by  Thomas Frenehard, GRC, SAP

Welcome to GRC Tuesday, a new series of weekly blogs my colleagues and I will be writing on GRC topics every Tuesday on the Analytics blog site. We are launching the series from here in Orlando, at SAPinsider GRC 2014. Watch the Analytics blog every week for timely comments on risk management, control and compliance, fraud, and audit management topics.

I’ll begin the series today by introducing a glossary of GRC terms, some of which we’ll touch on as we proceed in the coming weeks.

The GRC Acronym Jungle

After finishing a discussion with a customer this morning in Orlando, I was told a Czech proverb along the lines of “Those who know many languages live as many lives as the languages they know.”

Sometimes, when I talk about GRC topics, I suspect the colleagues who share my office believe that I am using a coded language. It’s true that discussing with a CRO “the place of SoD-related KRIs within an overall ERM approach in their GRC software” can raise a few eyebrows in my everyday, non-GRC life.

So today, I’d like to list all the GRC-related acronyms that are frequently used. Please, don’t hesitate to add your own – I’m interested to see how long this list can actually be!

  • ABC: Anti-Bribery & Corruption
  • AM: Audit Management
  • AML: Anti-Money Laundering
  • BCM: Business Continuity Management
  • BCP: Business Continuity Plan(ning)
  • BIA: Business Impact Analysis
  • BSI: British Standards Institution
  • CAE: Chief Audit Executive
  • CAPA: Corrective Actions and Preventive Actions
  • CCM: Continuous Control Monitoring
  • CCO: Chief Compliance Officer
  • CIA: Corporate Internal Audit
  • COBIT: Control Objectives for Information and related Technology
  • COSO: Committee of Sponsoring Organizations of the Treadway Commission
  • CRO: Chief Risk Officer
  • CSA: Control Self-Assessment
  • DRM: Disaster Recovery Management
  • DRP: Disaster Recovery Plan(ning)
  • ERM: Enterprise Risk Management
  • FCA: Financial Conduct Authority
  • FCPA: Foreign Corrupt Practices Act
  • GRC: Governance, Risk management and Compliance
  • IIA: Institute of Internal Auditors
  • IR: Integrated Reporting
  • IRM: Information Risk Management
  • ISACA: Information Systems Audit and Control Association
  • ISO: International Organization for Standardization
  • ISRM: Information Security and Risk Management
  • IT GRC: Information Technology Governance, Risk management and Compliance
  • ITIL: Information Technology Infrastructure Library
  • ITRM: Information Technology Risk Management
  • KCI: Key Control Indicator
  • KRI: Key Risk Indicator
  • OCEG: Open Compliance & Ethics Group
  • ORM: Operational Risk Management
  • ORSA: Own Risk and Solvency Assessment
  • PCAOB: Public Company Accounting Oversight Board
  • PCI DSS: Payment Card Industry Data Security Standard
  • PDCA: Plan-Do-Check-Act
  • PRM: Project Risk Management
  • RBA: Risk-Based Auditing
  • RCSA: Risk Control Self-Assessment
  • SEC: Securities and Exchange Commission
  • SoD: Segregation of Duties
  • SOX: Sarbanes-Oxley Act
  • VRM: Vendor Risk Management

This is our starting point. Language is important, and we need to have words, phrases, and acronyms to express ourselves and communicate with each other.

What is “in” GRC? What is not? Can you add to this list? Do you think some of these topics don’t belong here? My colleagues and I would like to hear from you.