Governance, risk and compliance, often referred to as GRC, is a blanket term used to describe the strategies and technologies used to manage an organization’s compliance with regulatory mandates and corporate governance standards.
SEE: Risk Management Policy (TechRepublic Premium)
The concept of GRC can be traced back to 2003, but the topic was first extensively discussed in a peer-reviewed paper by Scott L. Mitchell, published in the International Journal of Disclosure and Governance in 2007. In this guide, we discuss what GRC is and what it can mean for your business.
Jump to:
- What is GRC?
- What drives governance risk and compliance?
- Why is GRC important?
- What are some GRC tools?
- How to implement GRC in your organization
What is GRC?
GRC is made up of three core pillars: Governance, risk and compliance. Here’s what GRC means when broken down into parts:
- Governance: The framework of rules, processes and practices by which an organization is directed and managed.
- Risk: The potential for loss or damage to an organization’s reputation, finances, employees, customers or other stakeholders.
- Compliance: The state of conforming to laws, regulations and standards.
What drives governance, risk and compliance?
There is no question that regulation is the current biggest driver of GRC. Industries such as healthcare, financial services and technology companies have borne the brunt of regulatory measures. Amazon’s massive GDPR fine of $877 million has been fresh on our minds since it was announced in its 2021 Q2 earnings report filed with the SEC.
But another important driver of GRC is corporate governance. Investors are increasingly taking an interest in how companies are managed and what kind of risks they are exposed to. Moreover, employees, customers and other stakeholders expect organizations to be transparent about their operations and to have robust mechanisms in place to prevent misconduct.
Operational risks associated with the day-to-day operations of an organization also drive GRC. These include risks related to information security, supply chain management and employee safety.
Why is GRC important?
GRC is important because it helps organizations protect their reputations, finances, customers and employees while ensuring compliance with relevant laws and regulations. Moreover, GRC can also help organizations improve their operational efficiency and reduce costs.
By implementing a GRC program, organizations can avoid costly fines, penalties and litigation expenses associated with non-compliance. In addition, a well-run GRC program can help organizations spot potential problems before they occur, which can save them time and money in the long run.
What are some GRC tools?
In recent years, the corporate emphasis on governance, risk and compliance has given rise to a new breed of GRC software that is helping organizations of all sizes automate and streamline their GRC processes. Here are just a few examples:
Compliance management systems
These systems help organizations keep track of their compliance obligations by providing them with real-time visibility into their compliance posture. In addition, they typically include workflow capabilities that make it easy for organizations to manage their compliance processes from start to finish.
Risk management systems
These help organizations identify, assess and manage operational risks. They typically include features such as risk dashboards and heat maps that give organizations a quick way to see where their biggest risks are located.
Policy management systems
These systems help organizations develop, implement and enforce corporate policies and procedures. They typically include features such as policy templates and workflows that make it easy for organizations to create and distribute policies throughout their company.
SEE: Risk Management Policy (TechRepublic Premium)
There are also unified platforms that offer a complete suite of GRC capabilities in one place. These platforms are often used by enterprises that need to manage complex GRC programs.
How to implement GRC in your organization
When it comes to implementing a GRC program, there is no one-size-fits-all solution. The best approach will vary depending on the size, complexity and needs of your organization.
A strong approach to GRC implementation is offered through the GRC Capability Model (Red Book) developed by OCEG. The model has four components:
Learn how GRC relates to your specific business needs
The first step is to develop a clear understanding of the laws, regulations, standards, culture, stakeholders and the entire context that applies to your organization. You should also assess your organization’s risk tolerance and establish what kind of risks you are willing to take. This will inform your objectives, strategies and actions.
Align your strategy with greater business objectives
The next step is to align your GRC strategy with your organizational objectives and actions. This will help your GRC program to align with the overall goals of your organization
Put policies and performance management into action
The third step is to take actions that reinforce the desirable and neutralize the undesirable. You should also take actions that help you detect any deviation from GRC policies and procedures as soon as possible.
Review and evaluate GRC on an ongoing basis
The fourth and final stage of this GRC model is to evaluate the strategy’s design, operational effectiveness and continuing relevance of goals in order to improve your organization.
Figure A
The GRC Capability Model provides an excellent framework for thinking about and implementing GRC in your organization. When implemented correctly, a GRC program can help organizations take a proactive stance on governance, risk and compliance, which is crucial to an organization’s success in today’s complex business environment.