10 Years of Progress | Norman Marks on Governance, Risk Management, and Audit

It's 10 years since my first blog post in December 2009; Is there value in talking about GRC? remains a relevant question, especially as so many vendors put a GRC label on their software. I've written about GRC 97 times since then.

But, thankfully, most practitioners have moved on to focus on those elements of GRC that are meaningful to them rather than trying to implement software for “GRC”. Depending on their role and responsibilities, that may mean risk management, compliance, internal audit, information security or cyber, etc. Sometimes, but not always, one software solution will be the best choice for several areas; but almost never will it be the right choice for every area of GRC.

Of my 689 posts (not including this one), the most viewed is from 2011, Just what is risk appetite and how does it differ from risk tolerance?, which has been viewed a massive 69,617 times (10% of which were in 2019).

But I want to talk about progress in practices since that first post. These will just be highlights.

Risk management

While the great majority of practitioners continue to follow traditional practices (such as developing a list of top risks that is reviewed periodically, perhaps on a heat map), an increasing number recognize that this is a failing practice and have moved on. They recognize that risk management…