The Institute of Internal Auditors' Tone at the Top Defines GRC and Gets It Right


The IIA’s Tone at the Top is a periodic publication designed (in their words) “to provide executive management, boards of directors, and audit committee members with concise, leading-edge information on such issues as ethics, internal control, governance, and the changing role of internal auditing; and guidance relative their roles in, and responsibilities for, the internal audit activity.” (Complimentary subscription is available here.)

The August 2010 issue of Tone at the Top includes a clear definition and discussion of the term ‘GRC’ (which stands for governance, risk management, and compliance). While the term is increasingly used by executives and board members, the concept of GRC is more often than not misunderstood. So, I for one am pleased to see the IIA share the business-oriented definition developed by the Open Compliance and Ethics Group (OCEG). This is the definition I use myself: it explains quite clearly and concisely that GRC is about how you direct and manage the organization to optimize performance, while considering risks, and staying in compliance (my paraphrase of the OCEG definition).

GRC is not about technology.

GRC is not a fad or a catchy phrase for software vendors and professional service providers to generate revenue.

  • It is about running the business better.
  • It is about ensuring the integration of strategy and risk.
  • It is about ensuring you remain in compliance with applicable laws and regulations at the same time as you drive the business forward.
  • It is about addressing the business problems created by fragmented governance, risk management, and compliance functions and/or processes and systems – problems of effectiveness and efficiency.
  • It is about ensuring there is a timely, quality, complete flow of information to, from, and among those responsible for governing the enterprise, assessing and managing risks and opportunities, and assuring compliance.

I recommend a considered read of the August issue and the article. For more on GRC, visit these sites:


Posted on Sep 7, 2010 by Norman Marks

Share This Article:    

  1. Hi Norman,

    My understanding of GRC leans toward Governance, Risk and Control.  Under COSO, compliance is one of the objectives that an enterprise should be striving to achieve through an effective system of risk management and control, rather than a seperate part of the system.  It occurs to me that this badging of GRC with the C as compliance is more a software vendor led approach as this more easily explains the split of their products.  I'd be interested in your thoughts on this.  Thanks.

  1. Peter, I agree with your reasoning. But PwC and the others who coined the GRC term have saddled us with it - and it does have some value. It does help us understand the need to make sure that governance (especially strategy) considers risk, that to optimize performance you need to consider and manage risk, and all of that has to be done while staying in compliance.

    I disagree that GRC is a software vendor led approach. In fact, while vendors have latched on to it, the term was invented by consultants and then pushed by analysts.

  1. Hi Norman:

    With all the respect that I have for your professional acumen, I do on this issue, disagree with you strongly and agree completely  with Peter Goodchild's comments above.

    It only adds further confusion and not clarity and if it provides any value at all, then let the next individual who writes an article on it, produce a case backed up by factual content that demonstrates clear tying together of all the points. We have  yet to see this.

    On September 5, one day prior to your blog, I penned the response which appears in next e mail below to  the Editors of Tone at the Top.

    Arnold Schanfield


    Dear Editor:

     I received your recent newsletter entitled “What GRC could mean to your organization”- Some thoughts follow:
    I submit to you the hypothesis that the term GRC and everything it entails is a myth- a charade perpetrated by the large consulting firms and other niche service providers to just try and sell more consulting services in the marketplace. It has no value and at end of the day as clarity starts to develop over risk management, it will be seen for what it is.
    Risk management is a discipline for managing uncertainty- uncertainty of all events both good and bad- the risks that are derived from this uncertainty must be assessed for their significance, likelihood and timing. Such risks are generated as well from events related to governance and compliance and these will be dealt with in the normal course of having a robust risk management framework and process in place. The stuff you say about GRC “providing a larger, over arching framework and philosophy for communicating around governance and compliance risks by leveraging technology for reporting mechanisms such as dashboards” is pure bunk. It’s not needed and is redundant. I suggest that OCEG President Carole Switzer obtain a copy of ISO 31000, study it and learn it and then network with accomplished risk management thought leaders.

    see next e mail

  1. continued from above to Tone At The Top Editor

    This should allow her to straighten out her thinking on this subject. More importantly you do the members of the internal audit profession a disservice when you publish such materials.

     If you wish to discuss further, please contact me at your convenience.
  1. Arnold, my friend,

    Sorry, but your comment reflects a lack of understanding of what we are talking about with GRC.

    The average company of size has 7 different functions performing risk management. GRC is about eliminating this kind of fragmentation. GRC is not a competitor for ISO 31000. It is about enabling effective risk management within the organization regardless of standard or framework. It is about getting the different risk functions to work together, using common frameworks and processes so that top management and the board get a holistic view of risk across the business.

    The average company also has strategy management, planning, and risk management in different parts of the organization. GRC is about the need for them to share and cooperate, breaking down the silos. Strategies, plans, and execution need to adapt to changing risk conditions. Risk management alone is ineffective in driving the company towards its objectives. Strategy and performance management without risk are equally imperfect.

    These are real problems.

    Please read the materials I refer to in the post - and we can chat here or offline.

    One last word: many vendors and consulting firms misuse the term for promotional purposes. So, if you refer to that abuse of the term GRC I have every sympathy. But, the abuse and misuse does not detract from the fact that thinking GRC brings managing and directing the business into new light.

  1. Hi Norman,

    Thanks for the response.  I agree that the objectives of GRC are admirable and certainly have value, but  I do wonder to what extent they differ from a well implemented COSO ERM.

    The COSO objective setting component identifies strategic objectives which are supported by the operational, reporting and compliance objectives.  This I would suggest is very similar to the governance part of GRC.

    COSO then requires a risk & control self assessment i.e. how do the systems and processes match to our objectives whether strategic or compliance etc.  This sounds much like the risk mgmt element of GRC.

    Finally COSO requires actions to improve the control environment to better meet enterprise objectives.  Again very similar to GRC in that control objectives of completeness, accuracy, existence and in a timely manner seem similar to those you have stated.

    Therefore, it is difficult to see how this overarches ERM?  An effective ERM process will be objective led, and as objectives are supported by processes rather than departments this should encourage the breakdown of silos.  Admittedly, in practice I've found it extremely difficult to implement as clear objective setting can be very challenging.

    If GRC is a rebadging of ERM with the aim of helping the sell to the C-Suite then it has value, otherwise all I can see are the same concepts rehashed in to a new package.

  1. Fair question, Peter.

    I agree that COSO ERM emphasizes the linkage between strategy and risk. But, it starts with strategy whereas Governance includes setting and adapting strategy. Governance also includes performance management and more.

