I'm often asked how a GRC initiative or GRC need can be identified and what it is about. This is a difficult question to answer without talking for hours. Very often, GRC is connected solely with the management of financial and IT controls. However, this is only part of the truth. Companies take many approaches to GRC initiatives depending on their specific needs and concerns: their environmental programs, manufacturing processes, supply chain risks, HR policies, health and safety controls, or even a combination of these topics.
The acronym GRC stands for a certain approach to addressing those needs rather than for a specific topic. If you talk about risks and how to handle them, about measures to ensure internal control or external compliance, about controlling processes to avoid exceptions, or about how to conduct and document audits and questionnaires, then it is more than probable that the issue at hand needs a GRC approach.
Today, more and more often, customers see the need for (and the benefits of) aligning their various GRC programs, or even tackling the issue more broadly with, for example, enterprise risk management and corporate compliance management. Here the beauty of a generic approach shows up and beats all single-topic quick solutions. Even more, a single GRC software solution is needed. To cite Chris McLean of Forrester: "The more complicated the program, the more likely it is to need GRC software to support it."