For the past few years, I have been thinking about the bigger picture of management. What part do management systems (Quality, Environment, Safety, Security, etc.) play? What are controls and why do we need them? What is risk and where does it fit?
A few years ago, I attended the ASQ Audit Division conference in Reno. As I listened to the keynote presenter from South Africa, I picked up a new term: GRC. He mentioned it so casually, as if everyone knew what GRC meant. I started my quest for knowledge on GRC when I got home from the conference.
GRC is short for Governance, Risk Management, and Compliance. It's Board-speak.
When I first looked at Wikipedia, I discovered it was a software package vendors sold for automating management. Ugh! Fortunately the Wikipedia entry has been cleaned up and the introduction is now pretty good.
In my own mind, I see "Governance" as the management systems embodied by ISO 9001, 14001, etc. Risk Management is receiving a lot of attention now, especially by the ASQ. At first I thought of risk as bad and something to be eliminated. But now I see risk as uncertainty. It is the natural entropy of the universe and can be good or bad. It depends on how it's managed. My primary reference on risk management is ISO 31000, with COSO as my backup. Compliance is part of the whole monitoring and measuring function of an organization. While many interpret compliance to be restricted to legal issues and government regulations, I see it as much greater. Auditing falls under this category.
I follow the writings of two gurus in these areas, using Linked-In and RSS feeds.
- In Risk Management matters, I like the style, content, and credibility of Norman Marks. He is a regular contributor to the ISO 30111 Linked-In discussion group. But his blog postings on Governance, Risk Management, and Audit are even deeper. I have learned much from Norman.
- In GRC matters, Michael Rasmussen is excellent. Even though his firm sells research and advice, his GRC Pundit blog posts emphasise concepts, not commercial solutions. Just yesterday, Michael reminded his readers of one of the most elegant definitions of GRC I have seen:
The Open Compliance and Ethics Group (OCEG) defines GRC as "a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance]."
I can live with that definition.