What is ‘G’ in GRC?!

As many people know, GRC stands for ‘Governance – Risk Management – Compliance’, which is more or less clear until we reach the ‘G’…then we have the issue!

Compliance is pretty easy to explain. It represents fulfilling the requirements of a certain standard, regulation, directive etc. In other words, it is the checklist of requirements which can be ticked off as accomplished once compliance has been achieved. No big deal!

Risk Management is a bit more complicated. Although risk management covers a very broad domain, in essence it is quite straightforward. The organisation has to identify certain risks based on some criteria, perform analysis and evaluation of those risks, and apply risk treatments. Risk management is a continuous cycle, because treating a risk’s cause will reduce that risk but will also have an impact on other risks. So it implies some kind of continuous improvement. Clear enough…no big issues!

But when we reach the Governance…ugh!

I’ve tried many times to explain GRC from different perspectives, different approaches, different angles, and I was not too successful…at least, not deep in my heart.

In itself, governance is nothing but the way a company is run or managed. It’s all about strategies, policies, processes, measurements, automation, improvements…and every time I tried to explain it in more depth, I saw that “…yeah, right!” look.

I’ll be honest and admit that after some time I simply got tired and started to use a comparison which has nothing to do with IT or management…and it turned out to be the most convenient explanation for the famous ‘G’ issue.

I’ve started to compare GRC to a kitchen. Although it might sound naive, it describes quite precisely the complexity of the topic and even gives a glimpse of the proficiency needed for good governance. So, in that sense:

  • Compliance represents nothing but the recipe: the list of necessary requirements, or ingredients, needed;
  • Risk Management is the process of cooking: stirring and adding various supplements and spices depending on the environment or the process;
  • Governance is the chef.

Bon appétit.

Published on May 23, 2017 (https://www.linkedin.com/pulse/what-g-grc-zvonimir-zavacki/)