

Plan and implement a GRC framework with this checklist

Whether planning or updating your governance, risk and compliance program, use this guide to help simplify the initiative and successfully implement a GRC framework.

In recent years, governance, risk and compliance have emerged as critical initiatives within organizations of all kinds. A program encompassing the three helps identify and manage situations that can impact a company's ability to achieve its objectives.

For each of these disciplines, a few fundamental conditions must exist. First, senior management must be supportive of a GRC program. Second, funding, staffing and technology resources must be available to support the program. Lastly, goals and objectives of the organization must be fully defined and quantified.

Here, get tips on how best to organize a GRC program if one does not already exist, as well as for enhancing existing programs.

Understanding the components of a GRC framework

Once the above criteria have been met, the most advantageous approach is to have a framework that facilitates the analysis and management of GRC activities. The figure below depicts a basic GRC framework, based on the management of the three components and their interaction with the business, as well as internal and external factors.

[Figure: Diagram of a governance, risk and compliance (GRC) framework. The three components of a governance, risk and compliance framework must work in coordination and alignment.]

A GRC framework includes three components, each of which interacts with various elements of the organization and must also coordinate with the other components. Further, each GRC element must interact and respond to internal and external factors, such as laws, regulations, audit reports, risks and threats.

GRC programs regularly examine how an organization is operating in the context of various metrics. GRC teams interview employees to understand how they operate in order to analyze how various GRC factors apply to their activities. Many departments could find themselves interacting with a GRC team on each of the three components. For example, a manufacturing operation will need to follow established operating procedures and practices (governance), identify situations that could disrupt their activities (risk) and ensure regulations associated with their activities are being followed (compliance).

Alignment with GRC activities is essential to ensure an organization is performing its work to the highest standards possible.

Steps to plan or update a GRC initiative

Investing in a GRC program makes great sense in today's complex business environment. With a GRC program, organizations can keep ahead of potential threats, comply with critical regulations and statutes, and continually optimize how the company is managed.

Organizations should keep in mind the following checklist of tips to optimize a GRC program:

  • Ensure senior management supports the work. This is perhaps the most important success factor.
  • Set up a detailed GRC program structure, ensuring all three components are addressed using an easy-to-understand framework.
  • Carefully examine the current GRC environment -- for example, risks and regulatory requirements -- to identify what makes the most sense for an organized GRC activity.
  • Set up a budget, and secure funding for the program.
  • Identify candidates to join the team, and consider those with professional credentials and certifications.
  • Understand the firm's business goals and objectives from multiple perspectives, including financial, investment, competitive position, reputation, new product development and employee development.
  • Identify and map various GRC factors -- both internal and external -- that directly apply to the organization.
  • Prepare and schedule periodic senior management briefings on program findings and recommendations.
  • Schedule frequent team meetings to ensure all team members are in sync with the overall program and its goals.
  • Organize and conduct training and education briefings for employees and management on GRC activities. If a shared resource, such as SharePoint, is used, it can serve as a platform for sharing GRC activities with employees and management.
  • Periodically conduct reviews and audits of the GRC program to ensure it is functioning as designed and fulfilling its purpose.
  • Seek ways to continually improve the GRC function by using automated GRC software applications and other tools that can streamline functions.
