E-commerce Resources

In its GRC Capability Model, Red Book, 2.0 (April 2009), OCEG defines GRC as a “system of people, processes, and technology that enables an organization to:

• Understand and prioritize stakeholder expectations.
• Set business objectives that are congruent with values and risks.
• Achieve objectives while optimizing risk profile and protecting value.
• Operate within legal, contractual, internal, social, and ethical boundaries.
• Provide relevant, reliable, and timely information to appropriate stakeholders.
• Enable the measurement of the performance and effectiveness of the system.”

The definition can perhaps best be summarized as how an organization understands stakeholder expectations and then directs and manages activities to maximize performance against those expectations, while managing risks and complying with applicable laws, regulations and obligations.

GRC Functions and Processes

GRC processes are extensive, ranging from the activities of the board and executive management, through strategy setting, performance management, risk management and financial reporting, and including internal controls and IT security. OCEG’s list of functions and processes that are typically included in GRC makes this very clear:

• Governance
• Strategy and business performance management
• Risk management
• Compliance
• Internal control
• Corporate security
• Legal
• IT
• Business ethics
• Sustainability and corporate social responsibility
• Quality management
• Human capital and culture
• Audit and assurance
• Finance

Vendors Define GRC Differently

Business and IT management can get caught up in the GRC confusion. Perhaps the most common problem is when vendors of services or software market their GRC capabilities. Managers should not assume the vendor is talking about GRC as defined by OCEG. Instead, they should ask what the vendor means by “GRC.”

In my experience, companies tend to define GRC to suit the strengths of their offerings. It is important to note that no single vendor has a solution that integrates, on a common platform, enabling technology for every GRC process (as defined by OCEG). Vendors have technology for one, or several, GRC processes, but not all. When vendors call, managers should make them focus on business processes and how they help the specific situation. Do not fall into the trap of limiting the discussion to the vendor’s agenda.

And So Do The Analysts

Unfortunately, the analysts that assess the quality of software products — primarily Gartner and Forrester Research — use definitions of GRC that are not only different from the OCEG but also from each other.

For example, Gartner defines GRC management as “the automation of the management, measurement, remediation, and reporting of controls and risks against objectives, in accordance with rules, regulations, standards and policies.” Forrester’s definition is close to the OCEG’s, but does not include areas such as performance management or strategy.

So What Do You Do?

Because GRC has so many different definitions, my advice is to come up with a definition that works for you and your company. My preference is the OCEG definition. When it comes to selecting software, I always advise companies to base their decisions on their own business needs and not somebody’s definition of “GRC software.”

About the Author

Norman Marks, CPA, is Vice President, Governance, Risk, and Compliance (GRC) at SAP BusinessObjects, where he is an evangelist for the GRC market and SAPs related software. A chief audit executive of major global corporations for over 15 years, and a recognized thought leader in the profession of internal auditing, Norman is an active member of the Institute of Internal Auditors. He led the development of IIA responses to proposed rules by the PCAOB and SEC, is the editor of the Corporate Governance column in the IIAs Internal Auditor magazine, a member of the review boards of several audit and risk management publications, a frequent speaker internationally, the author of several award-winning articles, and blogs for the IIA about internal audit, risk management, governance and compliance.