    So while the R and C are included within ERM, not all the G is.

    For me, a large part of the value in thinking of GRC is not so much that the body of GRC is different (I think a stronger argument is that GRC is the same as Governance, when defined using a framework like King III). It's in the way of looking at the whole that is significant.

    GRC emphasizes two things: (a) fragmented processes, and (b) the need for governance, risk, and compliance to be entwined in the directing and managing of the entity.

  1. Bruce McCuaig left a comment on LinkedIn:

    "Norman, aside from the fact that it correctly reflects the current OCEG view, what is it that makes this definition "right"? Who is it "right" for? How will we benefit from this definition as opposed to others? Can you share with us your criteria for what is "right" and wrong here? It is a big, new space, so to speak. I'd have though there was a little room for discussion before dogma sets in.
    I am pleased with a business vs. a technology driven definition. But I'm not sure this definition will get the job done that we need to get done."

  1. My answer to Bruce's question is that "right" is a matter of opinion. To be honest, I struggled for months when I first heard of "GRC" - I believed it was all part of Governance. (Risk management being integral to efffective governance, and compliance being one of the aspscts of risk). But I could see that many organizations (including in my past) had issues related to entwining all three in running the business, and many have major fragmentation issues.

    So, I could see the value in this business perspective.

    I also strongly believe that the technology perspective is misleading. Whether you want to harness your horses to the OCEG definition of GRC, the COSO ERM definition, or the King definition of Governance, you are better off (IMHO)  than focusing on GRC as technology. Technology only exists to solve a business problem, and those who push a technology perspective for technology's sake have not persuaded me that they are solving a business problem. But that's another discussion.

  1. Norman/Bruce/ Peter:

    I see no value in GRC as articulated above and will be glad to further discuss this offline. The folks that are pushing it do not understand risk management well and/or they are too busy trying to generate revenue for their firm in the way of selling fancy acronyms. It will add only further confusion to the internal audit community.

    To Norman I would say- lay out a specific example of a problem in a company that GRC would solve and how it would do this and then share this and I'll demonstrate how an excellent system of risk management addresses this fully.  Also all of governance is included in risk management by definition of what risk management is.(unlike your comment of above) 

    To Peter I would say  that although COSO-ERM is not a very good framework compared to say AS/NZS 4360:2004 and now ISO 31000- it does the things you say it does and therefore makes GRC completely redundant.

    To Bruce- good question for Norman



  1. This story may help understand how I see GRC.

  1. Arnold

    I don't disagree with the definition of GRC that Norman quotes. But to your point, I believe GRC needs a value statement. My view is that the record of the GRC  community, Internal auditors, risk managers, vendors, service providers and others, in preventing avoidable corporate and strategic failures and catastrophic loss events is abysmal. If GRC, whether it turns into a movement, a profession or just a loose association  does not drive down preventable failures then it is a waste of time. Right now the odds are stacked against it.

  1. The editors and authors of Tone at the Top respect the various and diverging perspectives voiced here on Norman Marks' blog. It's a healthy debate worth having. 

    We do hold ourselves to a high standard when identifying appropriate topic sources, and emphasize our appreciation to OECG President Carole Switzer, an accomplished and respected thought-leader in the governance and risk management field, for providing her expertise and perspecitves on GRC issues.

    We are pleased that we've presented a topic worthy of such in-depth discussion and analysis and feel the publication serves as an excellent resource to members of the internal audit profession.

    Also, for an excellent review of both sides of this issue, go to Google and enter the search terms, "Why GRC Matters to the Internal Auditor" to read a recent article in Compliance Week on this topic.

    Tone at the Top

  1. Here is a link to the Compliance Week article:

  1. You make some very good points.

    The basic concepts of risk management have been around as long as people have been transacting business.  However, the methodologies people have deployed to enhance the effectiveness of their risk management processes have evolved continually since that time as risks have changed, the challenges of conducting business have become more complex and businesses have become more geographically diverse. 
    Have consultants played a role in developing methodologies that have enhanced these processes?  Probably.  Take Enterprise Risk Management.  For years this was considered a vehicle devised by consulting firms to sell more services.  Then COSO introduced its framework, Sarbanes-Oxley was born, Standard & Poor’s announced it was integrating an analysis of ERM into its own review process and companies began embracing ERM.  Is GRC a product devised by consulting firms?  Maybe. Should the “C” in GRC represent Compliance or Controls?  Do these matter?  Many people prefer to view GRC as the next step in the evolution of risk management methodologies designed as an umbrella covering the entirety of the organization to address the ever-changing risk environment, more complex challenges and a significantly more geographically diverse economy.  
    Dennis McGuffie
    Editorial Advisor to Tone at the Top
  1. In response to Peter's comment  that  "C"  wrongly stands for Compliance rather than "Control" let me note that when OCEG  says "Compliance" we do not only mean regulatory compliance, but also compliance will all voluntary requirements set by an organization  based on its values and commitments. This means compliance with laws and with established policies, procedures and controls. Controls are an important tool, just as ensuring a strong ethical culture is important. As we began to use the GRC term as far back as 2004, I would often speak to the term as really being GRCCC (compliance, culture and controls).

    It is important to note that for GRC to be effective, not only risk professionals in an organization must be involved. The goal is not only to have good risk assessments and risk management decisions performed in a vacuum, but to also tackle and address the disparate approaches to existing siloed compliance efforts. Most organizations have 12-25 different compliance silos (e.g., corruption, environmental, employment, trade, etc.) each with their own approaches. And most often, compliance professionals have no understanding of the term "controls" nor do they know how to establish a system that is measurable and on which assurance of effectiveness and performance may be provided. This failure of regulatory compliance management presents a huge risk as well as waste and addressing it is critical to successful governance.

    Thus, a large part of the goal of a GRC approach is to enhance the ability of all relevant players (IT, Internal Audit, Risk, Finance, Compliance, Legal and others) to understand and support the information needs of the others, to coordinate how risk assessments, audits, and compliance efforts are undertaken to make the best use of resources and ensure the clearest view of information needed by the governing authorities.

