Why is GRC an Important Topic?
In May, I wrote about the fact that there is no commonly accepted definition of GRC. While it is understood that the acronym stands for Governance, Risk Management and Compliance, each consultant and vendor — to the consternation of practitioners — seems to use a different definition to explain the meaning of GRC. As important as defining GRC is the question, "why talk about it at all?"
Defining GRC
I suggested the definition developed by the Open Compliance and Ethics Group (OCEG). In its GRC Capability Model, Red Book 2.0 (April 2009), OCEG defines GRC as a “system of people, processes, and technology that enables an organization to:
- Understand and prioritize stakeholder expectations.
- Set business objectives that are congruent with values and risks.
- Achieve objectives while optimizing risk profile, and protecting value.
- Operate within legal, contractual, internal, social, and ethical boundaries.
- Provide relevant, reliable, and timely information to appropriate stakeholders.
- Enable the measurement of the performance and effectiveness of the system.”
The definition can perhaps best be summarized as how an organization understands stakeholder expectations and then directs and manages activities to maximize performance against those expectations, while managing risks and complying with applicable laws, regulations and obligations.
Putting it even more simply and focusing on the essence of GRC, it's how you run the organization to optimize results. To do this on a sustainable basis, you must manage risks and ensure compliance.
I prefer this definition for a couple of reasons:
- It has credibility, as it is independent from any single vendor or service provider. It was developed by a team with representatives from practitioners working within organizations as well as software vendors and business consultants. (Full disclosure requires that I tell you SAP is a charter member of OCEG, and I am an OCEG Fellow).
- GRC is not about technology. It is about certain business issues common to organizations of all forms (public and private, for-profit and not-for-profit), in all industries and in all geographies. This definition takes that business perspective.
(Editor's Note: You can read more on the topic of GRC from Norman Marks, starting with What is GRC?)
Why Talk About GRC?
There are two primary reasons why a discussion around GRC has value.
1. The Inter-relationship of Governance, Risk Management and Compliance
Leadership at OCEG talks about something they call “Principled Performance”.
Principled Performance™ is a management discipline that enables an organization to clearly define its principles and goals, determine how it will address risks and uncertainties, and grow and protect value. Achieving Principled Performance™ demands the clear articulation of objectives and the methods by which you will establish and stay within mandatory and voluntary boundaries of conduct while driving toward those objectives.
They have linked the drive towards optimized performance to the management of risk, while emphasizing the importance of remaining in compliance with laws, regulations and society’s expectations for conduct. Who can argue with the view that an unbridled focus on rewards, without consideration of risks and obligations, is unacceptable — and unsustainable in the long term?
The need to relate performance, risk and strategy is further illustrated by several problems that became evident during the financial collapse and economic crisis: