Governance, Risk And Compliance (GRC)

Definition of Governance, Risk, and Compliance (GRC)

Governance, Risk, And Compliance (GRC) is a set of processes and procedures to help organizations achieve business objectives, address uncertainty, and act with integrity. The basic purpose of GRC is to instill good business practices into everyday life. While not a new concept, GRC has grown in stature as risks have become more numerous, more complex, and more damaging. There are three main components of GRC:

  • Governance — Aligning processes and actions with the organization’s business goals
  • Risk — Identifying and addressing all of the organization’s risks
  • Compliance — Ensuring all activities meet legal and regulatory requirements

In the past, organizations often approached Governance, Risk, and Compliance as separate activities. Processes or systems frequently were created in response to a specific event – e.g., new regulations, litigation, a data breach, or audit finding – with little thought as to how that worked within the whole. The result was a tangle of inefficiencies, redundancies, and inaccuracies, including:

  • Lack of visibility into the complete risk landscape
  • Conflicting actions
  • Unnecessary complexity
  • Inability to assess the cascading effects of risk[1]

Governance, risk management, and compliance (GRC) is a management discipline that takes an integrated firm-wide approach to meet internal guidelines set for each activity. Corporate Governance, Enterprise Risk Management (ERM), and Corporate Compliance have been integral to managing companies for a long time. But increasing amounts of regulation, increasing demands for transparency, and the exponential growth of third-party relationships have made a siloed approach to these activities costly, risky, and untenable. As an integrated approach, GRC is a relatively new management discipline. It can mean different things to different businesses, but integrating GRC processes typically aims to improve information gathering and quality, in order to operate more efficiently, and share information more effectively across the organization to avoid duplication of effort.[2]

Governance, Risk Management, and Compliance, also known as GRC, is an umbrella term for the way organizations deal with three areas that help them achieve their objectives. The main purpose of GRC as a business practice is to create a synchronized approach to these areas, avoiding the repetition of tasks and ensuring that the approaches used are effective and efficient.

While many experts and GRC vendors disagree on a standard definition for Governance, Risk, and Compliance, the Open Compliance and Ethics Group (OCEG) has published one of the most comprehensive GRC definitions. In its GRC Capability Model, Red Book, 2.0, the OCEG defines GRC as a "system of people, processes, and technology that enables an organization to:

  • Understand and prioritize stakeholder expectations.
  • Set business objectives that are congruent with values and risks.
  • Achieve objectives while optimizing risk profile and protecting value.
  • Operate within legal, contractual, internal, social, and ethical boundaries.
  • Provide relevant, reliable, and timely information to appropriate stakeholders.
  • Enable the measurement of the performance and effectiveness of the system."[3]

GRC Practices[4]

The three practices that make up GRC—governance, risk management, and compliance—share common and interrelated tasks. Because governance, risk, and compliance have overlapping areas of responsibility and process, they are more effective when they are integrated and dealt with as combined practices. This reduces data islands and silos of activity that ultimately slow down organizational responsiveness and contribute to greater risk by obscuring risk identification and producing inadequate risk impact assessments. Combining them can streamline processes and provide transparency and accountability in an organization. It accomplishes this by:

  • Bringing the right groups of people together (governance) to clarify what needs to happen and evaluate what could get in the way (risk management).
  • Helping the organization determine the resource commitments (governance) needed to ensure its goals are achieved (risk management).
  • Making it clear (governance and compliance) what processes and activities should or should not happen (risk management and compliance).
  • Capturing and documenting processes and their results as evidence (compliance).

When an organization addresses IT GRC activities, several pivotal questions help establish context. Answering these questions will most likely require conversations with groups external to IT, such as internal audit, legal, compliance, and HR:

  • What is our organization’s governance plan—who decides how and what to decide?
  • What is our organization’s risk tolerance—where can we accept more risk, and in which areas should we be more cautious?
  • Are there specific regulatory and compliance issues that apply to our industry?
  • What is our compliance culture—that is, how do we determine that we’re doing what we said we would do?

By answering these questions and working on integrated GRC plans, the alignment of IT and business goals is improved, because the right people are making the right decisions at the right time.

