June 04, 2008


Michael Rasmussen

Burton Group - you have it wrong. GRC is not about a single role or group in the organization but an approach to providing a common infrastructure and collaboration across roles for GRC.

Organizations Embrace GRC Principles
The Governance, Risk, and Compliance (GRC) market is in significant momentum as organizations embrace collaboration across silos of GRC and generally recognize that something needs to be done. However, defining GRC can be difficult, is often misunderstood, and organizations struggle to grasp where to start.

The following standard definitions are used to define the components of GRC:

Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed.
Risk is the effect of uncertainty on business objectives; risk management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events.
Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.

GRC is About Organizational Collaboration
GRC is more than a catchy acronym used by technology providers and consultants to market their solutions – it is a philosophy of business. This philosophy permeates the organization: its oversight, its processes, and its culture. It is about individual GRC roles across the organization working in harmony to provide a collaborative view of governance, risk, and compliance. It is about collaboration and sharing of information, assessments, metrics, risks, investigations, and losses across these professional roles.

Organizations are approaching GRC to get an enterprise view of risk and compliance with a specific need to identify interrelationships in today’s complex and distributed business environment. This requires that GRC initiatives involve a federation of professional roles – the corporate secretary, legal, risk, audit, compliance, IT, ethics, corporate social responsibility, finance, quality, environmental, health and safety, line of business, and others – working together in a common framework, collaboration, and architecture to achieve:

1 - Sustainability. Organizations demand a sustainable process and infrastructure for ongoing risk and compliance processes that are becoming more onerous. Further, organizations need to sustain their risk and compliance management practices on a continuous basis as business is changing rapidly – point in time assessments are no longer good enough.

2 - Consistency. Organizations require that multiple roles in the organization start working together in an integrated framework. Business roles of governance, risk, and compliance need to understand how their roles fit into the big picture. GRC is getting everyone to play out of the same playbook.

3 - Efficiency. The line-of-business is fighting back because of redundant assessment and audit processes looking for similar information for different purposes. GRC aims to ease the burden on the business by leveraging common processes, assessments, and information.

4 - Transparency. Business demands transparency across key performance and risk indicators so they can monitor the organization's health, take advantage of opportunity, and avert or mitigate disaster. Corporate performance management is tightly related to risk management.

Trent Henry


Thanks for your comments. In our observation, vendor messaging around "GRC" tools is not in keeping with what you're saying. First, I think you are claiming that "GRC" is a framework or philosophy for better communication across an organization. But I'm having trouble reconciling that claim with your document's proposal that GRC is a market. As you well know, one reason we as an analyst community try to categorize things is so that clients can more quickly shortlist a potential set of solutions for a given business problem. Not perfect, by any stretch, but helps to limit scope of investigation. The problem with "GRC" is that a massive number of vendors has glommed on to the term, rendering it unhelpful as a market- or product-category definer. Second, the "enterprise view of risk" that you describe is actually something that Burton Group advocates. We just happen to think that "GRC" gives a false sense of progress in this area. In fact, because of the market confusion, "GRC" has created the very silos we'd like to see avoided: "IT-GRC," "audit GRC", "enterprise GRC," "operations GRC," etc.

Carole Stern Switzer

Luddites Live Again
As the President of the Open Compliance & Ethics Group (OCEG), the only non-profit think tank dedicated to helping organizations design and implement GRC systems (and by that we don't just mean technologies), I have followed this thread of discussion with great interest. It seems to me that those who criticize the concept of GRC are just missing the point.

GRC is not a dashboard, a technology solution, or a buzzword for compliance at all cost. Nor is it just ERM on steroids, as some would say. Nor is it a fad - just another acronym to drive consulting engagements.

GRC represents a paradigm shift in approach to business management and governance of an enterprise. It is a philosophical and structural view of how an enterprise can use its resources (human, technological and financial) to ensure that the organization meets its objectives while staying within the boundaries set by both law and choice of the board and the C-suite.

GRC is about ensuring that the organization has clearly established objectives and the means to meet those objectives efficiently and effectively - identifying risk and ensuring compliance with both external requirements and internal policies and procedures. It is not just about ensuring compliance; it is about achieving what OCEG calls Principled Performance.™

The IT tools being created to help in that effort - the GRC solutions or parts thereof -- are an essential piece of this puzzle but they are not the puzzle.

Having integrated GRC requires establishing the strategy, controls, policies/procedures, measures AND technologies to ensure that consistent and accurate information flows up, down and across the organization, enabling true governance.

Without an integrated approach to risk, consistency of approach to compliance efforts across silos, and an ability to gather and parse the same information for multiple purposes, it's not "good governance", it's only guessing governance.

OCEG began to drive the discussion about integrated GRC and develop the process model that details GRC structure more than 5 years ago. This discussion and process predated any development of IT solutions for GRC management.

Since then, hundreds of experts (legal, audit, risk, compliance, ethics, finance, quality, IT, and others) have contributed to creation and ongoing refinement of the OCEG Framework and thousands more have reviewed it when in public exposure drafts and used it since it became final three years ago.

Next month, OCEG will be releasing Version 2.0 of its GRC Capability Model, which is at the heart of the OCEG Framework. Anyone registered at oceg.org can download Version 1.0 of the Red Book and will be notified when Version 2.0 is available for review and comment.

To close, I have to note that OCEG, through the work of our Technology Council, has been developing an IT for GRC Blueprint that indicates over 80 categories of solutions that support various aspects of GRC. Those who refuse to see that an integrated GRC approach is a positive maturation in business management and governance that must and will be served by ever evolving technologies are simply the Luddites of our day.


Good, here they have given some idea of GRC and discussed its components.

But my known definition about GRC is, "Governance, Risk Management, and Compliance or "GRC" is an increasingly recognized term that reflects a new way in which organizations can adopt an integrated approach to these three areas. However, this term is often positioned as a single business activity, when in fact, it includes multiple overlapping and related activities within an organization, e.g. internal audit, compliance programs like SOX, enterprise risk management (ERM), operational risk, incident management, etc."

