Amen to our buddy Paul Proctor, who starts a post, Why I hate the term GRC, with “GRC is the most worthless term in the vendor lexicon.” I couldn’t agree more. 10 years later I still don’t know what it means. Besides everything, as Paul explains:
“Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have. For seven years I have battled this monolithic term and I fear I’m losing the battle. The alternative is to try to bring some clarity to its usage by defining some boundaries.”
Unfortunately, boundaries aren’t going to help. As long as Risk or Compliance (the R and C of GRC) continues to have budget line items, we will have both vendors and users dumping whatever they can into the GRC bucket. It’s a funding strategy that has worked for years, and unless there is some miraculous movement away from regulation, it will be successful for years to come.
Then Paul tries to put GRC tools into a box. Good luck with that. But he makes a good point: “Buying a tool to solve your GRC problems is putting the cart before the horse. For example, if you don’t have risk assessment, buying a GRC tool is not going to give it to you.”
I applaud this attempt to provide some sanity to the idiocy of GRC. But that’s too positive and constructive for me. I would rather just bitch about it some more. Which I think I did…