Difference between revisions of "Governance, Risk And Compliance (GRC)"

Revision as of 14:43, 5 June 2019

Governance, risk management and compliance (GRC) is a management discipline that takes an integrated firm-wide approach to meeting internal guidelines set for each activity. Corporate Governance, Enterprise Risk Management (ERM), and Corporate Compliance have been integral to managing companies for a long time. But increasing amounts of regulation, increasing demands for transparency and the exponential growth of third-party relationships have made a siloed approach to these activities costly, risky and untenable. As an integrated approach, GRC is a relatively new management discipline. It can mean different things to different businesses, but integrating GRC processes typically aims to improve information gathering and quality, in order to operate more efficiently, and share information more effectively across the organization to avoid duplication of effort.[1]

While many experts and GRC vendors disagree on a standard definition for Governance, Risk and Compliance, the Open Compliance and Ethics Group (OCEG) has published one of the most comprehensive GRC definitions. In its GRC Capability Model, Red Book, 2.0, the OCEG defines GRC as a "system of people, processes, and technology that enables an organization to:

  • Understand and prioritize stakeholder expectations.
  • Set business objectives that are congruent with values and risks.
  • Achieve objectives while optimizing risk profile and protecting value.
  • Operate within legal, contractual, internal, social, and ethical boundaries.
  • Provide relevant, reliable, and timely information to appropriate stakeholders.
  • Enable the measurement of the performance and effectiveness of the system."[2]


Benefits of Taking an Integrated GRC Approach[3]

Many organizations find themselves managing their governance, risk and compliance initiatives in silos, with each initiative managed separately even where reporting needs overlap. Even though each of these initiatives individually follows the governance, risk and compliance process outlined above, the software solutions deployed to enable them were selected tactically, without regard for a broader set of requirements. As a result, organizations have ended up with dozens of such systems, each managing an individual governance, risk and compliance initiative in its own silo.

The majority of Fortune 1000 organizations find themselves in this situation today. However, they are quickly finding that as multiple risk and compliance initiatives become more intertwined from regulatory and organizational perspectives, multiple systems cause confusion through duplicative and contradictory processes and documentation. In addition, the redundancy of work, together with the sheer expense of maintaining multiple point software solutions, causes the cost of compliance to spiral out of control.

By taking an integrated GRC process approach and deploying a single system to manage the multiple governance, risk and compliance initiatives across the organization, the issues listed above can be readily addressed. Such an approach can:

  • Have a dramatic positive impact on organizational effectiveness by providing a clear, unambiguous process and a single point of reference for the organization
  • Eliminate redundant work across the various initiatives
  • Eliminate duplicative software, hardware, training and rollout costs, since multiple governance, risk and compliance initiatives can be managed with one software solution
  • Provide a “single version of the truth” available to employees, management, auditors and regulatory bodies

According to a recent note from Gartner, “For Sarbanes-Oxley, we put the burden on a global Bank at about 0.2 percent to 0.4 percent on EBITDA. So if the Securities and Exchange Commission is one of 370 regulators for a global bank - to approach each regulatory program individually would eat up all the profits. Lots of companies have separate compliance programs for every regulatory regime. As regulatory regimes proliferate, a comprehensive compliance program keeps regulations from depressing earnings”. An integrated GRC approach enables an organization to integrate and streamline these individual compliance initiatives, so it can significantly reduce the cost of compliance.

It is critical that a GRC solution be able to address a wide range of compliance and risk management initiatives, so that an organization can use it to deploy a consistent framework for compliance and risk management across the organization. Many vendors window-dress a point solution by relabeling it as a GRC solution, or by adding support for a few additional regulations in order to claim a multi-regulatory label.

  1. Definition - What does Governance, Risk And Compliance (GRC) Mean? Investopedia
  2. Defining Governance, Risk And Compliance (GRC) Webopedia
  3. Benefits of Taking an Integrated GRC Approach Metric Stream