The Formal Definition of GRC

My thanks to my friend and colleague Michael Rasmussen for his blog today on "Why GRC and What is it?" It includes not only a discussion, perhaps stimulated by activity here, but also spells out the OCEG definition:

GRC is a system of people, processes, and technology that enables an organization to:

  • Understand and prioritize stakeholder expectations.
  • Set business objectives that are congruent with values and risks.
  • Achieve objectives while optimizing risk profile, and protecting value.
  • Operate within legal, contractual, internal, social, and ethical boundaries.
  • Provide relevant, reliable, and timely information to appropriate stakeholders.
  • Enable the measurement of the performance and effectiveness of the system.

I am sharing this for those who have not seen it before, in the hope that it will bring clarity to the discussion of whether the OCEG definition has value, or whether GRC is simply hype.

Posted on Sep 22, 2010 by Norman Marks


  1. Unfortunately, it is all hype, Norman, and that hype will shortly be documented by us pulling together all of our prior commentary in one succinct snapshot. So your communication of the above will not bring clarity to the discussion. IMHO.

    Take the bullet above that GRC is a system of people, processes and technology that "understand and prioritize stakeholder expectations". BTW, you do not prioritize stakeholder expectations. You articulate stakeholder expectations. You prioritize further down the road the business risks, for obvious reasons.

    So I ask you a very simple question: so what is the process specifically in an organization to accomplish the above? How about something as simple as reviewing the annual report to identify some of the stakeholders, ask the board as well who these are, look at the business plans and other internal data. In one hour you should be able to understand who the stakeholders are, both internal and external (unlike COSO, which has neglected the external stakeholders). Next you set meetings with the key stakeholders and/or ascertain how their expectations have been rolled forward, as these will be both important for the strategic objectives, the risk appetite, the risk criteria and then the identification of events that create business risk. A very important step. Do you think anyone from BP thought about the 30,000 fishermen in the Gulf as a stakeholder when they were assembling their business strategies and risk profiles? What about the millions of tourists to the Gulf coast region? I don't think so.

    What I have described above is one tiny piece of the material in the risk management domain. So please communicate back, using this one simple example within the GRC domain, what is the system in place to do this (if there even is one), how is it any different from ERM, and how does it leave us any better off on this planet?

    Best regards,


  1. Arnold, I fail to understand your point. The G in GRC relates to what the board and top management do. If they are not focused on understanding and prioritizing stakeholder expectations, then they are failing in their primary duty to the organization.

    We call this process "governance".

    BTW, I don't think you "prioritize risks". Perhaps you miswrote.

    Note that stakeholders include not only shareholders but employees, the regulators, the community, etc.

  1. Norman:

    I agree with what you are defining as governance. What I am asking for is "what is the process by which the board and top management will understand and prioritize the stakeholder expectations?" I know that it is called governance, but explain the steps and, once you have explained the steps, point me to the Red Book where I can see these steps.

    Other points are noted and acknowledged.

  1. Arnold, here are some references for you:

    Does the Red Book outline best practices for everything in GRC, including Governance? No. It only describes the principles and a methodology some have found helpful in implementing effective processes.

    Does that mean that, as you put it, the term "GRC" is bankrupt? Of course not.

  1. Norman:

    Major bankruptcy. I respectfully disagree with you and as well believe that all of this will be quite demoralizing to your average internal auditor, who understandably will find himself/herself shortly with an array of risk management training needed to really be able to deliver high quality internal audit services. The last thing they will need is two different approaches to thinking about governance, risk and compliance.

    BTW, my question is still unanswered. I asked a simple question and it should not necessitate referring me to these massive documents. You made a statement about a process, and so kindly extract a copy of the process and share it. We will have more to share soon.

    Best regards,


  1. Arnold,

    1. I have shared with you some articles about how some have implemented a strategy development process. End of debate.

    2. The need to implement/audit risk management has nothing to do with the merits of the GRC way of looking at the enterprise. Nobody is saying that understanding GRC, working to address the need for harmony and the problem of fragmentation takes anything away from the need for effective ERM.

    3. GRC is not in competition with ERM.

    4. Enough has been said here. If time permits this afternoon, I will write about how companies have addressed harmony and fragmentation at

  1. Norman,

    You are ending the debate but have not answered the basic question that I asked and so I guess there is nothing further to go back on.

    You are completely wrong on points 2 and 3 above, and we will lay out our position further offline.

    Best regards,