One of my pet peeves in the GRC space is the misuse of words.

I frequently have vendors come to me and tell me that they are an enterprise risk management solution – when in fact it is obvious that what they are doing is something specific like IT risk management. My response to these vendors is to listen patiently and then ask them. . .

“you state you are an ERM solution/platform. What you have demonstrated to me is IT risk management – can you now show me how you help manage credit risk, foreign exchange risk, or perhaps many of the other domains of operational risk such as quality or supply chain risk management?”

The response is typically puzzlement and then lights go on – they retrench and understand who and what they are about. They a fresh perspective on the broader GRC.EcoSystem that they have been largely ignorant towards.

Another misuse is the use of terminology.

Currently I am at the SAP GRC 2008 conference. One product I saw demoed had a heat map that had one axis labeled probability. What they were displaying was not probability – it was likelihood. Probability is a mathematical representation of a chance of occurrence represented between 0 and 1. The product was displaying issues on a heat map with red, yellow, and green fields to represent risk levels – this is not probability. Look it up for yourself – the definition for probability is in ISO/IEC 73 which is the definitive ISO definition standard for risk management.

I have seen risk managers/officers throw vendors out of a selection process because they misrepresent what they do (inadvertently or maliciously) as well as misuse terminology. The mindset is that the vendor must not really understand risk management if they do not misuse terminology.

The misuse of terminology is not limited to vendors – professionals in general can be sloppy in the use of terms.

Part of the problem is having a good source of definitions that we can all agree with. One area that this is being worked on is within the Open Compliance and Ethics Group ( There is a committee within OCEG that is working on the GRC Taxonomy – a reference source of definitions for governance, risk, and compliance. If you are interested in working on this – please contact me ([email protected]).

In the meantime, let’s all work hard to make sure we know what we are talking about.

Leave a Reply

Your email address will not be published. Required fields are marked *