
What is GRC and does it mean anything?

November 6, 2015

Note: this post has been updated with additional information and corrections from Noah Gottesman – thanks, Noah!

The IIA recently published reflections on GRC from two vendor representatives: Noah Gottesman from Thomson Reuters and Sergiu Cernautan from ACL.

The two gentlemen answered five questions posed by staff of the Internal Auditor magazine:

  • How do you define GRC?
  • What constitutes an effective GRC strategy?
  • What are the biggest compliance risks your clients are talking about?
  • How can the various compliance, risk, control, and assurance functions better align?
  • How are your compliance clients addressing regulatory fatigue and increased liability for compliance failures?

I am going to add my own thoughts on these questions, except I won’t answer the last one because I don’t have any “compliance clients”!

How do you define GRC?

It’s of more than passing interest that the IIA has its own definition of GRC: governance, risk management, and internal control. However, I agree with both interviewees that GRC stands for governance, risk management, and compliance.

We may know what it stands for, but does it actually mean anything of value?

I have been writing about this for years and will say here what I have said from the beginning: most people refer to GRC when what they really mean is risk and compliance. The G is silent. Yet, governance stands for so much:

  1. the work performed by the board and its committees, including the hiring, firing, and compensation of the CEO; the approval of corporate strategies, plans, budgets, major initiatives, and policies; the oversight of management, both sets of internal auditors, the filing of reports with the regulators, the system of internal control, and the management of risk;
  2. the work performed by the executive leadership team, including the setting of strategies and objectives; the monitoring of performance; the design of the organizational structure; and more; and,
  3. the work of the legal department and the internal audit activity – and I know there is much more I haven’t listed.

Yet, most commentators omit any reference to the G in their explanation of GRC and what it actually means.

Noah shared this in his email:

Yes, we share that the “G” is way too silent; but that is why I also blog about it:

I congratulate Sergiu Cernautan for his reference to the Open Compliance and Ethics Group definition, which is:

“GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives while addressing uncertainty and acting with integrity. It encompasses the governance, assurance and management of performance, risk, and compliance.”

This definition makes sense to me, while others seem without clarity or real value.

What Noah Gottesman says doesn’t mean anything to me. He equates GRC with “balance”, whatever that means.

This is how he explained it to me in an email today:

One, the concept of balance is similar to work-life balance, it is never perfect, it never will be, it is truly something that we all strive to achieve.
Second, balance is top-down / bottoms-up to Governance that fails in the great majority of organizations. While so many organizations discuss bottoms-up assessments, financial reconciliations, etc., etc. In reality, the entry level or front-line personnel are being greatly ignored, if not overlooked; don’t trust me… it is evident in the number of whistle-blowing cases reported now to the SEC, because employees could not even trust their own hotlines. [So much focus on external stakeholders and forgetting the external stakeholders.]

What constitutes an effective GRC strategy?

Frankly, this is a weird question. There has to be real meaning to the term GRC before you can have a GRC strategy. I would interpret the question as asking what would constitute an effective strategy to achieve effective GRC as defined by OCEG.

Noah gets it right.

It’s about getting the various parts of the organization to work together, in a collaborative if not integrated fashion, to achieve corporate objectives.

I enjoyed writing this metaphor to explain effective GRC in 2011.

I think an effective strategy starts with identifying the obstacles to performance today: silos, fragmented operations, failures to share and communicate, duplicative work, and so on. It continues by assessing the damage caused by each of these obstacles, prioritizing the corrective actions, obtaining buy-in from top management and all affected parties, then executing as needed.

Unfortunately, as most would, Sergiu only answers this question as it relates to risk management. For example, there is no way his response would address the failure to link corporate objectives, performance, and executive compensation.

What are the biggest compliance risks your clients are talking about?

I don’t have any compliance clients, but my experience this year is that boards are heavily focused on cyber security. Failures to protect information assets can lead to compliance failures.

How can the various compliance, risk, control, and assurance functions better align?

Gottesman gets it. To quote:

“These functions can better align by sharing their perspective of the organization and the core components of their methodology; specifically: how they view the organization, how they assess it, how they prioritize activities, how they execute on those activities, how they document results, how they determine the significance and priority of their results, and how they plan to follow up on their results.”