  1. I suspect critics of GRC (and for some reason of me personally) have not read the GRC Capability Model, which was created by committees of 200+ including principal authors of COSO and COSO ERM, experts in ISO 31000; thought leaders in risk, compliance, finance and audit; academics; and yes, advisory and technology firms.It has been downloaded more than 30,000 times free at . ISO 31000 is consistent with part but does not address all aspects of the model. Why? Because GRC goes beyond ERM improvements. Compliance mgmt is disconnected in silos  and its risk is regularly underestimated or ignored. Internal audit can't provide assurance about compliance program effectiveness or performance. There is a burning need to integrate (not consolidate) across silos, between roles and up/down to improve information reliability and flow. Technology can help but if the processes aren't right, it won't save the day. Criticizing the GRC concept is not the exclusive domain of solo risk consultants who point to ISO 31000 as the be all and end all (and use it in their own engagements). Less forward thinking compliance consultants say all we need is to follow the U.S. sentencing guidelines. Some technology companies say all we need is to use their products. And ethics professors just advocate teaching people to do the right thing. The simple fact that this occurs evidences the need for a GRC approach integrating ideas from all disciplines. Please, map ISO 31000 to the GRC Capability Model and show us that every practice in the Model is present in the standard. And if not, show us what parts of the Capability Model are not useful to improve business performance.


    Another resource for Internal Auditors is the OCEG Whitepaper: Critical Conversations – CAE at the Center, which discusses GRC and the role of the Internal Auditor. It may be downloaded from the OCEG site at
  1. Carole,

    Several things will be helpful:

    If you can point to where the process is located that was followed to "give birth to the GRC Capability model." I keep on hearing that this was created by hundreds of practitioners but where is the process?. Unlike ISO 31000 or its predecessor documents-  there was a vetting process taking input from hundreds of risk practitioners around t he globe over a three year period with numerous drafts issued until this final document was issued.

    The number of times a document is downloaded has no bearing on whether it is good or not (case in point the COSO ERM framework which was downloaded so many times and we know how good  that document is (sarcasym). So it is nice to know that GRC was downloaded 30,000 times.

    You mention that GRC does things beyond ISO but I believe that these  statements  cannot be supported. Take the issue of silos. Do you have any specifically developed case studies  that clearly demonstrate elimination of silos in organizations following GRC?

    If you take the time to read ISO 31000, ISO 31010, IEC  73 and the predecessor documents of AS/NZS 4360:2004 and  the respective handbooks, you will see that the issues of silos are well addressed and will be handled quite adeptly in ISO 31000. So I  think that these statements above have little merit.

    Continued Below




  1. Carole,

    Continued from above

    But the most important reason why GRC should be ignored completely is because your average internal auditor is at least a couple of years behind the curve ball when it comes to understanding comprehensive risk management and internal audit's role in this area with all the appropriate things that are implicit in "the fan". This requires a certain mindset. The last thing we need is "another mindset" at this juncture in time.

    Let us also not forget the myriad of technology consultants that of course have jumped on this bandwagan to try and hawk their wares under the guise of "GRC" . Not a very good thing.

    So in summary, I stand by all prior comments made on this subject matter and will be willing to discuss this further in any public or private forum. Just bring a documented case study clearly articulating what GRC has or will do and I will do the same.

    BTW- Many of the critics of GRC have published whitepapers in leading academic journals. Have your white papers been published in any leading academic journals and if so which ones?

    Arnold Schanfield

  1. Here is what leading risk/governance practitioner Grant Purdy from Australia, who has published materials in many leading academic journals has to say about GRC  

    From Grant Purdy
    Oh dear, here we go again.  What is it with your countrymen and their fads.  This seems to happen all the time: rather than confront the real problems, we go off on a tangent.  Rather than settling down to understand how to manage risk effectively, we dream up another 'product' and start off on another round of proselytising. Prevarication rules, maybe.
    I've written about GRC before.  It seems to me just another 'fad' following on from ERM, EWRM, SRM, IRM, BRM, ORM, Internal Control, etc. etc.  It seems to have been 'invented' by Michael Rasmussen when he was writing about IT systems for risk management etc. when he was a Forrester.  He then teamed up with a self appointed group who called themselves the OCEG who were mainly concerned with compliance, and they wrote the "Red Book".  Now they sell 'boot camps'!!

    continued below

  1. GRC seems to have also arisen out of an organisational convenience: where do you put risk management?  Well it seems to many companies that risk management is (just) about reporting and that is what governance is all about (so they think). And compliance, well that is just about ticking boxes and reporting isn't it?  So you can see that it makes sense to lump all this reporting stuff in one box so that one department can take it over and lesson the load on the rest of us.  Then we only get disturbed occasionally to tick some boxes on a software package to sing off that everything is wonderful.
    More seriously, compliance and (proper) risk management are poor bed fellows.  Preventative Law based on risk management makes a lots of sense (and I and a friend who is a Barrister have published a handbook on it!) but compliance checking does not.  And, of course, risk management is the foundation of good governance.
    If you draw a Venn diagram you will see the problem.  

    Continued below

  1. final from Grant Purdy
    I do believe that a compliance driven approach to risk management is one of the roots of the GFC.  It certainly helped set up the sub-prime debacle
    What GRC seems to lead to (apart from an attempt at world domination of everything that happens in an organisation) is compliance driven risk management with a heavy emphasis on reporting using a software tool.  It particularly irks me that they say the 'R' stands for 'risk', not 'risk management';  as if risk is a subset or component of something.  Risk is everywhere and associated with any activity where we make a decision to do something.  Its central, not marginal.

    Words are pretty important:  they are the coat pegs on which we hang culture and behaviour.  If we suggest that risk, compliance and governance are made of the same stuff or are three parts of a whole, then we are conveying entirely the wrong impression - of all three of them.

    Ted Dahms,  talks much more eloquently about how governance, risk management and control assurance fit together: if the 'c' in GRC has to mean anything, it should mean 'control assurance'.
     GRC will pass and is probably blowing itself out already.  It seems the next big idea is already coming over the horizon and it is ... (drum roll): 'Resilience'.
  1. And if one expert opinion is inadequate to sway opinion, how about an opinion from the leading risk/governance/internal audit practitioner  from Canada (alright perhaps he is not number one but surely in the top five and his record will speak for itself.

