The Open Compliance Ethics Group (OCEG) has published the results of its 2020 GRC Maturity Survey, written by my good friend Michael Rasmussen. In full disclosure, Michael and I are two of the original three OCEG Fellows. This is an unpaid honor, apparently (in my case) for my thought leadership around GRC.
In fact, I have been writing about GRC for over a decade! For example, in 2009, I wrote Is there value in talking about GRC?
I believe the OCEG definition of GRC is the only one that makes any sense. Theirs is the only explanation of the value and meaning of combining the separate practices of governance, risk management, and compliance. In fact, for most so-called GRC discussions and solutions, the G is silent! Governance is not addressed (and it extends far beyond internal audit and ‘risk governance’ to include all board activities, strategic planning, performance management, legal, and more.)
In the latest OCEG report, Michael quotes the official and current OCEG definition of GRC:
“GRC is a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and act with integrity [compliance].”
He has also modified it slightly to emphasize the need to integrate multiple functions and avoid siloed operations.
“GRC is the integrated collection of capabilities…
