The Institute of Internal Auditors' Tone at the Top Defines GRC and Gets It Right
The August 2010 issue of Tone at the Top includes a clear definition and discussion of the term ‘GRC’ (which stands for governance, risk management, and compliance). While the term is increasingly used by executives and board members, the concept of GRC is more often than not misunderstood. So, I for one am pleased to see the IIA share the business-oriented definition developed by the Open Compliance and Ethics Group (OCEG). This is the definition I use myself: it explains quite clearly and concisely that GRC is about how you direct and manage the organization to optimize performance, while considering risks, and staying in compliance (my paraphrase of the OCEG definition).
GRC is not about technology.
GRC is not a fad or a catchy phrase for software vendors and professional service providers to generate revenue.
- It is about running the business better.
- It is about ensuring the integration of strategy and risk.
- It is about ensuring you remain in compliance with applicable laws and regulations at the same time as you drive the business forward.
- It is about addressing the business problems created by fragmented governance, risk management, and compliance functions and/or processes and systems – problems of effectiveness and efficiency.
- It is about ensuring there is a timely, quality, complete flow of information to, from, and among those responsible for governing the enterprise, assessing and managing risks and opportunities, and assuring compliance.
I recommend a considered read of the August issue and the article. For more on GRC, visit these sites:
- The Open Compliance and Ethics Group
- Norman Marks on Governance, Risk Management, and Internal Audit (multiple posts, starting with 12/25/2009. You might want to start with that then work your way forward)
Posted on Sep 7, 2010 by Norman Marks
Share This Article: