A Brief History of GRC

So, who wants to read about the history of governance, risk, compliance (GRC)? If you’re sitting down, don’t worry about using the entire seat, because you’ll only need the edge. However, before I delve into that, I want to talk about millennials and technology. 

The widely accepted definition of a millennial is someone born between the early 1980s and mid-1990s, and I graced this world with my presence in the early 1980s, right on the edge of the date range. So while I technically fall into the millennial category, I always felt stuck in the middle between both that and the Generation X category. There are a couple of reasons why I feel this way, but for the purposes of this tech blog, the reason I’ll elaborate on is—you guessed it!—how I interact with technology.

Fortunately, I’m not the only one who feels this way. Researchers have determined that there is a “microgeneration” of those born on the cusp of when Gen Xers and millennials meet (namely between 1977 and 1983). Rather than call it something cool, they just combined the phrases “Generation X” and “millennial” and came up with the word “Xennial”.

One of the primary things that makes Xennials different is that they are old enough to remember a world without intricate, game-changing technology. The internet was not part of my childhood, but computers existed and I could sense there was something special about using one. I remember when I was in high school and we got our first 14.4K dial-up internet modem…those of you old enough to remember can probably hear the “handshake” noises it made when connecting in your head now.

Ok, so enough with the nostalgia: What does this have to do with the history of governance, risk and compliance, you ask? Because a lot of articles I’ve read detailing the history of GRC talk about how GRC “started” in the mid-2000s. As someone who has worked in GRC for the past 12 years, I don’t totally agree with this. GRC was around far before we had advanced technological tools to automate, consolidate and manage it…we just didn’t call it GRC. Instead, the silos were specifically called out and managed accordingly: audit, risk, policy, vendor, business continuity, etc. People used pen, paper and file cabinets. This evolved to archaic spreadsheets. Then maybe they used…gasp…Lotus Notes! The point is, organizations found a way to manage these processes long before GRC technology existed. But just like how I can remember my life without a cell phone and email address, my life was made markedly easier and I was able to communicate much more quickly and operate more efficiently (in most cases!) once I had them. Except for when I was playing the “snake” game on my Nokia phone.

When GRC platforms started becoming a “thing” in the mid-2000s, there were only a few major players in the market. They focused primarily on IT: whether it be controls, policies or risk management. Additionally, with the Enron and Worldcom scandals, SOX and its myriad of financial reporting controls rapidly became platform offerings as well. As the market started expanding quickly at the turn of the decade, the concept of “eGRC,” with the “e” standing for enterprise, swept the landscape. Why settle for managing IT processes when many of the tools were capable of managing an entire organization’s governance, risk and compliance frameworks? The natural progression had begun.

Fast forward to today, and now some GRC platforms in the market can do much more than just GRC. These select few have evolved so that they are able to automate almost any business process you’re looking to manage. Furthermore, I think many people in this space have begun to realize that GRC isn’t just about the technology you use to support it. At a high level, it helps you communicate more quickly and operate more efficiently (sound familiar?) all while having an environment where information is easily shared between what were previously disparate processes. However, it all starts with having a solid procedure to begin with. So much like being a Xennial, when you know what it’s like to manage GRC processes without technology, you can really appreciate how much easier your life is when you manage and automate it with technology. Unfortunately, you still may long for the days where you had to memorize peoples’ phone numbers. If you’re interested in GRC platforms that can do more than just GRC, check out our governance, risk and compliance solution suite.

About the author