It’s amazing how much disagreement there is on what GRC means. Pretty much everybody agrees it stands for Governance, Risk Management, and Compliance. But the variety of views on what processes and enabling technology fit under that broad heading is astounding.
I have presented my view, which is that we should standardize on the OCEG definition, in my personal blog at http://normanmarks.wordpress.com/. The OCEG definition is:
“A system of people, processes and technology that enables an organization to:
- understand and prioritize stakeholder expectations;
- set business objectives that are congruent with values and risks;
- achieve objectives while optimizing risk profile and protecting value;
- operate within legal, contractual, internal, social and ethical boundaries;
- provide relevant, reliable and timely information to appropriate stakeholders; and
- enable the measurement of the performance and effectiveness of the system.”
I welcome your views on this, either here or on my personal blog site.
I have also been writing in my personal blog about Continuous Auditing and Monitoring. I believe that many customers are having difficulty implementing this because they are not taking a top-down and risk-based approach – and have blogged about that on SCN previously. My personal blog discusses some of the pitfalls companies have to navigate in selecting tools for continuous auditing. It goes on to describe how SAP’s solutions address our customers’ needs – recognizing that a complete solution will often need multiple tools from a variety of sources.
Do you agree, and can you share your personal experiences with this subject?
Finally, today I posted a blog on the linkage between Strategy and Risk. Fortunately, SAP customers can meet the need to link risk and strategy (e.g., managing the risks to key strategies, goals, and objectives) because the SAP BusinessObjects solutions for Strategy Management and Risk Management are integrated in this way.
Do you agree with this as a critical need? Have you been able to implement effective processes for risk-adjusted strategies?