What is GRC?
Governance, Risk, & Compliance (GRC) is more than a catchy acronym used by technology providers and consultants to market their solutions – it is an approach to business. An approach that permeates the organization: its oversight, its processes, its culture, its boundaries.
Ultimately, GRC is about the integrity of the organization:
- Is the organization properly managed and governed?
- Does the organization take and manage risk within boundaries of risk appetite and tolerance?
- Does the organization meet its legal/regulatory compliance obligations? Its social responsibility and sustainability commitments?
- Does the organization make its code of ethics, policies, and procedures clear to its employees and business partners?
- Are the values of the organization clear and understood across the business and its relationships?
- Do risk and compliance contribute to corporate performance, strategy, & objectives?
The challenge of GRC is that each individual term – governance, risk, and compliance – has varied meanings across the organization. There is corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, Sarbanes-Oxley (SOX) compliance, employment/labor compliance, privacy compliance, ethics, social responsibility . . . the list of mandates and initiatives goes on and on.
It is easier to define what GRC is NOT:
- GRC is not about silos of risk and compliance operating independently of each other;
- GRC is not solely about technology – though technology plays a critical role;
- GRC is not just a label of services that consultants provide;
- GRC is not just about financial controls;
- GRC is not another label for enterprise risk management (ERM), although GRC encompasses ERM; and, furthermore,
- GRC is not about a single individual owning all aspects of governance, risk, and compliance.
GRC IS an approach to business. It is about individual GRC roles across the organization working in harmony to provide a complete view of governance, risk, and compliance. It is about collaboration and sharing of information, assessments, metrics, risks, investigations, policies, training, and losses across these business roles and processes. GRC’s purpose is to show a 360° view of risk and compliance and to identify interrelationships in today’s complex and distributed business environment. GRC is a federation of business roles and processes – the corporate secretary, legal, risk, audit, compliance, IT, ethics, finance, line of business, and others – working together in a common framework, collaboration, and architecture to achieve agility, effectiveness, and efficiency across the organization.
GRC is a three-legged stool: governance, risk, and compliance are all necessary to effectively manage and steer the organization.
In summary – good governance can only be achieved through diligent risk and compliance management. In today’s business environment, ignoring a federated view of GRC results in business processes, partners, employees, and systems that behave like leaves blowing in the wind. GRC aligns these to be more efficient and manageable. Inefficiencies, errors, and potential risks can be identified, averted, or contained, reducing the organization’s exposure and ultimately creating better business performance.