    Here is what John Fraser has to say about GRC

    I have tried to ignore GRC, since while on the surface it sounds impressive (i.e. put everything into one pot thereby saving money and guaranteeing assurance) I have not seen it work in practice nor can I imagine it working well.  I thought I would do some brief research and found the following gem on GRC on the Wikipedia website:
    “Analysts disagree on how these aspects of GRC are defined as market categories. Gartner has stated that the broad GRC market includes the following areas:
    • Finance and Audit GRC
    • IT GRC Management
    • Enterprise Risk Management.”

    continued below

  1. john Fraser comments-continued from above
    I also heard the head of OCEG give a speech here in Toronto a couple of years ago on GRC and it made no sense to me.  There were lots of swirly diagrams with arrows involved.
    Some specifics:
    I do not think GRC is a “complete waste of time.” I just think it is a bureaucratic and expensive way of dealing with yesterday’s problems not tomorrow’s.
    The “G” in GRC always seems to involve some lowly personnel NOT the board or CEO.
    The “R” in GRC always seems to relate to some relatively mundane low level risks and not the big ones that need attention.
    The “C” says it all.  I think GRC is primarily a compliance system.
    For it to work well would require a comprehensive bureaucratic blanketing of the organization and a change in management style back to a direct and control type of management. Maybe this could be helpful in high transaction organizations such as big banks.  Similar to continuous auditing I think it comes down to how you wish to spend your dollar for what level of assurance.  Do you need to check your kid’s homework every night or just spot check it occasionally?
    I have not seen GRC discussed other than in the context of the software to handle it!

    continued below

  1. fraser commentary continued

    I have seen little integration of strategy into the mix.
    It seems to be using a large hammer for a small part of running the business.
    I love the following quote: “I disagree that GRC is a software vendor led approach. In fact, while vendors have latched on to it, the term was invented by consultants and then pushed by analysts.” Not any mention of  a business person anywhere, do any real people want it?
    Dashboards can be a good tool.  They have been around a long time marketed as performance measurement reporting systems, but it does require a major shift in corporate culture.  Few companies wish to go this route and those that do likely will realize they are paying a lot of money for not quite what they think they are getting.
    The quote “so that top management and the board get a holistic view of risk across the business” is likely only for the routine and transactional risks of the business.

    continued below

  1. Fraser conclusion from above
    Is there a good case study of GRC at work that I can read?
    The quote “Risk management alone is ineffective in driving the company towards its objectives”  may be correct about RM but not about ERM which is entirely focused on driving the company towards its objectives.  That is what ERM is all about.
  1. Wow, there are a lot of interesting perspectives in these posts.

    First off, I want to state that I deeply appreciate the work of several individuals posting on this topic.  First off, this includes Norman Marks for his continued leadership and insight into this area.  Second, and it may be surprising, to Grant Purdy who is referenced (but has not posted directly himself) - Grant's work in risk management has been superb, this whole space has a lot to benefit from him.

    My concept of GRC has not changed over the past 8 years - though my articulation of it has improved.

    GRC, simply put, is to provide collaboration between silos of governance, risk, and compliance.  It is to get different business roles to share information and work in harmony.  Harmony is a good metaphor, we do not want discord where the different parts of the organization are going down different roads and not working together.  We also do not want everyone singing the melody as different roles (such as risk, audit, compliance) have their different and unique purposes.

    If anyone wishes to attack GRC - I challenge you to attack it on the principle I have been articulating for years.  Tell us why it is a good thing that risk, compliance, audit, finance, and other areas should not work cooperatively together?  Note this is not a restructuring of the organization.  It is getting these roles to cooperate, collaborate, and share so there is a big picture of risk and compliance to oversea that the organization is properly governed.


  1. I do not care if you like or use the acronym, there are many GRC initiatives that I get involved with that do not use the term GRC.  The goal is the same - to drive efficiency, effectiveness, and agility across risk and compliance processes to support a dynamic and extended business environment.  GRC is a lot about process improvement and sharing information and processes.  What is bad about that?

    Compliance should not drive risk.  Nor should risk drive compliance.  They both should cooperate with each other and share relevant information.  Compliance is being challenged to do periodic risk assessments for unethical/non-compliant/criminal behavior.  Audit is being challenged to do risk-based audits.  Should these roles completely reinvent risk and risk management or work with the risk management team within an organization cooperatively, to learn from the risk experts themselves, to use a framework like ISO 31000? 

    On the flip side, risk needs to work with compliance.  The current economic mess is due in part to many banks that had good credit risk policies - they knew their thresholds and appetite, and it was articulated in policy.  The issue was they were not compliant with there policies.  Risk management without a compliance program is ineffective.  Again - two different departments with their own expertise that need to work together.

    I think we all know the answer to that.  Cooperation is best. To let different areas of the business lead where they excel but not dominate the others.  But to work together in harmony - to collaborate and share information and processes so we can achieve a holistic view of risk and compliance across the business.


  1.  While the GRC term is 8 years old, I state in my teaching all the time that it is nothing new.  Organizations have been doing GRC all along.  The issue is have they been doing it efficiently (human and financial), effectively (meeting internal and external requirements), and with the proper agility (for a dynamic and extended business environment)?  Does the approach we have been taking make sense or are there better ways to do things that bring more process efficiency?

    So - my challenge to everyone on this list.  Put the GRC acronym aside and tell me why it is a bad idea to have different silos/islands of the business to work cooperatively and collaboratively together?  That is what it is about - that is the philosophy behind it.  For those that are against GRC, please defend why risk and compliance processes and information should be trapped in silos with limited to no sharing of critical information with other roles of the business?  The only answer I can come up with the latter is to protect your turf and setup political walls in the organization.  Why should risk and compliance not share and talk together.

    I have several other things I want to comment on in relation to several posts (e.g., role of technology/software, should the C be control or compliance), but I will stop there as I want to bring this foundational point forward first for discussion. 


  1. Call it GRC or ERM! I believe that fundamentally both share a common objective which is to better safeguard stakeholder interests and optimize stakeholder value. My own work on corporate defense as an umbrella term has identified 8 critical components which constitute an organization's program for self-defense, namely the management of governance, risk, compliance, intelligence, security, resilience, controls & assurance. In order to achieve the above objective these components need to be strategically managed, aligned and integrated. As these components are interconnected, interdependent and interlinked they can all have a positive or negative impact on each other's performance. Whatever approach is used must provide appropriate status to each of these components. For more on this visit:

  1. In broad terms GRC + Strategy is what boards do or should be doing. And, again broadly speaking, GRC is what an audit committee does or should be doing within its particular functional areas as a subcommittee of the board.

  1. Sean,

    I see GRC as the umbrella term that binds all these together.  The aspects of intelligence, security, resilience, controls, & assurance can all fall under the categories of governance, risk, and compliance. 

