Everybody is still talking about GRC

Anthony Pugliese (President and CEO of the IIA) said in a recent webinar that GRC stands for Governance, Risk Management, and Compliance-slash-Control.

I am sure he said that because the IIA has the C meaning Control while the rest of the universe has C for Compliance.

This is just one of the reasons that I say that GRC actually stands for Governance, Risk Management, and Confusion.

Initially, I coined the phrase because every software solution provider that touts a GRC package has different functionalities. Add to that the issue of whether it’s about Control or Compliance.

I also heard about a caller into the SAP help desk who asked about the company’s “GRC products”. The SAP employee asked which ones the caller was interested in, as SAP at that time had an SAP GRC solutions line that included Risk Management, Access Control (often incorrectly referred to as “SAP GRC”), Trade Compliance, and Process Control. They also had a Strategy Management solution that was not included in their GRC line (even though it is fundamental to GRC capabilities – as explained momentarily).

The caller replied, “You know, GRC.”

The employee didn’t know what he wanted, or what GRC meant in practice.

Most people don’t know what GRC means. I don’t mean what the acronym stands for; that is sort of clear. But…
