Is There Value in the Term "GRC"?

I have blogged frequently about the concept of GRC, the definition I use (from OCEG), and why I believe there is value. For example, there was a lot of discussion here.

The IIA, ISACA, and several others have GRC conferences. But, having attended and spoken at several I am not sure there is a common understanding of what GRC represents. Is it something separate from its component parts: governance, risk management, and compliance? Is it really about risk and compliance? Is it about technology, or how to run the business better? Do oganizations have to "improve GRC" (and what does that mean)? Do they need a GRC function?

Now I want to get your views — in fact, as many views as possible on whether “GRC” is hype or real, whether you agree with the OCEG definition, and more.

Please answer the questions in this brief survey. I will share the results here.

Posted on Nov 22, 2010 by Norman Marks

Share This Article:    

  1. Norman:

    There is little value in any aspect of GRC as previously communicated and as documented in our guest blog of October 6.

    Best regards,



Leave a Reply