What's wrong with GRC?

This is an opinion piece by Grant Purdy, Associate Director.

There’s nothing wrong with:

  • Ensuring consistency in decision making and governance processes across an organisation
  • Understanding that effective risk management is the foundation for good governance
  • Appreciating that achieving and assuring compliance with legislative and contractual requirements is an important input to good governance
  • Combining departments and human resources that have common skills and roles under one department
  • Using information systems to provide consistency in process, to store useful information and to improve efficiency in governance reporting.

There is a great deal wrong when:

  • People forget that the ‘R’ in GRC means risk management, not risk
  • GRC suggests that governance, risk (management) and compliance are functions when risk management is a decision support process, compliance is an outcome and good governance is an organisational attribute
  • Describing governance, risk (management) and compliance as silos leads people to think that there is no correlation or overlap between them
  • Combining compliance activities and risk management in one function leads to a compliance-based attitude and approach to risk management
  • Combining compliance, which is concerned with the avoidance of negative outcomes, with risk management leads to the latter being focussed on threats, at the expense of opportunities
  • GRC reduces attention on control design and assurance
  • People are led to believe that (non-)compliance is a kind of risk
  • Because of the term GRC, people believe that organisations should place equal weight, resources and effort on risk management, compliance management and good governance
  • People are led to believe that specialists undertake and deliver good risk management
  • People are led to believe that specialists undertake and deliver governance
  • People are led to believe that risk management is a process that an IT system can deliver for you
  • Three-letter acronyms emerge every few years for revised and improved versions of risk management and organisations are encouraged to buy this year’s flavour before they have properly implemented the fundamental processes
  • GRC is sold as an alternative to good, effective risk management
  • A self-appointed group develops its own standard for risk management to advance and protect its market by selling certification to that standard
  • A self-appointed group develops and promotes its own standard that does not comply with internationally agreed standards, thereby creating confusion and ambiguity
  • New flavours of risk management only elicit a response in terms of software products at the expense of improvements in the actual practice of risk management
  • The razzamatazz of constantly re-branding and re-packaging risk management for solely commercial reasons leads organisations to lose sight of the good risk management they already do and to lose focus on how they can build upon and improve that rather than throwing everything out and starting again with the new version.