Lately, you may have read blogs and listened to webinars by various GRC experts (primarily from the US) who claim that "Everybody (read: every organization) does GRC".
Nice try, but I will not jump on that train - I claim the opposite instead: No, not everybody does GRC! My rationale is simple: As long as an organization has not started integrating its governance, on all levels, with its risk management and compliance efforts, it does not do GRC and should not even call it that!
So, why would GRC experts say so? I assume they want to remove mental obstacles within organizations ("No, GRC seems very advanced, that's nothing for us.") and encourage them not to give up but to continue on their journey towards higher and higher integration. So it serves a good purpose, I see that, but it is definitely misleading wording with regard to the original idea of GRC.
I apologize to my faithful followers that this may seem a rather academic discussion among GRC consultants, and believe me, I normally wouldn't argue about such a statement in this blog. But I think it is important to intervene at this point in order to prevent the spread of what would be a big misunderstanding - for the benefit of academics, the consultancy business and practitioners alike.
The point of the concept called GRC is that it is (and always has been) integrated by nature. So, for example, having a risk policy is risk management, but it is not GRC as long as it is not linked into all relevant decision-making processes. What else would be the point of working with corporate governance, risk management and compliance in silos (it's true, everybody does or has done THAT) and calling that a concept with a strange new name?
What is true instead is that everybody who has started to integrate processes and structures across the areas of governance, risk management and compliance does GRC. And getting started with that is easy, in fact!
This is my message: integrate, integrate, integrate! Silo work is not GRC!
Check yourself: do you do GRC?
- Are your strategy and strategic planning (and their follow-up) based on a complete and up-to-date risk and opportunity analysis?
- Do all risk and control functions (ERM, internal control, compliance, internal audit) start off their work from a common risk language and a common view on the organization's exposure to risk?
- Are both opportunities and risks taken into account when it comes to decision-making at all levels?
These would be clear characteristics of your GRC work, and you would have come far on your GRC journey! Congratulations!
A last word to my dear colleagues: Not everybody does GRC, but everybody who integrates does GRC! Could we agree on that?
Have a nice summer!!