Figure: GRC Practices (source: Microsoft)

Governance, Risk And Compliance (GRC) Functions and Capability Elements[5]

According to best practice principles, GRC can be broken down into eight functions and capability elements:

  • Organize and oversee – The ability to define outcomes, commitment, roles, and responsibilities as well as approach and accountability
  • Assess and align – The ability to identify, analyze and optimize risk mitigation
  • Prevent and promote – The ability to define code of conduct, policies, preventative controls, awareness and education, human capital incentives, stakeholder relations and requirements, and risk financing/insuring
  • Detect and discern – The ability to define hotline and notification, inquiry and survey, and detective controls.
  • Respond and resolve – The ability to perform internal review and investigation, third-party inquiries and investigations, corrective controls, crisis response, and recovery as well as remediation and discipline
  • Monitor and measure – The ability to define context monitoring, performance monitoring, and evaluation, systematic improvement, and assurance
  • Inform and integrate – The ability to define and perform information management and documentation, internal and external communication, technology, and infrastructure
  • Context and culture – The ability to define and incorporate external and internal business context, culture, values, and objectives

Figure: GRC Elements (source: IASA)

The Scope of GRC[6]

By definition, the scope of GRC does not end with governance, risk, and compliance management alone; it also includes assurance and performance management. In practice, the scope of a GRC framework is increasingly being extended to information security management, quality management, ethics and values management, and business continuity management.

In order to get a better understanding of GRC, we first need to understand the different dimensions of a business:

Figure: The Dimensions of a Business (source: CapGemini)

  • Business, IT, and support functions—an enterprise will have business, IT, and support functions such as finance, HR, administration, legal, marketing, procurement, audit, etc.
  • Resources—required to conduct business, including strategies, policies, standards, procedures, organizational structure, roles and responsibilities, people, processes, technology, information, physical, financial, and intellectual assets, and third parties (suppliers, vendors, and contract employees).
  • Business attributes—the key attributes of a business include:
      • Performance, including goals, targets, outcomes, profitability, SLAs, etc.
      • Risk, including financial risk, credit risk, market risk, strategy risk, operational risk, fraud risk, reputational risk, information security risk, technology risk, compliance risk, etc.
      • Compliance, including regulatory compliance (SOX, PCI DSS, GDPR), legal compliance (labor laws), organizational compliance (policies and standards), security (human, physical, and information security), quality, ethics, and values.
  • Governance, management, and operations—governance involves setting direction, optimizing risks and resources, and monitoring performance and compliance to achieve an organization’s objectives. It can be broadly classified into corporate governance, business governance, IT governance, and legal governance. Management involves planning, organizing, leading, coordinating, controlling, and reporting. Operations involve executing the processes and functions.
  • Controls—in order to realize value from the business, resources should be utilized efficiently and effectively, and business attributes should be optimized. This is only possible when appropriate controls are implemented and executed. Controls can be classified as management controls, process controls, technical controls, and physical controls. Controls are applied to the resources as well as to the attributes.
  • Assurance—independent assurance is required to ensure that controls are designed and operating effectively, and that compliance requirements are met consistently. It is the responsibility of governance to monitor and obtain assurance. Assurance is obtained primarily through audits, of which there are several types: internal and external audits, certification audits, financial audits, IT audits, compliance audits, process audits, security audits, etc.

Figure: The Scope of GRC, based on the definition and current trends (source: CapGemini)

Maximizing the Value of GRC[7]

Businesses often manage governance, risk management, and compliance separately. The integrated GRC approach combines all three to streamline governance, risk management, and compliance initiatives. This is more effective and efficient, since it reduces or even eliminates duplication and redundancy of work. It saves time, effort, and money – resources that all businesses do well to use wisely.

A likely outcome of handling the three independently is having multiple systems that essentially address the same issues. After all, some issues cut across two, or all three, categories. With the GRC approach, it is possible to build a single system that addresses all of the issues. This avoids confusion among members of the organization, since they have a single point of reference instead of having to turn this way and that.

Thus, it is important that organizations be able to manage and track their GRC processes and activities in a streamlined and coordinated manner in order to ensure corporate integrity, sustainability, and profitability.

GRC will do wonders for your business. But only if it is done right. It is not enough that you have GRC programs in place. You have to make sure you maximize the value that you will derive from GRC. Let us take a look at how we can get the most out of our GRC programs.

  • Step 1: Design GRC programs to be flexible

Keep in mind that GRC is not a one-time exercise. The program must continually reassess how the company can effectively and efficiently meet its strategic objectives.

  • Step 2: Simplify your GRC processes

If you establish a risk and control governance model as one of your GRC processes, make sure that the model is comprehensive and encompasses the entire organization or enterprise, not just key divisions or operating centers. This keeps the corporate risk strategy employed by the business balanced, and also clearly defines and delineates the responsibilities of key personnel and employees.

Within an organization there are many functions, most of which are markedly different from each other. It is up to the organization to align those functions – even the highly differentiated ones – in order to make its GRC programs succeed.

