Integrated GRC
GRC Resource intentionally emphasises the term “Integrated GRC”. Why is this done?
“In itself GRC is not new. As individual issues, governance, risk management and compliance have always been fundamental concerns of business and its leaders. What is new is an emerging perception of GRC as an integrated set of concepts that, when applied holistically within an organisation, can add significant value and provide competitive advantage.” PricewaterhouseCoopers (2005): 8th Annual Global CEO Survey. Bold Ambitions, Careful Choices. p. 3
Moreover, Integrated GRC does not only combine the business topics of Governance, Risk & Compliance (and many more), but also different technologies such as business intelligence, real-time applications and ERP systems. In the overall picture of Integrated GRC, a company’s GRC strategy is linked to GRC-relevant processes controlled through information technology.
GRC Definitions
So far there is no commonly accepted definition of “GRC”. Racz et al. (2010) suggest a short definition based on an extensive GRC literature review and validated it in a survey among GRC professionals. Their definition is the only scientifically derived definition for GRC.
“GRC is an integrated, holistic approach to organisation-wide governance, risk and compliance ensuring that an organisation acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness.” Racz, N., Weippl, E. & Seufert, A. (2010): A frame of reference for research of integrated GRC. In: Bart De Decker, Ingrid Schaumüller-Bichl (Eds.), Communications and Multimedia Security, 11th IFIP TC 6/TC 11 International Conference, CMS 2010 Proceedings. Berlin: Springer, pp. 106-117.
The GRC industry – software vendors, consultants, technology market research and other organisations – has suggested a myriad of different definitions. The quotes below should give readers an idea of the different viewpoints on what GRC actually is.
“The purpose of GRC is to provide sustainability, consistency, efficiency, and transparency for the multiple GRC processes in the organization. This is achieved by encouraging collaboration among the roles responsible for GRC (e.g., corporate secretary, corporate compliance, enterprise risk, audit, IT, line-of-business, investigations, legal) as well as leveraging a common framework and technology infrastructure.” Michael Rasmussen (2007)
“To be clear, there are substantially more processes than governance, risk and compliance playing critical roles in GRC. But 13-letter acronyms rarely catch on.” Mitchell, Scott L. (2007): GRC – More than three letters. OCEG GRC 360° Blog.
“Whereas ERM is more a methodology for managing the entire spectrum of risk, GRC is more a technology platform for illuminating governance and compliance risk. ‘It’s useful to think about GRC in terms of an IT platform,’ Lam says. ‘The technology helps you centralize and organize your policies, procedures, documentation requirements, risk assessment analyses and other content [for] dashboard reporting.’” Banham, Russ (2007): Is GRC ERM? Or Vice Versa? Treasury & Risk, Jun2007, pp. 48-50.
“GRC is more than a catchy acronym used by technology providers and consultants to market their solutions – it is a philosophy of business. This philosophy permeates the organization: its oversight, its processes, its culture. Ultimately, GRC is about the integrity of the organization [...].” Corporate Integrity, LLC (2007): What is GRC?
“Governance, Risk, and Compliance or ‘GRC’ is an increasingly recognized term that reflects a new way organizations focus on and manage an integrated approach to these three areas.” Wikipedia (as of 01/02/2008): Governance, Risk Management and Compliance.
Lee Dittmar (Deloitte Consulting LLP) takes a more pragmatic view on the discussion about the definition of GRC:
“Demystifying GRC is not really about precisely defining the term GRC, per se, and it is not about dissecting the ‘G’, the ‘R’, and the ‘C’. It is about understanding the underlying business issues that gave rise to the widespread use of the term and that are discussed by most commentators on the topic. [...] Don’t get hung up on the alphabet soup or the definitional debates.” Dittmar, L. (2007): Demystifying GRC. Business Trends Quarterly, Q4 2007.
White Papers
- PricewaterhouseCoopers (2004): Integrity-Driven Performance. A New Strategy for Success Through Integrated Governance, Risk and Compliance Management.
  PwC’s core concepts for Integrated GRC are the “Governance, Risk & Compliance Operating Model” and “Integrity-Driven Performance”. The white paper explains these concepts in detail, supported by business examples.
- SAP (2006): An Integrated Approach to Managing Governance, Risk and Compliance.
  Starting from an analysis of the four degrees of fragmentation in GRC (organisational, system, regional and internal GRC disciplines level), SAP derives a maturity model and gives advice on how to turn GRC into competitive advantage.
- PricewaterhouseCoopers & SAP (2007): Governance, Risk Management and Compliance – Sustainability and Integration supported by Technology. (Free registration required)
  This white paper focuses more on the role of technology in GRC. After an introduction to holistic GRC management it illustrates IT support of governance processes, risk management and compliance processes, compliance within business processes and compliance within approval and IT processes, using SAP solutions as examples.