    We have discussed this before - but I see Corporate Defense as one-sided.  Organizations need both Offensive and Defensive strategies.  GRC is about linking risk and compliance to strategy and performance.  It understands that there is reason to take risk to achieve objectives.  A defensive only posture fails to grasp this as it does not integrate and be a seamless part of the offense side of business.  This is what OCEG call's Principled Performance and is what GRC is all about.

  1. Michael,

    I respect your point of view however as you are aware we differ slightly on this.

    I believe that the integration of governance, risk & compliance was a very important step in this evolutionary process, however I see it as a step rather than the final destination. I believe that many practioners within the intelligence, security, resilience, controls and assurance components do not see their activities as being in some way subordinate to the governance, risk & compliance components and hence the difficulty in the term GRC being generally accepted outside of the compliance field.  

    There are many out there who share the traditional view that the above activities only operate in a one-sided manner. In my opinion however a holistic view means appreciating the need for an appropriate  balance, and true integration involves linking these antagonistic yet complimentary opposites so that all aspects of the business (offense & defense) are focused on the dual objectives of safeguarding stakeholder interests and optimizing stakeholder value, they go hand in hand, 2 sides of the same coin etc etc.  

    As I said before I think in principle we are both in agreement, my only concern is that the term GRC can be seen as subordinating certain other important activities. 

  1. Sean,

    Again - we agree in concept but not in approach.  Governance, Risk, and Compliance are sufficiently broad terms that they are applicable to all of these areas.  Security, controls, assurance . . . I have seen all these areas use risk as well as compliance.  No doubt about it - Governance is the umbrella of all umbrellas, there is no way around that.  It as been stated by Dave Tate in this series of posts that GRC is what boards do.  It filters on down from there.  The OCEG definition, which is the only publicly vetted definition of GRC, includes strategy and performance in its definition and sufficiently unites both an offense (strategy/performance) view and a defense (security/control/assurance) view.  

    There have been comments in this series of posts, and you reiterated it, that GRC is not being generally accepted outside of the compliance field.  I AM NOT SURE WHERE THIS IS COMING FROM AS IT IS NOT MY EXPERIENCE.  Just this past week I worked with 2 very large Fortune companies that are implementing GRC strategies that are led by risk management (not compliance).  In fact, I often see the corporate compliance department behind in its understanding and acceptance of GRC.  Most of the roles that I have worked with in a GRC strategy have been Risk (both enterprise & operational), audit, finance, and IT.  I am doing a lot of work with corporate compliance but this tends to be more educational at this point - though some have moved to implement GRC strategies.

    The view that GRC is stuck in compliance is a misperception. 

  1. Michael,

    I do not dispute that governance, risk & compliance are applicable to the other critical components (intelligence, security, resilience, controls & assurance) and vice versa (e.g. business resilience looks at continuity, security, risk, compliance and intelligence etc). As all of these areas are constantly evolving it is becoming increasingly difficult to determine where one ends and another begins.  

    In my opinion all of these components should be operating at strategic, tactical and operational levels. I agree that at a strategic level all need to be in alignment with the business strategy, and this in turn filters down to the tactical planning and operational execution levels which may also include elements of performance management and the use of technology. However my point is that in the modern era we need to appreciate that the offense and defense activities have a symbiotic relationship. So I see corporate defense management as being the process of aligning all of these components with the business end of operations. I believe the OCEG red book also attempts to address this however I believe that this is more than just governance, risk & compliance while accepting that the corporate governance umbrella could be applied to include risk, compliance, intelligence, security, resilience, controls & assurance. I just feel the term GRC is a restricting umbrella which places additional focus on risk and compliance which perhaps they do not warrant. I personally belief that intelligence, security, resilience, controls & assurance objectives are of equal importance.

    I think that too much energy is being placed on trying to expand the original scope of GRC in order to achieve our common objective and is seems to be evoking unneccessary resistance in blogs such as this one, and many others.

  1. Sean,

    I am not sure what you mean by expand the original scope of GRC.  I was one of the first to use this term and my scope has not changed and has included this all along.

    I find the term Corporate Defense more limiting in scope and applicability to the integration we both agree on than the term GRC. 

  1. Michael,

    Not much point further splitting hairs on this one. I feel that ultimately we are both trying to achieve a similar (if not quite identical) objective. Whether an organization chooses to call their program ERM, GRC, CDM or otherwise I believe they can still leverage from the good work being done in all of these areas. From an organization's perspective the objective is to better safeguard stakeholder interests and optimize stakeholder value.

    Thanks for sharing your perspective and I look forward to keeping up to speed with your own ongoing good work in this area.   




  1. I think GRC is over used and often misunderstood. That's why I avoid talking about "GRC" and speak of strong corporate governance, effective risk management, and compliance and how they must be working harmoniously to be effective.

    The "other" Marks! Ha. 

  1. Here is what governance thought guru Dr. Ted Dahms has to say about GRC. Enjoy!

    Hi all

     I, like John have tried to ignore GRC as another meaningless fad but I see it rears its ugly head again. It is a pain to have to use creative energy to debunk such errant nonsense.
    Reading the attachments to Arnold’s Email it is clear that proponents do not understand the relationship between risk, governance and compliance, i.e. the focus of risk management is not the management of risk but the achievement of objectives. My position is that risk management is the process that delivers sound governance and resilience and these conceptual linkages are fully set out in my 2008 and 2009 paper on the publications page of my website. It’s not rocket science and AS/NZS ISO 31000:2009 underpins it with simplicity and clarity.
    Standards Australia’s handbook HB 254:2005 entitled “Governance, risk management and control assurance” sets out how risk management may be implemented to provide sound governance, i.e. control assurance (I am currently revising this HB in line with AS/NZS ISO 31000:2009).
    What is called for is greater advocacy effort on our part aimed at legislators and professional bodies for groups such as directors, company secretary and internal audit. This would be designed as immunisation against mindless fads.

    continued below

  1. Dr. Dahms-continuation
    I like the Einstein quote included by John —
    “Any fool can make things bigger, more complex, and more violent.  It takes a touch of genius — and a lot of courage — to move in the opposite direction.”
    Albert Einstein
    Strangely I find it difficult to convince clients of my conceptual view because of its simplicity – they can’t believe it is that simple i.e. the linkage of risk to objectives and all the advantages that flow from that simple step.
    Kind regards
    Dr Ted Dahms
    Principal Consultant
  1. The  thing which bothers me the most about the GRC Capability Model Book is that I think it was created entirely for commercial reasons and not to fill any intellectual vacuum.

