GRCS: What's in a Name?

Lora Bentley

It's funny how the labels we use for things change over time. The things we're describing don't really change, but how we describe them does. A pocketbook became a purse and then, in some circles, is now just "a bag."


A few years ago, we talked about application service providers; now it's all about software-as-a-service. Terminology comes in and goes out of fashion almost as swiftly as clothes and accessories do.


The focus of this blog, governance, risk and compliance (GRC) is no exception. Three years ago I covered compliance. Compliance then morphed into risk management, and then into GRC. Now, Bloor Research's Philip Howard is calling for another name change. He's right. It's probably time for the next label.


He argues that GRC doesn't really account for external attacks or internal attacks in the form of "fraud, malicious damage or information theft." Why? Howard says, simply, "GRC, treated literally and in its entirety, is too big for most (any) vendors to handle, so they've cut it down into silos that they can treat."


But we all know that silos are bad when it comes to IT. So Howard suggests that GRC should instead be called GRCS, or Governance, Risk, Compliance and Security. It makes sense to me, because GRC and security have been inextricably intertwined from day one. Why not treat security in the same "bundle"? I'm interested to see Howard develop his take on the subject in the days to come

Add Comment      Leave a comment on this blog post
Aug 2, 2009 11:18 AM Marcia E Marcia E  says:

Interesting thought, but I wonder if this doesn't lump stuff together at the risk of diluting the point of Data Governance? Compliance, risk and security has to do with protection of the data - things on the "must do" list. However,  data governance has, from a business sense, has a ton to do with data quality too - that is making sure that the data is fit for use. Better protection may be a piece of it, but more effective marketing, better customer service, etc. are perhaps an even more important aspect for governance.

There's a new white paper I read recently that points out that, while all the news is about data protection, there are issues with over-limiting access to data too. You can check it out:

If we lose sight of data governance as a way to make data more effective, we risk losing sight of these types of concerns, and we lose a lot.


Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.