I recently attended and spoke at MIS Training Institute’s Governance, Risk, and Compliance 2009 conference held in Orlando. My speaking opportunity consisted of a one-day workshop on GRC for individuals focused on audits and assessments. Nine “students” representing different industries, geographies, and functions (IT, IT audit, and risk management) attended the eight-hour class. When facilitating a workshop such as this, I always leave with new knowledge and insights into how organizations are addressing GRC tasks.
I consistently find more and more professionals not only know what the GRC acronym means, but also how it applies to their respective companies. That is progress when compared to a few years ago when the acronym first appeared. Today, many professionals, including myself, see GRC as at least three distinct disciplines, which are closely related but generally owned by many different functions in the typical enterprise. This is a debatable position, but I believe everyone realizes GRC must be addressed, and the best way to do that is in a comprehensive way, cutting across organizational silos.
To my surprise, I actually met two people who work in a function with an official title called “Governance, Risk, and Compliance.” This was a pleasant revelation – because we’re just beginning to see companies naming a single person (or group of people) responsible for GRC, and assigning titles to match – and I continued to probe to understand the makeup of these functions. Both companies come from different industries and different countries. However, their GRC functions mirrored each other in their composition of professional talent. As one may suspect, the functions consist of individuals with a wide array of skills – internal audit, IT, business, legal, and risk management. This is not a shocker as the discipline of GRC requires many different talents and true collaboration between all departments in the enterprise.
Other takeaways from the conference served to validate some common views. Much of the GRC business case and rationale for tackling GRC as “one” rather than three distinct disciplines is focused on time savings by eliminating redundant activities. Today’s typical company is focused on compliance, risk management, and overall governance but addresses these with a silo mentality. This generally means lots of information is collected by different functions, but the silos do not communicate with each other. The first step to holistic GRC typically involves the following silos – internal audit, legal, risk management, IT, and operations – sharing and centralizing their information in order to put the entire puzzle together in a meaningful manner. When this occurs, many of the redundant activities are eliminated and internal resources can focus on other initiatives. Of greater importance in this scenario, holistic GRC delivers a more complete picture of an organization’s GRC posture, providing leaders with better information to make decisions.
Based on my observations and in speaking to the attendees at the event, it’s clear to me that the concept and principles of GRC are relevant and here to stay. Executives, boards of directors, and institutional investors expect companies to comply with regulations, manage risk, and govern the enterprise regardless of the acronym used. Every conference or event I attend includes a GRC element and seems to create more momentum for companies to address GRC as an enterprise initiative.