In 2008, SAP asked me to take a leadership position in speaking about GRC. I was ready for a change, as SAP had acquired my company (Business Objects, where I had led both internal audit and risk management as a vice president). While I had been offered an interesting opportunity in a risk management role with the company, I was less than enthusiastic about it.
I had enjoyed speaking at IIA and other conferences and seminars over the years, and the idea of making that a full-time job was appealing. But first I had to find out what they meant by GRC.
What Is GRC?
In all my years as a risk and audit executive, I had never heard about it.
I knew what governance, risk and compliance were individually, but I was unfamiliar with the GRC acronym and unclear why people wanted to combine three separate activities into a single expression.
SAP had a suite of programs it called GRC. But they were limited to tools to help manage user access to its ERP, maintain trade compliance (I make no comment on its own recent trade compliance problems), perform risk management and comply with SOX. It also had a strategy management solution, but it was managed separately without integration into the "GRC" solutions.
SAP also had a GRC department that focused on risk management, SOX compliance testing, and high-level information security oversight. The senior vice president of GRC also chaired its policy management committee.
None of these situations answered "what is GRC?" in a way that made sense. Why combine the three?
The answer appeared in the work of the Open Compliance and Ethics Group. Its definition: "GRC is the capability, or integrated collection of capabilities, that enables an organization to reliably achieve objectives, address uncertainty, and act with integrity; including the governance, assurance and management of performance, risk, and compliance."
In other words, it is about achieving objectives — together.
While this makes business sense, it is not accepted by everybody. In fact, when I did my own study of what GRC meant, I found a useless plethora of definitions and understandings, which led me to write and speak about the fact that GRC should stand for: Governance, Risk Management and Confusion. Also noteworthy is the fact that the "G" in GRC was silent in most cases, because few if any GRC departments and even fewer GRC “platforms” have functionality to help those with a governance role: the board, executive management team, legal, strategy, and so on.
Related Article: Information Governance Is Boring But Necessary
The State of GRC Over 10 Years Ago
I first started blogging about this in 2009 (when I was in my new role at SAP). I closed that post with (emphasis added):
So, what does this all mean? I believe that there is so much talk about GRC that we can't ignore it. Instead, we need to:
- Recognize there is no common definition of GRC and ask everybody who uses it just what do they mean.
- Instead of talking about GRC processes and applications, talk about the real business process problems in the enterprise.
- When assessing applications from so-called GRC vendors, realize that each has a different definition of GRC and focus on the real business process needs you have. Don't allow the fog of GRC to get in the way.
- Recognize that the assessments of the market and solutions by analysts like Forrester Research and Gartner are based on their own (different) definitions of GRC. The components they include may not all be as important to you as they have assumed in rating vendors' solutions.
The bottom line, for me, is that we should not allow the buzzword of GRC to divert us from assessing what is needed in our business. Just because somebody includes a functionality in their "GRC platform" does not mean we have to.
In a second post, I suggested a common English variation of the OCEG definition:
I like to think of GRC as how a company is managed and directed to achieve the strategies and goals of the stakeholders, considering risks and staying within compliance boundaries of applicable laws and regulations.
I could have said it even more simply: it’s effective, thoughtful, management for success.
Related Article: Are You Too Risk Averse?
The State of GRC Today
Have people learned in the dozen years since?
I don’t think so.
People call themselves GRC professionals who don't have any responsibility for governance activities. For the most part, they seem to be risk practitioners, compliance professionals or internal auditors. Few have more than one part of GRC in their job description.
GRC Is Not a 'Supporting Function'
PwC recently published "Next generation digital GRC." Does it understand and have a useful way of talking about GRC? Look at how it starts, with a quote from its Asia Pacific leader: "Throughout the last decade, the concept of governance, risk and compliance has been viewed as a supporting function. However, more than ever, businesses are evolving to respond to shifting market dynamics, new digitally enabled competitors and changing customer expectations. Addressing these emerging challenges requires companies to rethink how to integrate GRC in order to build trust and enhance their market competitiveness. Otherwise, businesses cannot successfully manage rising uncertainty, complexity, and ambiguity around today’s regulatory and geopolitical environments."
GRC should not be considered a “supporting function,” it is how you manage for success. This is a pure sales pitch in my opinion. If this is your idea of GRC, I will let you read the PwC piece but I am not going to excerpt anything more here.
The value of thinking about GRC is, as I have said before, that it makes you ask how everybody is working together to achieve success.
Who Is a GRC practitioner?
The clearest answer is the CEO. He or she has all the dimensions of G, R and C.
But another answer is that instead of only people who have all of G, R and C, it's anybody who has at least one part of that combination. That means pretty much everybody is a GRC practitioner.
Or is it just a silly expression? Should we instead talk about risk practitioners, compliance professionals, internal auditors, strategic planners, attorneys, board members, information security personnel, and so on? In other words, focus on what people are responsible for rather than tagging them with an expression that signifies nothing?
I welcome your thoughts.