
I joke about what GRC means. Apart from the IIA (who talk about governance, risk, and controls), everybody knows that the acronym stands for Governance, Risk Management (or ERM), and Compliance.
My joke is that it really stands for governance, risk management, and confusion. The confusion is because while people may be able to explain the parts, they find it difficult to explain the meaning of the whole – why the three are combined and whether that combination is more than the sum of the parts.
OCEG has the only useful definition in my opinion. The latest version, which you can explore here, is:
GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity
I surveyed people on this blog in 2011 and shared my thoughts as well as what I heard back in this post. Here is how I closed the article:
So what does this all mean?
I like what Lee Dittmar of Deloitte said:
In the complex and constantly changing sea of acronyms, abbreviations and other abstractions, there is one that is simultaneously met with affirmation and apathy, confirmation and confusion, and recognition and rejection.
CFO.com published an article on demystifying GRC that said it was:
An academic definition of the word ‘mess’.
I still hold to the OCEG definition and my summary… because I believe that it all (including and especially risk management) has to be within the context of optimizing performance, which is the essence of Governance. But this is clearly NOT the view shared by the majority of those who posted their views.
So, my conclusions are:
- Any conversation about GRC should start with a definition that explains how the term will be used. It is impossible to have effective communication when we are thinking of it in different ways.
- When vendors use the term in a way that helps them sell their products and services, it only adds to the confusion and heightens the feeling that GRC is just hype – a way to increase revenue.
- I still believe that there is value in the GRC lens to identify the need to fix fragmented operations. But attention is being taken away from ERM. If ERM is the message, say ERM and not GRC!
- I can only hope that continued discussion will bring the community together around either a single, accepted definition or the abandonment of it – replaced by something that we can all agree makes sense.
I was honored to be selected, along with Michael Rasmussen and Brian Barnier, to be one of the first OCEG Fellows. It was not because I was working for OCEG or in any way compensated by them. It was because I liked and recommended their definition. It was the subject of my very first blog on this site in 2009: Is there value in talking about GRC? Read more: https://bit.ly/3JltX7S