GRC Implementation[8]

The following five steps must be taken to make sure GRC is successfully installed at the heart of your corporate strategies:

  • Define what you aim to achieve – If this sounds like an obvious step, it’s because it is. However, it’s a step too often overlooked and one that can make all the difference between success and failure. After all, if you don’t know what you want to achieve and whether your new strategy can even help you get there, how can you possibly hope to effect any meaningful change? The key here is to gather key stakeholders and project staff together to understand collectively what GRC can mean to your organization and to come up with priorities based on that understanding.
  • Take stock of your current situation – You have clarified what GRC can mean to your organization, but another key step is to understand what is currently happening in the fields of governance, risk management, and compliance before you change anything. A survey of your regulatory activities will not only give you a better understanding of what you will gain from GRC but will also reveal other weaknesses that can be addressed, even ones that had previously been out of the scope of the project.
  • Pick a trial entry point – It is certainly possible to jump straight into rolling out GRC across all of your business’s operations, and for smaller companies that is often the only real option, but the ideal scenario is to pick a test subject. If you can identify an area that will benefit from GRC and focus your energies on implementing it there first, there will be lessons that can be incorporated into the gradual roll-out.
  • Demonstrate the benefits – With the approach above, there’s also the potential to gain some early wins that can help with the internal communications aimed at winning buy-in from staff. It’s not just a case of heading off the confusion and lack of support that can result from a poorly communicated change like this; it’s about demonstrating to key staff and managers the clear benefits of GRC, covering subjects like the drivers for it, the implications for staff, the controls in place, and the next steps.
  • Define what would represent success – This is one of the most important steps, because defining what would represent success is how you demonstrate that the project has been worthwhile. Out of the benefits listed earlier, pick out the ones that are most relevant and put a number by them, whether it’s a financial target or one based on policies and procedures that can be measured to show that GRC is making things better.

GRC Drivers[9]

Organizations must address today’s challenging business climate. Even small businesses, nonprofits, and government agencies are facing issues that only large companies had to face in the past. Some or all of the following factors have to be dealt with:

  • Stakeholders demand high performance along with high levels of transparency
  • Regulations and enforcement are ever-changing and unpredictable
  • Exponential growth of third-party relationships and risk is a management challenge
  • The costs of addressing risks and requirements are spinning out of control
  • The harsh (and scary) impact when threats and opportunities are not identified

GRC Done Wrong (see figure below)

OCEG's Maturity Survey finds that disjointed GRC activities cause a number of problems. To address these drivers, organizations develop departments and programs such as performance management; risk management; compliance; corporate social responsibility; and so on. Unfortunately, these departments and programs are often siloed, ineffective, and yield troubling drawbacks:

  • High costs
  • Lack of visibility into risks
  • Inability to address third-party risks
  • Difficulty measuring risk-adjusted performance
  • Too many negative surprises

When these activities are siloed, it is highly likely that counter-productive objectives are established, sub-optimal strategies are selected, and performance isn't optimized.

Figure: GRC Done Wrong (source: OCEG)

GRC Done Right (see figure below)

Integrating GRC capabilities does not mean creating a mega-department of GRC and doing away with decentralized management. Nor does it call for the use of only one GRC software system to manage it all. Rather, it is about establishing an approach that ensures the right people get the right information at the right times; that the right objectives are established; and that the right actions and controls are put in place to address uncertainty and act with integrity. When GRC is done right, the benefits accrue. Organizations that integrate GRC processes and technology across all or many silos have:

  • Reduced costs
  • Reduced duplication of activities
  • Reduced impact on operations
  • Achieved greater information quality
  • Achieved greater ability to gather information quickly and efficiently
  • Achieved greater ability to repeat processes in a consistent manner

Figure: GRC Done Right (source: OCEG)

GRC Challenges[10]

There are many risks in the workplace as they relate to ensuring governance, risk management, and compliance. New regulations can be overwhelming if a company doesn’t have a person or team to ensure updates are in place. Additionally, a lack of cohesion between departments can cause communication problems, as each department has its own rules and guidelines. Departments that run different software packages may not integrate fully, and this can increase risk. Lastly, a lack of visibility into operational risks can lead to inaccurate reports.

To identify and expose management threats, an effective GRC software program can help update your current system, if one is in place, or introduce a new one, ensuring that your business manages its activities, controls risk in the workplace, and works effectively to ensure that all staff comply with and adhere to governmental regulations in the workplace.

Benefits of Taking an Integrated GRC Approach[11]

Many organizations find themselves managing their governance, risk, and compliance initiatives in silos, with each initiative managed separately even where reporting needs overlap. Even though each of these initiatives individually follows the governance, risk, and compliance process outlined above, when software solutions were deployed to enable these processes, the selections were made in a very tactical manner, without thought for a broader set of requirements. As a result, organizations have ended up with dozens of such systems to manage individual governance, risk, and compliance initiatives, each operating in its own silo.

