
Integrated GRC

GRC Resource intentionally emphasises the term “Integrated GRC”. Why is this done?

“In itself GRC is not new. As individual issues, governance, risk management and compliance have always been fundamental concerns of business and its leaders. What is new is an emerging perception of GRC as an integrated set of concepts that, when applied holistically within an organisation, can add significant value and provide competitive advantage.” PricewaterhouseCoopers (2005): 8th Annual Global CEO Survey. Bold Ambitions, Careful Choices. p. 3

Moreover, Integrated GRC does not only combine the business topics of Governance, Risk & Compliance (and many more), but also different technologies such as business intelligence, real-time applications and ERP systems. In the overall picture of Integrated GRC, a company’s GRC strategy is linked to GRC-relevant processes controlled through information technology.

GRC Definitions

So far there is no commonly accepted definition of “GRC”. Racz et al. (2010) suggest a short definition that they based on an extensive GRC literature review and validated in a survey among GRC professionals. Their definition is the only scientifically derived definition for GRC.

“GRC is an integrated, holistic approach to organisation-wide governance, risk and compliance ensuring that an organisation acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness.” Racz, N., Weippl, E. & Seufert, A. (2010): A frame of reference for research of integrated GRC. In: Bart De Decker, Ingrid Schaumüller-Bichl (Eds.), Communications and Multimedia Security, 11th IFIP TC 6/TC 11 International Conference, CMS 2010 Proceedings. Berlin: Springer, pp. 106-117.

The GRC industry – software vendors, consultants, technology market research and other organisations – has suggested a myriad of different definitions. The quotes below should give readers an idea of the different viewpoints on what GRC actually is.

“The purpose of GRC is to provide sustainability, consistency, efficiency, and transparency for the multiple GRC processes in the organization. This is achieved by encouraging collaboration among the roles responsible for GRC (e.g., corporate secretary, corporate compliance, enterprise risk, audit, IT, line-of-business, investigations, legal) as well as leveraging a common framework and technology infrastructure.” Michael Rasmussen (2007)

“To be clear, there are substantially more processes than governance, risk and compliance playing critical roles in GRC. But 13-letter acronyms rarely catch on.” Mitchell, Scott L. (2007): GRC – More than three letters. OCEG GRC 360° Blog.

“Whereas ERM is more a methodology for managing the entire spectrum of risk, GRC is more a technology platform for illuminating governance and compliance risk. ‘It’s useful to think about GRC in terms of an IT platform,’ Lam says. ‘The technology helps you centralize and organize your policies, procedures, documentation requirements, risk assessment analyses and other content [for] dashboard reporting.’” Banham, Russ (2007): Is GRC ERM? Or Vice Versa? Treasury & Risk, Jun 2007, pp. 48-50.

“GRC is more than a catchy acronym used by technology providers and consultants to market their solutions – it is a philosophy of business. This philosophy permeates the organization: its oversight, its processes, its culture. Ultimately, GRC is about the integrity of the organization [...].” Corporate Integrity, LLC (2007): What is GRC?

“Governance, Risk, and Compliance or ‘GRC’ is an increasingly recognized term that reflects a new way organizations focus on and manage an integrated approach to these three areas.” Wikipedia (as of 01/02/2008): Governance, Risk Management and Compliance.

Lee Dittmar (Deloitte Consulting LLP) takes a more pragmatic view of the discussion about the definition of GRC:

“Demystifying GRC is not really about precisely defining the term GRC, per se, and it is not about dissecting the ‘G’, the ‘R’, and the ‘C’. It is about understanding the underlying business issues that gave rise to the widespread use of the term and that are discussed by most commentators on the topic. [...] Don’t get hung up on the alphabet soup or the definitional debates.” Dittmar, L. (2007): Demystifying GRC. Business Trends Quarterly, Q4 2007.

White Papers