GORC – New and improved GRC with added O
Published as a whitepaper by the Institute of Internal Auditors (IIA), Australia in May 2021
To improve assurance, the widely used industry acronym GRC needs to be challenged and updated by adding O, for obligational awareness.
This article analyses the organisational interfaces and feedback loops through the lens of the DIKW model (Data, Information, Knowledge, Wisdom) and splits the Governance, Obligational awareness, Risk Management and Compliance Administration process into two streams:
- top-down processes and controls and
- bottom-up monitoring, analysis, and reporting.
It also introduces the feedback loop mechanism.
There are two problems with the acronym GRC. It excludes obligations and introduces a risk-centric bias.
Risk management is concerned with managing uncertainties, whereas obligations are already known. The term GRC creates a risk-centric bias by focusing on risk management, risk control and risk governance. This confusion and bias increase the possibility of decision-making errors. The term GRC should be updated to describe the totality more accurately.
By adding obligations to the GRC acronym (changing it to GORC, where the O stands for Obligational awareness), risk-centric bias is eliminated by recognising the equal and parallel importance of obligations, risk and compliance.
Applying the GORC / DIKW feedback model will
- separate top-down control and bottom-up reporting and
- highlight the execution, management, control and governance interactions between the board, subject matter experts, management and staff.
History of GRC
The term GRC is relatively new. It was first presented in a scholarly article in 2007 and defined as ‘the integrated collection of capabilities that enable an organisation to reliably achieve objectives, address uncertainty and act with integrity’.
Wikipedia defines GRC as the term covering an organisation’s approach across three practices – governance, risk management and compliance where:
- Governance is the combination of processes established and executed by the board of directors that are reflected in the organisation’s structure and how it is managed and led toward achieving goals.
- Risk management is predicting and managing risks that could hinder the organisation from reliably achieving its objectives under uncertainty.
- Compliance refers to adhering to the mandated boundaries (laws and regulations) and voluntary boundaries (organisation policies, procedures, etc).
Lazily, GRC is commonly used as an acronym for Governance, Risk and Compliance. A more accurate definition would be:
- Corporate Governance – a board responsibility
- Risk Management – a management responsibility
- Compliance Administration – a staff responsibility.
The problem with GRC
The problem with the acronym GRC is that it excludes obligations where obligations are defined as ‘a legal or moral duty to do something or things that you must do or pay because of a law, rule, agreement, etc’.
Obligations are often confused with compliance. However, compliance is defined as ‘the act of obeying an order, rule, or request’. The obligation is the rule; compliance is the act of obeying the obligation.
For example, in Australia, the standard AS1851 imposes an obligation on all organisations to service their fire extinguishers every six months, every year and every five years. The act of assuring compliance is providing documentary evidence that every fire extinguisher has been serviced at these intervals.
To answer the question, ‘How do we know our organisation is complying with all our legal and policy obligations?’, Internal Audit needs two things. First, Internal Audit needs to be aware of all the organisation’s obligations; and secondly, Internal Audit needs documentary evidence that all obligations are being met.
GRC needs to be updated to GORC to include:
- Corporate Governance: a board responsibility.
- Obligational awareness: a subject matter expert responsibility.
- Risk Management: a management responsibility.
- Compliance administration: a staff responsibility.
GRC creates a risk-centric bias
Another problem with GRC is that it implies a risk-centric approach to assurance. The board defines the risk appetite, management analyses the risks and imposes risk controls, and staff follow the rules imposed by the risk controls.
The problem is that risk creates a bias towards uncertainties, the need to minimise, monitor and control unforeseen events, and maximise the realisation of opportunities.
Obligations are known duties, not unforeseen events or opportunities. For example, not exceeding the departmental budget is a known obligation that may be affected by unknown risks.
Obligations are an equal and parallel entity to risks.
The GORC / DIKW top-down control path
A useful approach is to apply the DIKW (Data, Information, Knowledge, Wisdom) model to GORC. From the top down:
- The board is responsible for corporate Governance. They apply their Wisdom to approve the strategy, define the risk appetite and approve the resultant policies for the organisation.
- From the risk appetite statement, senior management and appropriate specialist consultants then apply their subject matter expertise and their Knowledge, tools and techniques to define the policies to manage the risks and obligations.
- Middle management then uses this Information to develop processes and procedures that impose controls to manage the risks and codify how the obligations are to be met. Senior management approves the procedures to make sure they align with the policies.
- Staff follow the procedures and generate the compliance Data by filling in forms. This compliance data is collected as the documentary evidence that the risk and obligation controls are being applied.
The GORC/DIKW bottom-up feedback loop
Obligations imply monitoring, in the form of a bottom-up feedback loop. Organisations already have such loops: financial feedback loops, management feedback loops for departmental and senior management, and a governance feedback loop for the board and C-Suite. In financial terms, these are the management reports (budgets, sales targets, etc) and the financial reports (P&L, balance sheet and cash flow).
- Bookkeepers enter all purchase orders and invoice Data onto the financial single source of truth, making sure everything is up-to-date at all times so reports can be generated within a week of month-end.
- The finance system produces management accounting reports so department and middle managers can use this Information to track their budgets which are their KPIs.
- They and senior management apply their professional Knowledge to this business intelligence to inform their day-to-day decisions to keep everything on track and drive continuous improvement.
- The directors apply their Wisdom to the financial reports as they have a dual responsibility for the organisation’s overall performance as well as the organisation’s overall compliance performance.
Recommendations and Conclusion
Recommendation 1: Eliminate risk-centric bias by replacing the term GRC with GORC.
Recommendation 2: Use the GORC / DIKW framework during the regular systematic reviews of systems and processes to separate the top-down process and controls from the bottom-up monitoring and reporting systems and processes.
Recommendation 3: Use the GORC / DIKW framework during regular systematic reviews of systems and processes to examine the clarity and effectiveness of interactions between the board, subject matter experts, management and staff.
By simply adding a single letter to the GRC acronym and recognising the importance of obligations, the use of the GORC acronym could reframe internal auditing and eliminate risk-centric bias.
When applied, the GORC/DIKW feedback model can (a) separate top-down control and bottom-up reporting (b) highlight execution, management, control and governance interactions between the board, subject matter experts, management and staff.
I hope that in the fullness of time, there may be a shift in the definition of internal auditing to include obligational awareness at a similar level as risk management, control and governance.
Bibliography and References
‘Compliance’, Cambridge Dictionary Online, accessed 4 April 2021
‘Definition of Internal Auditing’, IIA, accessed 4 April 2021
‘Governance, risk management, and compliance’, Wikipedia, accessed 4 April 2021
‘Obligation’, Cambridge Dictionary Online, accessed 4 April 2021
‘The director’s role in corporate governance’, Australian Institute of Company Directors
‘What is GRC?’, OCEG, accessed 4 April 2021
My thanks to Andrew Cox and Michael Parkinson of the IIA who helped edit the IIA Whitepaper.