not enough.
Gartner also has definitions and an assessment for IT GRC – whatever that is – and Michael, on his web site now refers (and sometimes gives awards to):
- Identity and Access GRC
- Legal GRC
- 3rd Party GRC
- Enterprise GRC
- GRC gamification
Now I am not being fair to Michael, because I know what he is really doing. GRC is so broad, extending from processes to setting strategy and monitoring performance, through risk management to legal case management, internal audit management, information security, data governance, and more. So, he has diced up the software landscape into categories and awarded different vendors for their excellence in individual categories.
Is there any point to continuing to talk about GRC (except within the IIA with respect to their usage) when there are so many reasons there really is none?
I am privileged to be a Fellow of OCEG. They champion the concept of Principled Performance, referring to GRC (under their definition) as a capability that enables Principled Performance. Principled Performance is defined as:
“The reliable achievement of objectives while addressing uncertainty and acting with integrity”
Perhaps we can stop (except for the IIA) talking about GRC and start talking about how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values).
What do you think?
Or should we step back and just talk separately about organizational governance, performance management, risk management, ethics and compliance, information security, and so on?
I welcome your views.
Leave a Reply
Norman Marks on Governance, Risk Management, and Audit 
GRC isn’t the only place that Gartner misses the mark. Since 2006, we’ve written about their shortcomings to understanding continuous controls monitoring (CCM), which are technologies from CaseWare Monitor, ACL’s A/X, Oversight Systems and more. These tools combine data analysis together with workflow and visualization to provide actionable business insights. For more, see Rutgers World Continuous Auditing and Reporting Symposium. ( http://raw.rutgers.edu/28wcars )
IMHO both Normans dialogue and I know Mike Rs views are hugely relevant, informing and stimulating. I became interested in GRC around 2006.
My take on it really just focuses on the links between the G, the R and the C (more like G|R|C. 😉
So what I mean is that I don’t think solutions in this space; whether they be services or products, should market themselves as such unless they are about ‘linking’ Governance, Risk Management and Compliance together to create something more in than just the sum of the parts.
There seems to be so much argument and frustration that GRC is used as a bucket and, with due respect to OCEG, just authoring a neat definition does not a true solution make.
Thanks again Norman for a view that is illuminating and thought provoking.
Thank you Norman, stimulating as ever.
My view is that GRC is a helpful concept to address a meaningful problem – the problem being the very old one of “how do you run a business properly?”.
This meaning, however, is too broad for any one interest group to grasp, which is precisely why the IIA get it wrong. Auditors are trained to talk about internal controls, but aren’t trained in the same environment as other people who manage risks. Not just Insurance people, but Project Managers too and Quality Management professionals.
The reality is that once you get some Quality professionals in the same room as Internal Auditors, they immedialtey see they are doing th same job but with different language. Once they get over the delight of finding fellow friends in adversity, they quickly realise this is job-threatening, so reinvent the things that divide them. I’ve seen it happen.
We need the GRC concept to keep bringing organisations back to the basic need to identify risks (I still think Opportunities as well as Threats) and to manage them effectively and with visibility. This means deploying all sorts of skills to address risks in all areas, including Quality, Internal Audit, Health Safety and Environment, Projects, Mergers and Acquisitions, Strategic Planning – the list goes on. This needs GRC systems of many types but also needs flexible skill groups that can overcome organisational silos to be deployed effectively.
That’s how to run a business properly.
Hope this helps – good luck.
GRC is not dead. Proclaiming GRC as dead is stating that governance, risk management, and compliance are dead and not needed. As I have mentioned time and time again, every organization does GRC whether they call it GRC, some other term, or do not have a name for it. Every organization has some approach to governance, risk management, and compliance. GRC is a way of measuring the maturity of the organization in these areas and how they integrate, collaborate, and align with each other. In your last paragraph you still describe GRC – “Perhaps we can stop (except for the IIA) talking about GRC and start talking about how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values).”
OK, GRC is dead, long live GRC. I do not get it. Norman, you focus more energy on this topic of an acronym when the focus should be on how to improve organizations. Yes, I use the term GRC and I think it is a good term. I think it has a natural flow from the governance setting objectives, risk management helping to understand uncertainty and therefore define boundaries and paths to meet those objectives, and compliance making sure we are staying within boundaries and on the defined path. You take that away with some other term and you lose the components and process and how they work together. Yes, we can just roll everything up under governance. Some may call it ERM. I think GRC is the best, most logical, and the term that shows the relationship.
Great post Norman. Clearly no-one is saying that the functions of governance, risk and compliance are no longer relevant or have a lower priority, its just the capitalised “GRC’ has passed its sell by date for all the reasons above. I was at a meeting yesterday where the acronym was used in a discussion of issues, and I asked what it meant to this organisation. After a little discussion, the answer was ‘I don’t really know’. And that is a common theme . . Avoiding the term makes discussions on the topics much clearer and forces more clarity of thought (IMHO)
I concur
I’ll support your assertion Norm. I’ve never like the GRC concept believing that it’s application to most business structures challenges reality. I would suggest we don’t need ERM, or SRM either and would urge we all simply acknowledge that if risk management was practiced in its most comprehensive form from the jump, we wouldn’t be treading water in this alphabet soup.