Q&A: GRC Explained: A New Way of Looking at Risk

  • by Laura Casasanto, Former Managing Editor
  • January 13, 2011
Is the real meaning and importance behind governance, risk, and compliance (GRC) a vague notion in your company? We talked to SAP’s own Norman Marks to get his views on the subject and hear his definition of GRC.

Norman Marks is a vice president at SAP and an evangelist for GRC. Before he went to SAP, he had worked as a head of internal audit, chief risk officer, chief compliance officer, and chief ethics officer. He led internal audit departments for global corporations for 20 years. He’s a thought leader in several areas of GRC, including risk management and internal audit. “I try to bring to the table some ideas and suggestions for how people can run their organizations better,” he says, “whether it be risk management, governance, compliance, or internal auditing, and try to move thought and then practice forward through debate and sharing.”

Marks has won numerous awards for his writing and is on the board of multiple periodicals. He’s a blogger for the Institute of Internal Auditors in addition to being on their Professional Issues committee, where he helps develop guidance in interpreting standards and best practices and in running internal audit functions. He speaks globally on topics surrounding governance, risk, and compliance and how they relate to the business. We spoke to Marks about his views on the often complex area of GRC and to hear how GRC processes, or the lack thereof, can affect your business.

What does GRC mean to you?

NM: I’d been a practitioner for many years, including running internal auditing groups for 20 years, before SAP asked me to be an evangelist for GRC. I said yes and started asking what GRC is. It’s not something you often see within an organization. You don’t usually see anything labeled a GRC process or a GRC department (although SAP has one, which is interesting). So I started thinking, “What is this? Is this something very new, or is it just a new perspective on the way people run their business?”

This has been a journey for me, of trying to figure out what GRC is. It’s very clear that there is no generally accepted single definition of GRC other than that it stands for governance, risk, and compliance. So the words stand for something, but what’s the meaning behind it? I stumbled across the definition used by the Open Compliance & Ethics Group (OCEG). The way I would summarize it is that GRC is about the need for activities related to governance, activities related to risk, and activities related to compliance to come together. It’s talking about what we call harmony between different activities within an organization, and it’s talking about breaking down silos.

Laura Casasanto

Laura Casasanto is a technical editor who served as the managing editor of SCM Expert and Project Expert.
