I joke about what GRC means. Apart from the IIA (who talk about governance, risk, and controls), everybody knows that the acronym stands for Governance, Risk Management (or ERM), and Compliance.
My joke is that it really stands for governance, risk management, and confusion. The confusion is because while people may be able to explain the parts, they find it difficult to explain the meaning of the whole – why the three are combined and whether that combination is more than the sum of the parts.
OCEG has the only useful definition in my opinion. The latest version, which you can explore here, is:
GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity
I surveyed people on this blog in 2011 and shared my thoughts as well as what I heard back in this post. Here is how I closed the article:
So what does this all mean?
I like what Lee Dittmar of Deloitte said:
In the complex and constantly changing sea of acronyms, abbreviations and other abstractions, there is one that is simultaneously met with affirmation and apathy, confirmation and confusion, and recognition and rejection.
CFO.com published an article on demystifying GRC that said it was:
An academic definition of the word ‘mess’.
I still hold to the…
