What Is GRC, and Why Does It Matter?
If you've seen the movie A Few Good Men, starring Jack Nicholson, Tom Cruise, Demi Moore, and Kevin Bacon, you'll likely remember the courtroom scene where Bacon's character asks a witness if a military manual includes the term “code red.” He receives the desired reply: “No, sir,” indicating that a code red—a punishment allegedly used on a soldier—doesn't exist. But Cruise's character counters by asking where the manual provides the location of the mess hall or other realities of military life, also receiving the desired response: “Well, Lieutenant Kaffee, that's not in the book either, sir.” Cruise successfully makes the point that although there's no specific, tangible place to look for a code red, this does not mean that a code red doesn't exist.
Why this diversion to Hollywood? The same logic applies to the term governance, risk management, and compliance. You've probably never seen a company with a unit or function called governance, risk management, and compliance, or GRC for short. But that certainly doesn't mean GRC doesn't exist.
Indeed, it does exist and has tremendous impact on a company's ability to succeed. It may sound extraordinarily boring, conjuring up thoughts of insignificant plumbing deep in the recesses of an organization. But that's just not the case. GRC, in fact, is extremely important to every company, influencing virtually everything done from strategy formulation and implementation to every kind of operational ...