Governance, risk and compliance (GRC) refers to an organization's strategy for handling the interdependencies among the following three components:
The term GRC was coined in 2007 by OCEG -- formerly the Open Compliance and Ethics Group -- a nonprofit think tank. GRC emerged as a discipline in the early 21st century when companies recognized that coordinating the people, processes and technologies they used to manage governance, risk and compliance could benefit them in two ways. A synthesized approach would help ensure their organizations acted ethically. It would also help them achieve their business goals by reducing the inefficiencies, miscommunication and other perils of a siloed approach to governance, risk and compliance.
Any size organization can use GRC. Developing a GRC discipline is especially important for large organizations that have extensive governance, risk and compliance requirements and where programs that meet these requirements often overlap.
The three components of GRC are defined as follows:
These three activities traditionally functioned more or less separately. In a GRC approach, each of the three components continues to interact with and support existing business functions, but the intersection of the three is where the benefits become apparent.
As businesses grow increasingly complex, they need a way to effectively identify and manage key activities in the organization. They also need the ability to integrate traditionally distinct management activities into a cohesive discipline that increases the effectiveness of people, business processes, decision-making, technology, facilities and other important business elements.
GRC achieves this by breaking down the traditional barriers between business units, requiring them to work collaboratively to achieve the company's strategic goals. GRC is one of the components of a well-managed organization in the 2020s.
If properly implemented, GRC policies, practices and software offer the following benefits:
However, if GRC isn't properly implemented or if senior management support for GRC is minimal, potential issues can emerge. Problems include high costs and reduced performance, both stemming from weak risk visibility, as well as fragmentation across the organization's departments and workforce.
GRC software combines applications that manage its core functions into a single integrated package. It enables an organization to pursue a systematic, organized approach to managing a GRC strategy and implementation. Instead of using siloed applications, administrators can use a single framework to monitor and enforce rules and procedures. Successful installations help with risk mitigation, reduce costs incurred by multiple installations and minimize complexity for managers.
Effective GRC software includes risk examination and risk assessment tools that identify links to business processes, internal controls and operations. GRC software identifies the processes and tools that control those risks and integrates the single, multipoint and enterprise-wide software the business currently uses.
GRC software also provides a structured approach for compliance with legal and regulatory requirements, such as those specified in the Sarbanes-Oxley Act, General Data Protection Regulation, or occupational health and safety regulations.
Other features offered in GRC platforms include operational risk management, IT risk management, policy management, audit management, third-party risk management, issue tracking and document management.
GRC software products are available from numerous vendors. Products accommodate virtually any type or size of organization, including those with multiple lines of business.
However, GRC software can be confusing for businesses because the market is replete with many types of products, including the following:
GRC tools are increasingly cloud-based, but on-site systems are available, as are freeware options. GRC vendors are incorporating automation and artificial intelligence technologies, including machine learning and natural language processing, to help organizations keep abreast of new and evolving risks and to make GRC tools more user-friendly.
Some examples of GRC products are the following:
GRC software implementation typically involves complex installations that include vendor negotiation and coordination of data between the vendor's technical team and multiple departments in the organization, including business, IT, security, compliance and auditing.
Major challenges include integrating data and other relevant information from internal departments and external organizations into useful GRC information and ensuring all GRC system users are properly trained to obtain maximum benefit from the software.
Changes in the corporate culture might be needed to accommodate the collaborative nature of the new GRC system. Periodic testing of GRC software is essential to ensure internal departments are using it properly. Like other critical systems, GRC software must be added to technology disaster recovery (DR) plans to ensure it remains operational in a disruptive event.
The following tips can help organizations deploy GRC:
Once in place, GRC dashboards and data analytics tools can help administrators identify an organization's risk exposure, measure progress toward quarterly goals or quickly pull together an information audit. Good governance -- defined as effective, ethical management of a company at the executive level -- is treated as an objectively measurable commodity. Data retention and risk management are converted to similarly measurable metrics. Compliance with standards and regulations can be further assured as GRC software examines existing activities against standards and regulations and identifies areas for improvement.
GRC software, therefore, can satisfy the needs of multiple stakeholders, including the following:
When embarking on a GRC program, it's beneficial to establish a benchmark from which to plan and execute the program. A maturity model is one possible approach, as it defines the stages an organization can progress through to achieve a suitable level of GRC excellence.
The basic GRC maturity model in Figure 2 can be expanded and modified into greater detail as needed and serve as part of the GRC program planning process.
Stage 1 describes an organization with minimal integration of GRC: The three disciplines of GRC coexist but don't collaborate on governance, risk and compliance. As the stages progress, senior management recognizes the importance of GRC integration. Manual processes commence, and the software takes the process to a higher level of cross-organization integration and automation. And, finally, by Stage 5, the organization's culture -- and, by extension, its way of doing business -- has adopted a fully integrated GRC approach.
Managing governance, risk and compliance is one of an organization's most important and complex activities. As your organization establishes a GRC program, keep the following dos and don'ts in mind.
21 Sep 2023