To GRC or not to GRC?

That seems to be the question at the moment!

Thought leaders Michael Rasmussen and Norman Marks continue to provide excellent commentary on the challenges of improving organizational performance through a focus on better management of risk and all that that entails... (for there is much!).

As a software vendor, we are all too aware of the perils of trendy acronyms which are used to classify, categorize and pigeonhole products such as ours. ERM held sway for a while before being ousted by GRC and/or EGRC - what's next we wonder?

In their defence, acronyms will always have their place to condense and encapsulate what can be a broad range of concepts, structures and processes. Particularly for new entrants to a management field - they can provide a much needed marker in a bewildering landscape of frameworks, consultants and software solutions.

But that's really all they are. They do not explain what, how, when, who, and definitely not why!

'Twas ever thus...

Who doesn't yearn for an answer, or better still, an end, to complexity? The danger of acronyms is their illusory capacity to make things seem clearly packaged and therefore manageable with less time and effort than seemed necessary to begin with.

The realm of governance, risk and compliance is vast, infinite and has always been with us. The difficulty has always lain in defining it, optimizing its management and especially in communicating its value to an often sceptical audience who would rather be doing a "proper job"!

The appeals and edicts of commentators such as Messrs Rasmussen and Marks are valuable and ultimately should be read as reminders about the following:

  1. Acronyms such as 'GRC' are not a shortcut to successful outcomes in any field. Use them, but don't let them rule your decision making. Jumping on a bandwagon will only take you in one direction - someone else's!

  2. The factors involved in the success of any organization are complex - get over it. Take the time to understand the full scope of concepts, structures and processes that matter where you work.

  3. You can't boil the ocean - even with millions of dollars of fantastic software! Ensure your organizational strategy guides how you scope what GRC means to you. Do 3 things well, not 103 things poorly.

  4. Don't lose sight of what unites your target audience and moves them to action. "GRC" may mean nothing to them, however many times it appears in your PowerPoint slide.

Finally - it's all about uncertainty! If you think your framework, consultant, or latest software acronym has everything covered, you're probably in the wrong job...