The majority of Fortune 1000 organizations find themselves in this situation today. However, they are quickly finding that as the multiple risk and compliance initiatives become more intertwined from regulatory and organizational perspectives, multiple systems cause confusion due to duplicative and contradictory processes and documentation. In addition, the redundancy of work, as well as the sheer expense of maintaining multiple point software solutions, causes the cost of compliance to spiral out of control.

By taking an integrated GRC process approach and deploying a single system to manage the multiple governance, risk, and compliance initiatives across the organization, the issues listed above can be readily addressed. Such an approach can:

  • Have a dramatic positive impact on organizational effectiveness by providing a clear, unambiguous process and a single point of reference for the organization
  • Eliminate all redundant work in various initiatives
  • Eliminate duplicative software, hardware, training and rollout costs as multiple governance, risk, and compliance initiatives can be managed with one software solution
  • Provide a “single version of the truth” available to employees, management, auditors, and regulatory bodies

According to a recent note from Gartner, “For Sarbanes-Oxley, we put the burden on a global Bank at about 0.2 percent to 0.4 percent on EBITDA. So if the Securities and Exchange Commission (SEC) is one of 370 regulators for a global bank - to approach each regulatory program individually would eat up all the profits. Lots of companies have separate compliance programs for every regulatory regime. As regulatory regimes proliferate, a comprehensive compliance program keeps regulations from depressing earnings”. An integrated GRC approach enables an organization to integrate and streamline these individual compliance initiatives, so it can significantly reduce the cost of compliance.

It is critical that a GRC solution be able to address a wide range of compliance and risk management initiatives, so that an organization can leverage GRC to deploy a consistent framework for compliance and risk management across the organization. Many vendors window-dress their point solution by relabeling it as a GRC solution or by adding support for a few additional regulations to claim a multi-regulatory label.

GRC Product Vendors[12]

The distinctions between the sub-segments of the broad GRC market are often not clear. With a large number of vendors having entered this market recently, determining the best product for a given business problem can be challenging. Given that analysts don’t fully agree on the market segmentation, vendor positioning can add to the confusion.

Due to the dynamic nature of this market, any vendor analysis is often out of date relatively soon after its publication.

Broadly, the vendor market can be considered to consist of three segments:

  • Integrated GRC solutions (multi-governance interest, enterprise-wide): Integrated GRC solutions attempt to unify the management of these areas rather than treat them as separate entities. An integrated solution is able to administer one central library of compliance controls, and to manage, monitor, and present them against every governance factor. For example, in a domain-specific approach, three or more findings could be generated against a single broken activity; the integrated solution recognizes this as one break relating to the mapped governance factors.
  • Domain-specific GRC solutions (single governance interest, enterprise-wide): Domain-specific GRC vendors understand the cyclical connection between governance, risk, and compliance within a particular area of governance. For example, within financial processing, a risk will relate either to the absence of a control (a need to update governance) and/or to a lack of adherence to (or poor quality of) an existing control. The initial goal of splitting GRC into a separate market has left some vendors puzzled by the lack of movement. It is thought that a lack of deep domain education on the audit side, coupled with a general mistrust of audit, causes a rift in the corporate environment. However, there are vendors in the marketplace that, while remaining domain-specific, have begun marketing their product to end users and departments that are tangential or overlapping, expanding the target audience to include corporate internal audit (CIA), external audit teams (tier one big four as well as tier two and below), information security, and operations/production. This provides a more 'open book' approach to the process. Having the production team audited by the CIA using an application that production also has access to is thought to reduce risk more quickly, as the end goal is not to be 'compliant' but to be 'secure,' or as secure as possible.
  • Point solutions to GRC (relate to enterprise-wide governance, enterprise-wide risk, or enterprise-wide compliance, but not in combination): Point solutions to GRC are marked by their focus on addressing only one of its areas. In some cases of limited requirements, these solutions can serve a viable purpose. However, because they tend to have been designed to solve domain-specific problems in great depth, they generally do not take a unified approach and are not tolerant of integrated governance requirements. Information systems will address these matters better if the requirements for GRC management are incorporated at the design stage, as part of a coherent framework.

GRC Certifications[13]

Professionals with a GRC certification must juggle stakeholder expectations with business objectives and ensure that organizational objectives are met while also meeting compliance requirements. That's an incredible amount of responsibility, and it's absolutely necessary for today's business climate.

All kinds of job roles require or benefit from a GRC certification, including CIO, IT security analyst, security engineer or architect, information assurance program manager, and senior IT auditor, among others.

Here are our picks for GRC certifications:

  • Certified in Risk and Information Systems Control (CRISC)
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Project Management Institute - Risk Management Professional (PMI-RMP)
  • ITIL Expert
  • Certification in Risk Management Assurance (CRMA)
  • GRC Professional (GRCP)
