A Word From the GRC Guru on 2011: His Gripes and Expectations

Michael Rasmussen, perhaps the most respected and influential individual when it comes to GRC, has written an interesting blog post: GRC 2011: Gripes and Directions.

I thoroughly agree with several of his points:

"What frustrates me is when vendors ignorantly communicate GRC as being about technology – technology is the enabler for GRC to achieve agility, efficiency, and effectiveness. GRC itself is broader than technology and should align with process and strategy."

  • I would expand on this and say that too many use the term GRC without really understanding what it means, but it helps them position their products and services.

"I am tired of seeing vendors come into buyer situations telling them they have the best and most adaptable solution out there – it slices, it dices, it does your laundry. Good night – GRC is about solving problems, generic answers do not cut it."

"As my friend Norman Marks has commented, you can go to a conference and hear a dozen or more definitions of GRC."

  • Michael and I are both OCEG Fellows and support their business-oriented definition of GRC. I fear that too many are defining GRC in a way that suits their business needs, without an understanding of what the term means (per OCEG).

"I see growing interest in ERM being driven by the board down and one focused and integrated into strategy and performance."

You can see I have selected perhaps half of Michael's gripes and predictions. I will add two of my own:

  • Too few realize that GRC is all about how you understand stakeholder needs, optimize performance against their expectations, manage risk, and remain in compliance. This means that risk management is within the context of strategy and the optimization of performance. Too few realize that the name of the game is optimizing performance in accordance with strategy. Looking at GRC and not considering the management of strategy and performance is making a major mistake.
  • GRC depends on management and the board having the information necessary to run the business; it must be reliable, timely, current, and complete. Why is this essential ingredient (included in the OCEG definition of GRC) not addressed when consultants and vendors talk about GRC?

Enough for now. What do you think?

Posted on Jan 19, 2011 by Norman Marks


  1. To Norman's addition on performance. Join my group on LinkedIn (GVP) Governance, Value Management and Performance (type in GVP in groups). Managing (GRC) risk and compliance is not the end game. It is about managing to create and preserve value through proper strategy and performance.

  2. I completely agree. In addition to Mr. Marks' and Rasmussen's thoughts, GRC should be about collaborating with Management and others. All too often, consultants and others are speaking a different language. When you distill GRC down to its basics - it is "What is your risk?" and "How much risk are you willing to accept?" Be a consultant, not an auditor!

  3. This basis for griping is not limited to GRC. I could easily have said much of the same about ERM, especially when it comes to hearing multiple definitions at a conference on both GRC AND ERM. One gripe I have is with those who seek to position ERM as a subset of GRC. To the contrary, I do not view either as a subset of the other. Until we can arrive at a consensus on the differences between GRC and ERM, and a willingness that one does not own sole rights to the other, I suspect we will continue to see continuing turmoil in both camps seeking a definition to which all can subscribe.

  4. To add another angle to this discussion, many of the professionals who enter the information security audit field today are from the networking background, who see IT security more as a technology implementation than from a GRC perspective.