    As we already had AS/NZS 4360:2004 in place with HB 436 and now ISO 31000, ISO 31010, IEC Guide 73 and almost released HB 158 for ISO 31000- anyone reading these guides and spending time thinking about them will know and understand that the silos Michael Rasmussen refers to, will be eliminated through adept application of the principles in these documents. We have a comprehensive case on this that has been written about at the Harvard Business School. It is called ERM at Hydro One. Buy it. Read it. Treasure it. It is gold. It will stand up to any scrutiny. I am using it in my teaching and seminars. Is there one single documented case on GRC? I asked this question earlier in the e mail string and still have not received a response.

    Unlike the intellectual rigor that was accorded to development of ISO 31000, I wonder what steps were taken in development of the GRC Capability Model to ensure that there were no conflicts of interests/ self interests. Many of the sponsors and participants in creation of this document are in this business. Internal Auditors will be well advised to stay away from this and focus on continuation of development of internal audit and risk skills from proven thought leaders in this profession.

    Arnold Schanfield


  1. and words on GRC from Risk Management Guru- Felix Kloman

    Arnold:  Michael seems to see "risk" as a separate "silo" unto itself. It may be just that is some organizations, but the idea behind AS/NZ 4360 and ISO-31000 is that the mental approach to uncertainty and risk must be firmly implanted within every sector of an organization.  So, if that is the goal of GRC, I can support it. But, unfortunately, GRC seems to try and bring three pieces of a puzzle together. Governance, as so many have pointed out, is the primary responsibility of the governing board. Compliance with relevant laws, regulations and rules (external and internal) is an audit and legal responsibility. Anticipating possible futures and adapting to them is the responsibility of everyone in an organization. So lumping G and R and C together may well mislead us.

    As Frost wrote, try another path.

    I don't have Norman's blog address (or the time to monitor it!) but if you'd like to post this on my behalf, please do so.

  1. I have to say that without  good governance, risk management suffers and without risk management compliance suffers.  This is the waterfall concept I have wrote and lectured about for years.

    Moreover, if you ever do an autopsy on a failed company you will more likely than not uncover the governance process was broken. When I speak of governance I speak of communication and trust, transparency and disclosure, business practices and ethics, risk management, monitoring, boards or directors and committees, and legal and regulatory.  I also believe and teach the culture is the driving force behind ensuring the attributes I previously referred to work in a harmonious manner.


  1. I think that part of the problem with concepts like GRC is that they can obfuscate what are in essence fairly simple concepts. So rather than talking about managing risk we have ERM, IRM, ORM etc etc. One of the most important things about risk management is that it is everyone's responsiblity. That means everyone must be able to understand what it means. If you have to translate the concept before applying it I think that is a problem. When working with busy stressed teams that's a very hard sell (and if it doesn't work at the team level then I don't think it works at all) likely to be rejected. 

    Better to start with objectives (what are you actually trying to achieve) and processes (how are you trying to acheive that), and then focus on what could go wrong and what could be done better, plan how to achieve those aims plus how can you prove you are doing the right thing to an outsider. This applies at every level of any organisation, can be started easily without huge amounts of training and technology and then grown into whatever works for the organisation.

    The regimented OECG approach looks great for auditors, but I'm not sure how applicable it is for the average organisation. It's just too big and too complicated.

  1. GRC certainly represents the organisational compromises that often take place where one group or area is given all the unpleasant reporting-type duties in an attempt to reduce the burden on the rest of the business and free it up to make money.  This expedient, unfortunately leads to poor risk management, poor governance and, I am sure, poor compliance.  Better it seems to me is when risk management and compliance have separate 'champions' whose role is to encourage the business to integrate the necessary decision-support practices into their day to day activities thereby promoting good governance.  
    I am sure there are some who will say that this is the intent of GRC but I'm afraid, that message gets lost in the babble of software salesmen and those who want to peddle a new panacea for happy organisations that involves getting more for less effort.
    Colleagues, if you buy some new process or apparatus purely on the basis of the advertising or its packaging, you will often feel let down when you open the box and discover that what is inside is quite simple and ordinary that still requires a lot of diligent hard work to yield the claimed results.  This is my major objection to GRC or any other of the three letter acronyms that the market keeps inventing to re-package what is just good management practice.  There are no secrets in the box to good risk management; we've known what has to be done for years.  However, some of us would still rather buy a new box every year than put some effort into using what we already have.
  1.  ISO 31000 contains the consolidated wisdom of many 1000's of risk management practitioners, accumulated over 15 or more years.  However, it comes in a humble wrapper and there are few secrets inside:  just common sense and good practice.  Buy it once and never be seduced by fancy packaging and three letter acronyms again.

  1. After reviewing this dialogue there are several points I would like to interject;

    1) The acronym "GRC" was coined several years before SOX and COSO ERM or ISO 31000. 

    2) GRC orinigated as a way to categorize a broader set of integrated data, process, resource and application functionalities than just learning management, issue management, policy and procedure management, control management, assessment management, risk management, document management and process reporting so that business people could find solutions to help manage these activities more efficiently and effectivley and vendors could package them that way.

    3) GRC is simple term to provide a reference point for a simple concept - coordination.

    4) GRC was initially meant to be a somewhat vague set of principles or strategies that were consistent with the 7 elements of an effective compliance program as defined in the US FSG chapter 8, not a fully defined checklist of practices. This essentially was to provide a different way of operationalizing, formalizing and improving on the practice of loosley dissiminating responsibilities for risk and compliance management without really understanding who was doing what or knowing how well the company was doing at-large without adding up simply adding up losses and legal expenses.

  1. 5) The simple vaguley created term GRC has created an entire industry for associations, certifications, practitioners, consulting firms and software and hardware vendors and has been repurposed to resemble whatever form best suites the users purposes.

    6) From that sense, everyone in this discussion is correct given their perspective and point of reference that best suits them but where it really matters is in the companies that are making improvements in the level of involvement by their board and sub-committees, improved efficiencies in execution of duties, ability to meet and manage the expectations of their regulators and getting employees and other third-parties doing what is expected on their behalf in an agreed upon manner.

    7) My recommendation is to focus on being honest about what you are selling if you are a software or hardware vendor. If you sell a risk and control management application, say that - you are not a GRC solution, etc. The risk and compliance solution and service buyers in the market today are much more informed about the benefits of getting tools to solve one risk or compliance problem that can be used later to solve additional risk or compliance problems and can clearly tell the difference between tools that provide integrated solutions or just provide taegeted functionality to support a more limited set of roles.

