GRC vs ERM vs IRM vs Connected Risk vs ORM vs SRM vs TPRM……


Do all these acronyms make you want to run and hide?

Do they help anybody understand and then implement effective processes and practices for managing risk?

Does it make sense for a risk officer to call themselves a GRC person? How about an audit, compliance, InfoSec/cyber, or risk practitioner? Are they all GRC practitioners?

What is a “GRC function”?

Let me see if I can make some sense of the technobabble.

I will start with GRC and then move on to ERM, IRM, and CRM before touching on ORM, SRM, TPRM, and the rest.


This is how Google’s AI answered the question, “what is GRC?”

GRC stands for Governance, Risk, and Compliance. It represents an integrated approach to manage an organization’s operations, ensuring they align with strategic goals while addressing risks and adhering to regulatory requirements. OCEG, a non-profit think tank, is known for pioneering GRC as a unified framework. [1, 2, 3, 4]

[1] https://www.workiva.com/resources/what-is-grc-governance-risk-compliance

[2] https://crmsindonesia.org/publications/grc-governance-risk-management-compliance-a-set-of-capabilities-for-embracing-esg-towards-sdg/

[3] https://www.oceg.org/

[4] https://www.oceg.org/solutions-council-join/

You can debate who invented the term, but it was probably either Scott Mitchell of OCEG or Michael Rasmussen (an…
