Does It Make Sense to Discuss GRC?

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


My good friend, Michael Rasmussen, is perhaps the father of the term GRC and styles himself as the GRC Pundit. He has an excellent website that I wholeheartedly recommend, and one of his latest posts is on the subject of 2013 GRC Drivers and Trends.

I share with Michael and many others the belief that the term GRC refers to “a capability to reliably achieve objectives (governance & performance) while addressing uncertainty (risk management) and acting with integrity (compliance)”. This is the definition from the Open Compliance and Ethics Group (OCEG), of which both Michael and I are Fellows.

But while I agree with the definition and the notion that performance is only optimized by orchestrating and integrating the consideration of risk and compliance with governance and management, I am far less sure that it makes sense to spend much time talking about GRC.

I think it only makes sense to talk about GRC when you are talking about breaking down the silos of risk management, compliance, and governance (which includes strategy-setting and performance management).

In order to have a “GRC problem”, where the problem is a lack of integration and coordination, I think you need a somewhat mature set of individual processes for risk management, compliance, strategy, and performance management!

Most organizations are less than mature in at least one of those areas.

So, while I understand the GRC term and concept, I would prefer most organizations and their management teams, at all levels, to stop thinking about GRC and focus on their business process problems in:

  • Strategy-setting and communications
  • Performance management
  • Business information and communications
  • Risk management
  • Compliance management
  • Information security
  • Etc.

I welcome your views and comments.

Posted on Apr 14, 2013 by Norman Marks


  1.  In Portuguese we have a saying which we can translate as “put the finger right into the wound”. It’s something close to “hit the nail on the head”, but with the addition that you are touching a no-comfort zone.

    And I think that is exactly what you did.

    I agree the GRC concept is great and is surely what any organization should aim to achieve. But as you said, most organizations are far from being that mature. So, the pragmatic way things happen in real life is to address any of the big GRC areas (risk, compliance and governance), or even any GRC flavor by itself, when the opportunity arises and the organization is ready to do it. And, if you do it right, hopefully you will have the opportunity to add some additional flavors/projects towards the ultimate all-processes/areas integrated GRC “nirvana”.

  2. Norman, thank you for introducing some common sense into the debate.  Most of the time GRC is defined in such a broad way that it amounts to "everything that management does" (this includes the OCEG definition, to whose sentiments I defy anyone to take objection).  

    You list a number of business process problems to illustrate the breadth that people try to assign to GRC, including strategy, communications, performance management, business information and communications, as well as specific bullets on risk and compliance.  We might add ethics too.  None of this need be wrong, but at the end of the day, is it not only semantics?  

    The bottom line is that a well-run enterprise needs to do all of this (and other things) well.  However, unless one is setting up an organisation from scratch, many elements of GRC are already in place, even if not clumped together under that sobriquet.  An integrated offering therefore represents a major challenge for any business to contemplate adopting, and the value proposition for dropping existing piecemeal systems and processes and replacing them with a different, integrated, all-singing-all-dancing one is very hard to demonstrate.  So in reality I totally agree that the piecemeal approach, of upgrading capability in specific areas where the business sees greatest risk, is the only practical way forward.  

  3.  Is it my imagination, or is GRC just another revenue-producing ploy to supplement the decreasing SOX-consulting revenue?  Apparently there are enough audit committees around who are unfamiliar with risk management in general (which I agree should be the focus) that they don't recognize it when it's repackaged as GRC . . .