  1. 8) Standards like COBIT, ISO 27002, ISO 31000, ITIL, etc are not precluded or excluded by coordinating across different areas of risk and compliance responsibilities under a "GRC" approach. The OCEG maturity model was put together to help provide guidance in how coordination can help simplify and improve efficiencies by taking a coordinated approach and helps a person understand where the different disciplines intersect as an aid in coordinating.

    9) There is no underlying scheme or black magic that would be revealed if someone were to play the "GRC" redbook in reverse. Everyone realizes that to govern, manage risk and manage compliance, there are many moving parts and depending on your stakeholder perspective, you will see these parts through your own personal lense - that is not a bad thing as long as you recognize that and stay open to learn and work more closely with the people that use different lenses. When that happens you have coordination - GRC.

  1. 10) At the end of the day, risk, compliance and the importance of company leadership involvement in how the company manages their behaviors and decision making, has been hieghtened exponentially over the last 10 years for a whole host of reasons - laws, regulations, law suits, and yes - the creation of ERM and GRC. This has created business and career opportunities that had not existed to this degree, ever. We can continue to debate the merits of definitions of standards and approaches or we can design, develop, sell, implement, educate, etc. practices and solutions that truly help our new age society and ourselves as individuals. The discussions are fun intellectual excersizes but don't solve any real problems and don't win any arguments. We believe what we believe based on our own experiences. What we need to do is continue to learn and keep moving forward on the journey.

    Which I would add in closing is that good governance, risk and compliance practices are a journey, not a destination.

    Best wishes to all.

  1. Brett,

    I do not wish to be condescending to you or to anyone for that matter on this exciting blog stream that has been started by the thought leader of thought leaders- our good friend Norman Marks but I read much of what you had said above and it makes little sense to me.

    You say for example "we believe what we believe based on our own experiences" Well if we believe what we believe based on only our own experiences, then we deserve what we get which is ususally nothing. From my perspective, I prefer to believe based on the experiences as well of a very smart group of folks whose names have been articulated above: Felix Kloman, Grant Purdy, Dr. Ted Dahms, John Fraser and there are some others. But these are really the giants in this field and their qualifications and experiences and publications say it for themselves.

    Reread the above quote from Albert Einstein

    Any fool can make things bigger, more complex, and more violent.  It takes a touch of genius — and a lot of courage — to move in the opposite direction.”

    That is all this GRC stuff is. Do yourself a favor and start improving your internal audit and risk management skills. Get yourself a copy of ISO 31000 

    Arnold Schanfield

  1. Arnold, you have made my point. You are fighting to find the exact words and descriptions that you find most pallatable given your perspective. I have been a chief compliance officer and have built the coordinated organizations, processes and developed and implemented technology to support them. I have also worked for a industry leading GRC solutions provider and consult and teach at a graduate level on the same topics being discussed. I am friends with many of the commentors in this discussion including Norman. If you honestly believe that ISO 31000 alone will provide the guidance necessary to help an auditor, compliance professional, regulatory affairs, risk professional, security professional, privacy professional, investigations, and the list goes on - design and implement the organization, processes and supporting technology that is needed in most complex and heavily regulated organizations today, we obviously disagree. The Albert Einstein quote you repeated is precisely what the "GRC" approach is intending to encourage - simplify the complex mess of disparate systems, processes and organizational silos to improve efficiencies, effectiveness in managing risk and compliance responsibilities.

  1. Perhaps you as well as some of the other GRC naysayers have not actually been a chief compliance or risk officer in the last 10 years. While there are many factors which comprise a successful business today, continuing to throw the management of risk and legal obligations over the fence to whomever seems most appropriate and allowing them to address them however they feel, is no longer going to give a company a fighting chance.

    Disclaimer: Some of these comments may have been exagerated slightly to express a point or perspective. Readers should not expect to see every term, alternative solution or approach expressed in this or any other guidance deveopled by any individual or group of professionals regarding industry terms, approaches, or solutions even if they have sucessfully applied them in practice or specifically or otherwise specified or indicated theory.

    Whether or not you recognize my experience and perspective as an IT Professional, a Chief Compliance Officer, an industry recognized thought leader on the subject or not, I have been in the trenches of a public company that was heavily regulated. I have worked with dozens of peers on solving real compliance and risk problems. I also monitored the creation, development and finalized publication of ISO 31000 as well as many other "industry standards". Is ISO 31000 better guidance on the subject of enterprise risk management than what "we" had previously, absolutley but, it still takes hands and feet to apply within the context of a business and it must be integrated within the culture, goals and objectives of the each respective business.

    You wouldn't happen to be a Taurus would you?

    TAURUS (April 20-May 20). It's a fine day to be oblivious to the opinions of others. It's likely you are working in a realm or manner to which few people can relate. Only a fool criticizes what he doesn't understand.

  1. All:

    The people posting here are, by and large, people I know personally and for whom I have respect. The opinions they express are the result of experience, as practitioners and consultants for many years.

    Please give others the respect they are due. No more personal attacks or disparagement.

    My ask is that each of you listent to each other's opinions and comments and respond the way you would like them to respond to you.


  1. “Men and nations behave wisely once they have exhausted all the other alternatives.”
    - Abba Eban (1915-)

    Norman, thank you for bringning up this point.

    My applogies to Arnold and the rest of the group if I overstepped professional boundaries.

  1. Brett

    If you send me your private e mail, I will be pleased to continue discussion offline. 



  1. Arnold,

    OCEG is a 501(c)(3) public charity. We are not controlled by any consulting or software firm.  Anyone can register at to become a free basic member and use our resources, participate in polls and attend free webinars. Six pages in  front of the  Red Book list everyone who helped to write it. The majority of these people are senior inhouse business executives. Others areleaders from PRIMIA, COSO, The Conference Board, the U.S. Sentencing Commission, universities and other organizations. The committee for version 2.0 was chaired by these four esteemed individuals:

    Mr. Larry Harrington, CPA, CIA
    Vice President, Internal Audit, Raytheon Company (Professional Issues Committee – IIA)
    Mr. Brad Jewett
    Vice President, Enterprise Risk Management, BMC Software (Formerly during this process - Director, Enterprise Risk Management, Microsoft Corporation)
    Mr. Scott Roney, Esq., 
    Vice President, Compliance and Ethics, Archer Daniels Midland Company
    Mr. John Steer
    Partner, Allenbaugh Samini LLP (Vice Chair US Sentencing Commission, 1999-2007)    



