Does It Make Sense to Discuss GRC?
Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.
My good friend, Michael Rasmussen, is perhaps the father of the term GRC and styles himself as the GRC Pundit. He has an excellent website that I wholeheartedly recommend, and one of his latest posts is on the subject of 2013 GRC Drivers and Trends.
But while I agree with the definition and the notion that performance is only optimized by orchestrating and integrating the consideration of risk and compliance with governance and management, I am far less sure that it makes sense to spend much time talking about GRC.
I think it only makes sense to talk about GRC when you are talking about breaking down the silos of risk management, compliance, and governance (which includes strategy-setting and performance management).
In order to have a “GRC problem”, where the problem is a lack of integration and coordination, I think you need a somewhat mature set of individual processes for risk management, compliance, strategy, and performance management!
Most organizations are less than mature in at least one of those areas.
So, while I understand the GRC term and concept, I would prefer most organizations and their management teams, at all levels, to stop thinking about GRC and focus on their business process problems in:
- Strategy-setting and communications
- Performance management
- Business information and communications
- Risk management
- Compliance management
- Information security
I welcome your views and comments.
Posted on Apr 14, 2013 by Norman Marks