Governance, risk management, and compliance are not always managed together, sometimes managed separately by different teams of people. That often results in redundant controls, multiple variations on a process, and, in some cases, inadequate protection against threats. However, efficiency is a must when resources are scarce and risks are great.
What is GRC?
GRC is the acronym that stands for Governance, Risk, and Compliance; refers to the coordination of people, processes, and technologies involved in each of these areas in a company. The goal of GRC is to improve insight into a company's risk posture. Governance, risk management, and compliance are not new disciplines, but the need for an enterprise-wide approach includes the rising costs of compliance, legal and shareholder demands for increased senior management accountability, and the rapid proliferation of new risks.
“Compliance works best when you use risk management techniques to reduce not only liability but also loss. Information governance compliance management works best when governance requires you to identify risks to take and risks to avoid. And governance relies on risk management and compliance activities to provide timely information about the organization's status and loss exposure,”.
GRC goes beyond silos to embed risk management in the fabric of the organization, but it remains a challenge because many companies lack a common language for risk.
Who or what is affected by GRC?
Everyone in the organization. Each individual has risk implications. That said, the responsibility for governance rests with senior executive management. By creating regular standards, governance generates company transparency (and commercial value). In addition to the CEO and board of directors, policymakers may include the CFO, chief risk officers, CIOs, and audit. Responsibility for governance of IT, a technical discipline, rests with the CIO.
Responsibility for risk management is shared by business unit executives, the CIO, and the CFO. Policies and tools to manage physical and personal security risks, as well as financial risks, have been developed over the centuries. IT adds another dimension to risks as well as remediation.
Enterprise risk management (ERM) aligns performance and risk with business goals and objectives. ERM can be applied across the enterprise or to meet the goals of a single department, such as IT. Although ERM has many of the same goals as GRC, it is not a substitute for GRC.
Many executives share responsibility for compliance, usually at the vice president level. Human resources, audit, corporate advisory, and the CIO are all involved in understanding compliance requirements. The goal in GRC is to first coordinate those compliance efforts and processes, and second to move to a more risk-based approach to compliance.
Most compliance people see it as a requirement, not a risk, but compliance should not be exempt from the economic constraints that force all other parts of the business to weigh the risks against the rewards of their investments. The proverb says: 'don't spend a million dollars to solve a $500 problem'. Organizations need to take a risk-based approach to compliance, and GRC will help them do so.
It should be noted that each organization must determine the scope of GRC for its type of business. A set of controls is necessary, but rigid frameworks complicate administration. Companies need to figure out what their tolerance level is for how much structure they're going to have. GRC, then, allows building systems to be put in place to identify and mitigate risk while ensuring compliance, which impacts how things get done, i.e. governance."
Figuring out who owns what part of the governance, risk, and compliance process can be a struggle, and getting all the groups to work together is a challenge to solve.
What is the role of IT in the implementation of GRC?
The IT area plays two roles in GRC. IT must deal with its internal risks: data breaches, privacy, internal data governance, etc. Additionally, information security governance risk and compliance play a role in enterprise-level GRC, implementing the tools that will help with the flow of information. IT, for example, will help design the applications and platforms to conduct risk assessments and train employees, and pull information from systems across the enterprise that measure risk.
However, the task of creating the rules and responsibilities of the GRC program (who will participate, how often to conduct evaluations, etc.) should be decisions made by the board and the leadership level, not by IT. If the GRC strategy doesn't come from the board, the CEO, the CFO, and the chief risk officer, it's going to be a very limit
ed program.
What are the most important frames?
Some experts point to two important frameworks for GRC: COSO and the Control Objectives for Information and Related Technology, or COBIT.
Five major accounting associations formed the Committee of Sponsoring Organizations in 1985 to address the factors that lead to fraudulent financial reporting and develop guidance on internal controls. COBIT is an international open standard that defines the requirements for the control and security of sensitive data and provides a reference framework. It is still widely accepted and used by audits for reviews.
In the end, it is worth remembering that a framework is a structured approach to common sense. If you already have systems in place to identify, mitigate, monitor, and manage risk, then you have a framework. GRC is more about combining audit, compliance, and risk best practices. Other standards that can help organizations include COSO, ERM, and ISO 31000, in addition to the international governance, risk, and compliance standards developed by the Open Compliance & Ethics Group (OCEG).
Read More - Best Practices for Implementing an Effective Information Governance Strategy