    History of  OCEG’s GRC Capability Model
    Spring 2003 – OCEG Executive Advisory Board discusses the need for guidelines to improve ability to see organization’s risk and compliance profiles and information flow to governing authority.
    Summer 2003 – Invites to  wide range of individuals with expertise in risk management, compliance, internal and external audit, finance, and other relevant disciplines to join a Steering Committee to draft  the OCEG Foundation guidelines.
    Fall 2003 – Fall 2004  - Steering Committee drafted Foundation. Several meetings (several days in length) as well on online sessions.
    Winter 2004 - Initial draft  distributed to about 200 reviewers and changes made by the Steering Committee.
    Spring 2005 - OCEG released  “Application Draft” for use in organizations and for public exposure and comment.
    Fall 2005 - Beta test in six companies (Dell, Archer Daniels Midland, Staples, Wachovia, Qwest, Gevity) with gap analysis of Foundation practices compared to company practices, assessing the value of the approach. 
    2006 – Continued feedback on Application Draft and revisions by Steering Committee
    Spring 2007 – OCEG released v. 1.0 of the OCEG Foundation
    Summer 2007 – Expanded Steering Committee and additional committees formed to begin v. 2.0 (renamed the GRC Capability Model).
    Fall 2007 –Fall 2008 – Committees met several times to prepare a public exposure draft (released in August 2008) and review final changes
    April 2009 – OCEG published v. 2.0
  1. Carole,

    If you wish to discuss this off line, I will be pleased to do so.  Please reach out to me.But the one comment I will make is that I stand behind all prior comments on this subject matter above. GRC was not needed given what we already have out there and in the end analysis does not fill any intellectual void.


  1. I will be writing over two or three comment boxes:

    I feel I ought to be staggered by the tone of some of the comments on this blog, but unfortunately I am not. I am constantly disappointed that the ISO Taleban are unable to debate in a civilized manner the pros and cons of alternate articulations of important business issues. ISO has NOT uttered the last word on risk management. They have not produced an eternal truth that stands equal to the great eternal books produced by mankind. It is but a high level sysnthesis of current thinking led by a comparatively small group. It is subject to national lobbies each of which seeks to influence - quite correctly, that is what the ISO organisation is all about - and it is not a pure play intellectual thought leadership piece. It has some inconsistencies, illogicality and some downright daftness. However, if anyone dares to utter criticism, the ISO Taleban seek to shut down criticism, or even discussion, saying that ISO31000 is a perfect articulation of risk management.

    I beg to differ: it is one articulation of risk management. As Professor John Adams of UCL said of Turnbull (an other, but even more flawed articulation of risk management) it is no more than a Rohrschach blot: interpet into it what you already believe. There are more ways to implement ISO31000 than you could shake a stick at, and many of them would be just plain wrong, non-sensical and empty headed.

  1. Page 2

    To suggest that Risk Management and ERM are the summit of intellectual thinking for management and they need do nothing else is arrogant tosh. I have been writing on, consulting on and generally involved in this space for a long time as well. I simply do not believe that everyone else should be below me because I am involved in ERM. There is a lot of empty-headed nonsense involved in a lot of risk management right now. Risk matrices are often dangerous, and whether or not they are explicitly included in ISO31000, you will find plenty of ISO31000 compliant companies who use them. ISO31000 is largely silent on risk appetite (OK the Taleban use a slightly different term then MIGHT be interpreted as Risk Appetite, but sorry guys: in the anti-Orwellian spirit of 1984 you cannot control my language). ISO31000 does little to move companies away from a version of risk management that is prevalent right now which is the form that is at best data-lite, and at worst data-vacuous.

    The ISO Taleban would do their cause much more good if they occasionally shut up and listened to others, many of whom have helpful innovations and thoughts to bring to the subject.

  1. 3rd and last page

    For what it is worth, I would also like to reject out of hand the depiction of my friend Carole Switzer as portrayed in some comments. I have not known her for very long, but I regard her as thoughtful, insightful and providing great leadership in an important area.

    The bottom line as far as I am concerned is that I don't much like the "C" in GRC. But "G" is much, much broader than "R". I would prefer to use the term Assurance for the compliance bit, but I know that does not translate across the Atlantic. For goodness sake, the petty vindictiveness in some of the comments we have seen on this discussion depresses me beyond all measure. Get past the language, debate the issues and let's do what we all want to do, which is help to improve organisational performance and resilience for the benefit of society at large.

    Kind regards, including to my friends in the ISO Taleban (who have also objected to criticisms that I and my BS31100 friends have made of ISO31000). Let's try and move this subject matter forward.


  1. "The only thing a non-conformist hates more than a conformist is another non-conformist who doesn't conform to the prevailing standard of non-conformity." - Unknown

    We are all trying to break new ground here but at the end of the day we all share the same broader objective which is to better safeguard stakeholder interests and optimize stakeholder value.

    It will be far more difficult to get others to accept our message of the need for organizational silos to collaborate, share information and work together in harmony if we cannot first apply such a message in practice among ourselves.

    Surely it is in all our best interests to move this message forward with a united front.

  1. Well stated Sean. 

  1. I'm not sure if Richard thinks I'm a member of the Taliban but I believe that there are still parts of ISO 31000 that require improvement.  No code can be perfect and one produced through a process of international consultation and collaboration will always involve compromise.

    However, I do respect that a document produced, not by the 30+ representatives on the ISO working group, but by 100's of their colleagues on mirror groups with the input of 1000's of other contributors over a 5 year period, should have some credibility and respect.  Britain always fielded three delegates (unlike Australia!) to the ISO working group and the present ISO standard reflects in no small way the views of BSI and the British mirror groups.

    For the record, Australia and New Zealand supported Britain in arguing for risk appetite to be retained in ISO 31000.  However, the middle Europeans argued against it and their term 'risk attitude' was adopted instead.  Compromise is inevitable in standardisation.

    It is a shame that BSI jumped the gun and published BS 31100 based on an early draft of ISO 31000.  If it had waited, then Britain would now have one, not two risk management standards.

    I hope that as we start to think about the revision of ISO 31000, we can build upon our practical experiences in implementing (rather than talking about) ISO 31000, BS 31100, etc. so that the next version reflects our learnings rather than our theories.

    Osama bin Purdy

  1. My sense is we get too tangled up in the semantic debate and lose sight of the real issues sometimes - this discussion stimulated me to start a long postponed blog - Thank you ! My thoughts at


Leave a Reply