
A couple of weeks ago, I wrote about an article on GRC that appeared in a publication of the Institute of Internal Auditors (you can see my discussion here). I really liked the article, which used the definition of GRC developed by the Open Compliance and Ethics Group (BTW, I strongly recommend their site for information about GRC:

However, my post attracted a host of comments – many of which are by people who believe GRC is all hype, used by consultants and software vendors as a way to sell their products.

Those of you who are interested in the topic of GRC, perhaps assessing whether there is value in GRC solutions for your organizations, might find the discussion useful – and I certainly welcome your joining in the debate.

I decided to summarize my own views yesterday, in this post.

My friend and colleague at OCEG (we are both OCEG Fellows) Michael Rasmussen followed up with his own blog post (see here).

What does this all mean for SAP customers? My advice:

  • Understand the OCEG definition of GRC and the perspective it brings to looking at the business
  • When you are discussing “GRC”, whether internally or with a vendor, insist on getting a definition. It’s impossible to have a rational discussion when you are using different languages
  • Instead of thinking about a “GRC solution”, think about what you need for your organization: what are your business needs. GRC is too all-encompassing to have real meaning, except in the sense that it shines a light on the needs for harmony between the various components of GRC, and for the elimination of silos
  • Understand how SAP has offerings that not only address many of the business needs individually, but are designed to work together – in harmony – and enable best-run GRC processes

You can see more in How does SAP enable world-class GRC processes?.


  1. Gretchen Lindquist

    In my opinion you have presented a false dichotomy. “Is the value of “GRC” clear, or is it hype” implies that it is one or the other. I would say no to both. The meaning of GRC is apparently not clear, and that may be a function of unclear communication, as well as compliance quite logically meaning different things in different industries and different business models. But in my estimation neither is it hype; certainly, to any business who has suffered loss of their export license due to running afoul of export control laws, there is little confusion of the compliance failure, and to the organization recovering from internal or external fraud, risk management is more than “hype.”

    I invite anyone interested in this topic to my session on Sustainable Compliance at TechEd Las Vegas, SCI107, on Tuesday, October 19, where we will explore what it means and getting there from here, wherever “here” might be for your organization.


    1. Marilyn Pratt
      Sounds like a good place to continue to debate live.  Perhaps you can “channel” Norman at your session whose expertise and thought leadership are valued in this arena.  Your customer experience Gretchen: priceless.
    2. Norman Marks Post author
      Gretchen, you raise some interesting points.

      I agree that if GRC is not clearly understood, then it is hard to say whether it is hype or not.

      On the point that people have suffered from compliance or risk management failures, I would prefer that we call those compliance or risk management failures rather than a broader failure in GRC. Looking at it another way, I prefer people to focus on their particular problem than try and address the larger and massive that is GRC.

      When people push GRC instead of risk management, are they hyping their product as doing more than it really does? Are they implying it solves the issues behind corporate governance failures?


  2. Damodar Ramana
    Maybe with my pro comments, readers may think that I am a consultant for GRC. I am responsible for compliance in the organization I work in. Based on my experience and the issues I come across, GRC is at an infant stage in the industry and we have a long way to go, especially when it will become mandatory from all regulations with reference to process and financial related issues. The importance of GRC will be well understood.
