Governance, Risk And Compliance (GRC)
Revision as of 15:14, 5 June 2019

Governance, risk management and compliance (GRC) is a management discipline that takes an integrated firm-wide approach to meeting internal guidelines set for each activity. Corporate Governance, Enterprise Risk Management (ERM), and Corporate Compliance have been integral to managing companies for a long time. But increasing amounts of regulation, increasing demands for transparency and the exponential growth of third-party relationships have made a siloed approach to these activities costly, risky and untenable. As an integrated approach, GRC is a relatively new management discipline. It can mean different things to different businesses, but integrating GRC processes typically aims to improve information gathering and quality, in order to operate more efficiently, and share information more effectively across the organization to avoid duplication of effort.[1]

While many experts and GRC vendors disagree on a standard definition for Governance, Risk and Compliance, the Open Compliance and Ethics Group (OCEG) has published one of the most comprehensive GRC definitions. In its GRC Capability Model, Red Book, 2.0, the OCEG defines GRC as a "system of people, processes, and technology that enables an organization to:

  • Understand and prioritize stakeholder expectations.
  • Set business objectives that are congruent with values and risks.
  • Achieve objectives while optimizing risk profile and protecting value.
  • Operate within legal, contractual, internal, social, and ethical boundaries.
  • Provide relevant, reliable, and timely information to appropriate stakeholders.
  • Enable the measurement of the performance and effectiveness of the system."[2]


Governance, Risk And Compliance (GRC) Functions and Capability Elements[3]

According to best practice principles, GRC can be broken down into eight functions and capability elements:

  • Organize and oversee – The ability to define outcomes, commitment, roles and responsibilities as well as approach and accountability
  • Assess and align – The ability to identify, analyze and optimize risk mitigation
  • Prevent and promote – The ability to define code of conduct, policies, preventative controls, awareness and education, human capital incentives, stakeholder relations and requirements and risk financing/insuring
  • Detect and discern – The ability to define hotline and notification, inquiry and survey and detective controls
  • Respond and resolve – The ability to perform internal review and investigation, third-party inquiries and investigations, corrective controls, crisis response and recovery as well as remediation and discipline
  • Monitor and measure – The ability to define context monitoring, performance monitoring and evaluation, systematic improvement and assurance
  • Inform and integrate – The ability to define and perform information management and documentation, internal and external communication, technology and infrastructure
  • Context and culture – The ability to define and incorporate external and internal business context, culture, values and objectives

[Figure: GRC Elements (source: IASA)]


Maximizing the Value of GRC[4]

Businesses often manage governance, risk management and compliance separately. The integrated GRC approach combines all three to streamline governance, risk management and compliance initiatives. This is more effective and efficient, since it reduces or even eliminates duplicated and redundant work. It saves time, effort and money, resources that all businesses will do well to use wisely.

A possible scenario that arises from handling the three independently is having multiple systems that essentially address the same issues. After all, some issues cut across two, or all three, categories. With the GRC approach, it is possible to come up with a single system that addresses all of them. This avoids confusion among members of the organization, since they have a single point of reference instead of several.

Thus, it is important that organizations be able to manage and track their GRC processes and activities in a streamlined and coordinated manner in order to ensure corporate integrity, sustainability and profitability.

GRC will do wonders for your business. But only if it is done right. It is not enough that you have GRC programs in place. You have to make sure you maximize the value that you will derive from GRC. Let us take a look at how we can get the most out of our GRC programs.

  • Step 1: Design GRC programs to be flexible

Keep in mind that GRC is not a one-time thing. The program must continually reassess how the company can effectively and efficiently meet its strategic objectives.

  • Step 2: Simplify your GRC processes

If you are to establish a risk and control governance model as one of your GRC processes, make sure that the model is comprehensive and encompasses the entire organization or enterprise, not just key divisions or operating centers. This will ensure the balance of the corporate risk strategy that will be employed by the business, and will also clearly define and delineate the responsibilities of key personnel and employees.

Within an organization, there are a lot of functions, most of which are markedly different from each other. It is now up to the organization to align those functions – even the highly differentiated ones – in order to make their GRC programs succeed.


Benefits of Taking an Integrated GRC Approach[5]

Many organizations find themselves managing their governance, risk and compliance initiatives in silos, each initiative managed separately even if reporting needs overlap. Even though each of these initiatives individually follows the governance, risk and compliance process outlined above, when organizations deployed software solutions to enable these processes, the selections were made in a very tactical manner, without a thought for a broader set of requirements. As a result, organizations have ended up with dozens of such systems to manage individual governance, risk and compliance initiatives, each operating in its own silo.

The majority of Fortune 1000 organizations find themselves in this situation today. However, they are quickly finding that as the multiple risk and compliance initiatives become more intertwined from regulatory and organizational perspectives, multiple systems cause confusion due to duplicative and contradictory processes and documentation. In addition, the redundancy of work, as well as the sheer expense of maintaining multiple point software solutions, causes the cost of compliance to spiral out of control.

By taking an integrated GRC process approach and deploying a single system to manage the multiple governance, risk and compliance initiatives across the organization, the issues listed above can be easily addressed. Such an approach can:

  • Have a dramatic positive impact on organizational effectiveness by providing a clear, unambiguous process and a single point of reference for the organization
  • Eliminate all redundant work in the various initiatives
  • Eliminate duplicative software, hardware, training and rollout costs, as multiple governance, risk and compliance initiatives can be managed with one software solution
  • Provide a "single version of the truth" available to employees, management, auditors and regulatory bodies

According to a recent note from Gartner, “For Sarbanes-Oxley, we put the burden on a global Bank at about 0.2 percent to 0.4 percent on EBITDA. So if the Securities and Exchange Commission is one of 370 regulators for a global bank - to approach each regulatory program individually would eat up all the profits. Lots of companies have separate compliance programs for every regulatory regime. As regulatory regimes proliferate, a comprehensive compliance program keeps regulations from depressing earnings”. An integrated GRC approach enables an organization to integrate and streamline these individual compliance initiatives, so it can significantly reduce the cost of compliance.

It is critical that a GRC solution be able to address a wide range of compliance and risk management initiatives, so that an organization can use GRC to deploy a consistent framework for compliance and risk management across the organization. Many vendors window-dress a point solution by re-labeling it as a GRC solution, or by adding support for a few additional regulations to claim a multi-regulatory label.


GRC Certifications[6]

Professionals with a GRC certification must juggle stakeholder expectations with business objectives and ensure that organizational objectives are met while also meeting compliance requirements. That's an incredible amount of responsibility, and it's absolutely necessary in today's business climate.

All kinds of job roles require or benefit from a GRC certification, including CIO, IT security analyst, security engineer or architect, information assurance program manager and senior IT auditor, among others.

Here are CIO.com's picks for GRC certifications:

  • Certified in Risk and Information Systems Control (CRISC)
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Project Management Institute - Risk Management Professional (PMI-RMP)
  • ITIL Expert
  • Certification in Risk Management Assurance (CRMA)
  • GRC Professional (GRCP)

References

  1. Definition - What does Governance, Risk And Compliance (GRC) Mean? Investopedia
  2. Defining Governance, Risk And Compliance (GRC). Webopedia
  3. The Eight Functions and Capability Elements of Governance, Risk And Compliance (GRC). IASA Global, https://iasaglobal.org/itabok/capability-descriptions/governance-risk-and-compliance/
  4. How to Maximize the Value of GRC. Cleverism
  5. Benefits of Taking an Integrated GRC Approach. MetricStream
  6. What are the top GRC certifications? CIO.com, https://www.cio.com/article/3206607/what-is-grc-and-why-do-you-need-it.html