The relationship between IT GRC and Enterprise GRC
In every story on GRC, it is stated that the worlds of IT GRC and EGRC are moving together, that these worlds are integrating. In fact, I don't believe that's true. I believe they have always been one, but vendors' marketing has somewhat polluted the discussion by creating two perceived separate markets. There are obviously some specifics in IT GRC that are less dominant in EGRC. A term like "vulnerability" is standard in IT GRC but rarely heard in EGRC. Although such a term adds some logical structure, it also adds complexity for many non-experts. I've seen EGRC implementations with risk triggers, causes and consequences; that makes a lot of sense for the expert, but is difficult for business users. This is just one example of where companies need to decide on a clear and integrated risk language, and that is not an issue for IT GRC alone.
Another typical element of IT GRC is its reliance on data, much more so than EGRC, in my belief simply because the availability of data is so much better and there is a lot of value in that data. This is definitely an area where EGRC needs to learn from IT GRC practices. The types of data to include are not only transactional data, permissions data, configuration data and logs, but also unstructured data, such as (social) media for reputation risk monitoring, for instance.
IT GRC has always been part of EGRC. The languages have moved closer, and will have to move closer still for people in different teams to understand one another and to leverage one another's results. Proper tooling can already take care of the technical integration between the various risk initiatives: ERM, OpRisk, IT Risk, regulatory compliance, policy management, and internal control over financial (and other) reporting. Now the business processes need to be aligned. The alignment between IT GRC and EGRC is just as necessary as the alignment between ERM and ORM, between Policy Management and Regulatory Compliance, between ICFR and Audit, and so on.