I would add:

  • They should recognize that they share the same objective, of helping the organization succeed
  • They can and must share the information each needs to be effective
  • They can and should support each other, for example with internal audit evangelizing the importance of risk management and providing advice on how its practice can be improved

What do you think? Do you agree with my answers?

  1. November 6, 2015 at 7:37 PM

    I’m sorry Norman, GRC just stands for another attempt to resell risk management and compliance management using a three letter acronym. It’s just like ERM, BCM, SRM, ORM, IRM, BRM, RBT etc etc.

    It’s notable that companies selling software have been very active in promoting the GRC confection and, indeed, they and the ‘normal’ consultancies are the major sponsors of OCEG – the home of GRC.

    If you think about it carefully and try to draw a Venn diagram you will see that in fact, risk management is a significant part of good governance but there is actually no real overlap between risk management and compliance management. Indeed, we know that organisations that adopt a compliance mentality to risk management normally fail to create any true value.

    Governance is “the system by which an organisation is controlled and operates, and the mechanisms by which it, and its people, are held to account.” You can see all the synergies there with the risk management process, but where is compliance? Once an organisation says that it simply wants to comply with the law, then all we have to do is audit and check that we do.

    We should also note that the R in GRC means risk management and not risk. The sole purpose for risk management is to support decisions so that we understand and respond to sources of uncertainty for our objectives. The only uncertainty with compliance is whether we do, or do not comply with law, regulations and contractual obligations. Despite the tendency to add ‘compliance’ to ‘risk’, compliance is just a binary consideration and is not a form of risk any more than reporting is one.

    It is a great shame that the C does not mean ‘control’, even though the IIA and others always get confused using that word as a noun and a verb. But I guess linking compliance to risk management sells more software.

    There’s nothing wrong with:
      • Ensuring consistency in decision making and governance processes across an organisation;
      • Understanding that effective risk management is the foundation for good governance;
      • Appreciating that achieving and assuring compliance with legislative and contractual requirements is an important input to good governance;
      • Combining departments and human resources that have common skills and roles under one department;
      • Using information systems to provide consistency in process, to store useful information and to improve efficiency in governance reporting.

    That is just good business practice and how well run organisations normally operate. But why do we have to label good management practice with three letters?

    • November 7, 2015 at 2:39 AM

      Grant – couldn’t agree more. GRC is adding complexity when it is not needed.

      Governance is about setting and achieving the organisation’s objectives within the legal and regulatory framework in which it operates. Governance therefore includes the proper management of risks which itself includes internal controls, of which compliance is a part. So all we should be really bothered about is ensuring the good governance of an organisation.

      The UK Institute of Chartered Accountants has an interesting view:
      http://www.icaew.com/en/technical/corporate-governance/dialogue-in-corporate-governance/the-principles-of-corporate-governance – and the word risk doesn’t appear once!

      Norman – I would add to your list under the alignment question:
      A clear, written list of objectives for each function, agreed by the board as encompassing all of the responsibilities necessary to ensure the board/audit committee receives opinions about the organisation’s ability to deliver good governance.

    • Norman Marks
      November 7, 2015 at 7:08 AM

      Grant, I agree with 95% of what you have said. I do believe that the OCEG definition brings out important issues, such as fragmentation, silos, failures to cooperate, and so on – but almost all so-called GRC solutions ignore the G part and confuse the risk and assurance professionals. In their desire to please the analysts, they integrate internal audit and risk management, as well as other functionalities, instead of delivering the best possible risk management technology.

  2. November 9, 2015 at 2:51 AM

    Looking at two of the latest scandals in sport (FIFA and now the IAAF – http://www.bbc.co.uk/sport/0/athletics/34758980), I wonder if one of the biggest compliance risks is that a member of the board (or members) are engaging in corrupt practices. I’ve done a very quick trawl of ‘top ten risks’ identified by various organisations and this doesn’t feature as an explicit risk, although corrupt payments are mentioned. Are boards, understandably, reluctant to admit they may have a rotten apple in their barrel?

  3. Manesh Mehta
    November 12, 2015 at 6:31 PM

    Governance is the most important item in GRC. It applies to individuals – the live ones who have inherent ability to react to every situation. If governance – that is inner thinking pattern of a person – is good, there is less risk and more compliance.
