I had the privilege of first speaking and later serving on a panel at the Institute of Internal Auditors International Conference earlier this month, held this year right here in the U.S., in Atlanta. The panel moderator asked what I thought was a particularly interesting question – “GRC is an acronym used by many but with many different meanings; what does GRC mean to each of you?” I’d like to share my response, which went something like this.
Thinking back some years, it seems the term GRC, standing for governance, risk and compliance, came about from the management consulting world, with technology firms and others quickly picking it up. The term has served a purpose in communicating available services and software solutions. At the same time, there wasn’t anything called a “GRC” unit in businesses then, and still aren’t today. And while the term sometimes is used by compliance officers, risk officers or internal audit personnel, it’s seldom used or readily understood by line executives or board members.
As for what GRC means, to me it’s a combination of related though somewhat disparate concepts. The term “governance” traditionally has been used in context of a company’s board of directors. A definition I particularly like is “the allocation of power between the board, management and shareholders.” But of course the term now is used by many professionals to encompass what senior management does to run a company, and indeed even referring to activities downstream in the management ranks. The “R” is for “risk management,” and that term is used in many different ways, from a simple risk assessment to a full-blown enterprise risk management process. And “compliance” initially was applied to adherence to applicable laws and regulations, though many users now also include adherence to internal company policies as well.
I mentioned “disparate” because GRC isn’t really one end-to-end process that companies employ. And while the elements of GRC can be related to a company’s strategic and other business objectives, they in fact relate to activities and processes at different levels of an organization. Indeed, from a technical perspective we can say that there’s overlap, in that risk management can and should be designed to address compliance as well as other categories of objectives.
What’s important in my mind is not necessarily to try to put the genie back in the bottle by getting everyone to use these terms in the same way, because that’s just not going to happen. Rather, we need to be sure when we use the terms in our organizations that we’re very clear as to exactly what we mean.
© Steinberg Governance Advisors, Inc. 2010. The information presented here does not constitute legal or any other type of professional advice. Companies are encouraged to consult legal counsel concerning their responsibilities for legal and regulatory compliance.