
GRC Confusion

In 2008, SAP asked me to take a leadership position in talking about GRC. I was ready for a change, as my company (Business Objects, where I had led both internal audit and risk management as a vice president) had been acquired by SAP. While I had been offered an interesting opportunity in a risk management role with the company, I was less than enthusiastic about it.

I had enjoyed speaking at IIA and other conferences and seminars over the years, and the idea of making that a full-time job was appealing.

First, I had to find out what they meant by GRC!

In all my years as a risk and audit executive, I had never heard about it.

I knew what governance, risk, and compliance were individually, but I was not familiar with this acronym and why people wanted to combine three separate activities into a single expression.

SAP had a suite of programs they called GRC. But they were limited to tools to help manage user access to its ERP, maintain trade compliance (I make no comment on their own recent trade compliance problems), perform risk management, and comply with SOX. They also had a strategy management solution, but it was managed separately without integration with the solutions in “GRC”.

SAP also had a GRC department that focused on risk management, SOX compliance testing, and high-level information security oversight. The Senior Vice President of GRC also chaired their policy management committee.

Neither of these answered the question “what is GRC?” in a way that made sense. Why the three in combination?

I found the answer in the work of the Open Compliance and Ethics Group. They have a definition of GRC that makes sense.

GRC is the capability, or integrated collection of capabilities, that enables an organization to reliably achieve objectives, address uncertainty, and act with integrity; including the governance, assurance and management of performance, risk, and compliance.

In other words, it is about achieving objectives – together.

While this makes business sense, it is not accepted by everybody.

In fact, when I did my own study of what GRC meant, I found a useless plethora of definitions and understandings.

That led me to writing and talking about the fact that GRC should stand for Governance, Risk Management, and Confusion.

I also pointed out that the G in GRC was silent in most cases, because few if any GRC departments and even fewer GRC “platforms” have functionality to help those with a governance role: the board, executive management team, legal, strategy, and so on.

I first started blogging about this in 2009 (when I was in my new role at SAP). I closed that post with (emphasis added):

So, what does this all mean? I believe that there is so much talk about GRC that we can’t ignore it. Instead, we need to:

  • Recognize there is no common definition of GRC and ask everybody who uses it just what do they mean.
  • Instead of talking about GRC processes and applications, talk about the real business process problems in the enterprise.
  • When assessing applications from so-called GRC vendors, realize that each has a different definition of GRC and focus on the real business process needs you have. Don’t allow the fog of GRC to get in the way.
  • Recognize that the assessments of the market and solutions by analysts like Forrester Research and Gartner are based on their own (different) definitions of GRC. The components they include may not all be as important to you as they have assumed in rating vendors’ solutions.

The bottom line, for me, is that we should not allow the buzzword of GRC to divert us from assessing what is needed in our business. Just because somebody includes a functionality in their “GRC platform” does not mean we have to.

In a second post, I suggested a common English variation of the OCEG definition:

I like to think of GRC as how a company is managed and directed to achieve the strategies and goals of the stakeholders, considering risks and staying within compliance boundaries of applicable laws and regulations.

I could have said it even more simply: it’s effective, thoughtful management for success.


Have people learned in the dozen years since?

I don’t think so.

People call themselves GRC professionals without any responsibility for governance activities. For the most part, they seem to be risk practitioners, compliance professionals, or internal auditors. Few have more than one part of GRC in their job description.


PwC recently published “Next generation digital GRC”. Do they understand and have a useful way of talking about GRC? Look at how they start, with a quote from their Asia Pacific leader:

Throughout the last decade, the concept of governance, risk, and compliance has been viewed as a supporting function. However, more than ever, businesses are evolving to respond to shifting market dynamics, new digitally enabled competitors and changing customer expectations. Addressing these emerging challenges requires companies to rethink how to integrate GRC in order to build trust and enhance their market competitiveness. Otherwise, businesses cannot successfully manage rising uncertainty, complexity, and ambiguity around today’s regulatory and geopolitical environments.

GRC should not be considered a “supporting function”. It is how you manage for success! This is a pure sales pitch, IMHO. If this is your idea of GRC, I will let you read the PwC piece but I am not going to excerpt anything here.

The value of thinking about GRC is, as I have said in the past, that it makes you ask how everybody is working together to achieve success.


Who is a GRC practitioner?

The clearest answer is the CEO. He or she has all the dimensions of G, R, and C.

But another answer is that instead of only people who have all of G, R, and C, it’s anybody who has at least one part of that combination. That means pretty much everybody is a GRC practitioner.

Or is it a silly expression? Should we instead talk about risk practitioners, compliance professionals, internal auditors, strategic planners, attorneys, board members, information security personnel, and so on? In other words, focus on what people are responsible for rather than tagging them with an expression that signifies nothing?


I welcome your thoughts.

  1. Timo Warming
    May 31, 2021 at 2:20 PM

    Hi Norman,

    In my opinion, being a GRC practitioner is not about the role or responsibility somebody has in an organization. It’s about what the organization and the people want to achieve.

    For example:
    Are professionals responsible for G or R or C, and do they want to reliably achieve objectives, while addressing uncertainty, and acting with integrity?
    Then yes, these people are GRC practitioners.

    Is there a CEO, who is responsible for all three dimensions of GRC, but is (in practice) not acting with integrity?
    For me, that’s not a GRC practitioner.

    • Norman Marks
      May 31, 2021 at 2:55 PM

      Then that is the option where everybody (should be/is) a GRC practitioner.

      • Antonio Salas
        June 1, 2021 at 5:19 PM

        But isn’t everybody also participating in the internal control system? If we think in this way, we can probably find similarity.

  2. steve fowler
    June 1, 2021 at 5:11 AM

    Hi Norman, you know my view on this already:
    (a) TLAs (three letter acronyms) are a BAD IDEA to begin with. They spread confusion and misunderstanding.
    (b) Surely, GRC must stand for Goals, Risk and Culture as business strategy/goals and business values/culture must be more important than those other things that begin with G and C? By defining GRC my way, we firmly position risk management as a decision making and business strategy discipline, rather than as something that sits with legal…….
