It has been nearly four years since I originally defined the GRC market for professional services and technology solutions. While PricewaterhouseCoopers was the first (to my knowledge) to use the acronym GRC, I was the first industry/market analyst to define a market for products and services and call it “GRC.” In fact: I have been referred to as the “Father of GRC”.
A New Year combined with starting my own company – that provides strategic direction in governance, risk, and compliance – has allowed me to wipe the slate clean and redefine the GRC market landscape.
However, I first need to get on my soapbox and list some grievances:
- GRC is not exclusively about technology! What a buzz I have created – every software vendor in the world seems to be defining a GRC market message. The issue is that there is a growing perception that GRC = technology. My formula, however, would be GRC > (is greater than) technology. A solid GRC strategy will contain a technology enablement, but GRC is bigger and broader than just what technology can provide.
- GRC is not exclusively Sarbanes-Oxley! Another trap GRC falls into is that individuals equate it with SOX. GRC is not just about solving SOX compliance issues. GRC strategies may get off the ground in a company with SOX – but it needs to have a broader vision to be truly GRC.
- GRC is not exclusively about enterprise risk management (ERM)! ERM is an important part of GRC, but ERM is just one leg of the three-legged stool. ERM is about measuring and monitoring risk across the enterprise. This may include, among many other areas, governance-related risk as well as legal and compliance risk. However, GRC is broader than ERM in all that it ties together.
- GRC is not about a single role owning all things GRC! There is no Chief GRC Officer – at least none that I am aware of. GRC is about multiple roles in the organization working together – collaborating – to provide a holistic and integrated approach to GRC that includes the Corporate Secretary and Board of Directors and dives down into the weeds of quality, health & safety, security, etc.
To further explain – GRC is about collaboration between roles in the organization who share information, integrate frameworks, and provide reporting on GRC issues in order to get the big picture of what the organization is up against. Organizations implementing GRC strategies continually tell me they are aiming for four benefits to the business:
- Sustainability. Organizations demand a sustainable process and infrastructure for ongoing risk and compliance processes that are not going away.
- Consistency. Organizations require that multiple roles in the organization start working together in an integrated framework.
- Efficiency. The line-of-business is fighting back because of redundant assessment and audit processes looking for similar information for different purposes.
- Transparency. Business demands transparency across key performance and risk indicators so they can monitor the organization’s health, take advantage of opportunity, and avert or mitigate disaster.