governance, risk management and compliance (GRC)

What is governance, risk and compliance (GRC)?

Governance, risk and compliance (GRC) refers to an organization's strategy for handling the interdependencies between the following three components:

• corporate governance policies
• enterprise risk management programs
• regulatory and company compliance

GRC emerged as a discipline in the early 21st century when companies recognized that coordinating the people, processes and technologies they used to manage governance, risk and compliance could benefit them in two ways. A synthesized approach would help ensure their organizations acted ethically. It would also help them achieve their goals by reducing the inefficiencies, miscommunications and other perils of a siloed approach to governance, risk and compliance.

Any size organization can use GRC. Developing a GRC discipline is especially important for large organizations that have extensive governance, risk management and compliance requirements and where programs to meet these requirements often overlap.

Core GRC principles

The three components of GRC are defined as follows:

1. Governance refers to the ethical management of an organization by its leaders in accordance with approved business plans and strategies.
2. Risk management refers to an organization's process for identifying, categorizing, assessing and enacting strategies to minimize risks that would hinder its operations and to control risks that enhance operations.
3. Compliance refers to the level of adherence an organization has to the standards, regulations and best practices mandated by the business and by relevant governing bodies and laws.

These three activities traditionally functioned more or less separately. In a GRC approach, each of the three component programs continues to interact with and support existing business functions, but the intersection of the three is where the benefits become apparent.

Why is GRC important today?

As businesses grow increasingly complex, they need a way to effectively identify and manage key activities in the organization. Also needed is the ability to integrate traditional distinct management activities into a cohesive discipline that increases the effectiveness of people, business processes, technology, facilities and other important business elements.

GRC achieves this by breaking down the traditional barriers between business units and requiring them to work in a collaborative fashion to achieve the company's strategic goals. GRC is one of the components of a well-managed organization in the 2020s.

GRC strengths and limitations

If properly implemented, GRC policies, practices and software offer the following benefits:

• reduced costs;
• improved leadership effectiveness across all aspects of governance;
• increased visibility into risks, threats and vulnerabilities;
• ongoing compliance with required standards and regulations;
• protection against unfavorable internal audits, financial penalties and litigation; and
• reduction in risk across the entire organization, including business risks, financial risks, operational risks and security risks.

If improperly implemented or if senior management support for GRC is minimal, potential issues may emerge. Problems include high costs related to reduced risk visibility, reduced performance due to weak risk visibility, and fragmentation across the organization's departments and workforce.

GRC software and tools

GRC software combines applications that manage the core functions of GRC into a single integrated package. It enables an organization to pursue a systematic, organized approach to managing GRC-related strategy and implementation. Instead of using siloed applications, administrators can use a single framework to monitor and enforce rules and procedures. Successful installations enable organizations to manage risk, reduce costs incurred by multiple installations and minimize complexity for managers.

Effective GRC software includes risk examination and risk assessment tools that identify linkages to business processes, internal controls and operations. GRC software will identify the processes and tools that control those risks and integrate the single, multipoint and enterprise-wide software the business currently uses.

GRC software also provides a structured approach for compliance with legal and regulatory requirements, such as those specified in the Sarbanes-Oxley Act, General Data Protection Regulation, or occupational health and safety regulations.

Other features offered in GRC platforms include operational risk management; information technology (IT) risk management; policy; audit management; third-party risk management; issue tracking and document management.

GRC software considerations

GRC software products are available from a number of vendors. Products accommodate virtually any type or size of organization, including organizations with many lines of business.

GRC software can be confusing for businesses, however, because the market is replete with many types of products, including the following:

• integrated GRC products, which aim to provide an enterprise-wide approach to GRC, as noted above;
• GRC products that target only certain areas, such as finance, IT or risk; and
• "point solution" products that may target one component of GRC but not all three.

GRC tools are increasingly cloud-based, but on-site systems are available, as are freeware options. GRC vendors are incorporating automation and artificial intelligence technologies, including machine learning and natural language processing, to help organizations keep abreast of new and evolving risks and to make GRC tools more user-friendly.

Examples of GRC products include IBM OpenPages with Watson; Galvanize's HighBond platform; ServiceNow Governance, Risk, and Compliance; Navex Global's Lockpath platform; and LogicManager.

Implementing GRC

GRC software implementation typically involves complex installations that include vendor negotiation and coordination of data between the vendor's technical team and multiple departments in the organization, including business, IT, security, compliance and auditing.

Major challenges include integrating data and other relevant information from internal departments and external organizations into useful GRC information and ensuring all GRC system users are properly trained to obtain maximum benefit from the software.

Changes in the corporate culture may be needed to accommodate the collaborative nature of the new GRC system. Periodic testing of GRC software is essential to ensure it is being properly used by internal departments. Like other critical systems, GRC software must be added to technology disaster recovery (DR) plans to ensure it remains operational in a disruptive event.

Benefits of GRC software

Once in place, GRC dashboards and data analytics tools can help administrators identify an organization's risk exposure, measure progress toward quarterly goals or quickly pull together an information audit. Good governance -- defined as effective, ethical management of a company at the executive level -- is treated as an objectively measurable commodity. Data retention and risk management are converted to similarly measurable metrics. Compliance with standards and regulations can be further assured as GRC software examines existing activities against standards and regulations and identifies areas for improvement.

GRC software, therefore, can satisfy the needs of multiple stakeholders, including the following:

• business executives who need to identify and manage risk;
• finance managers assigned to meet regulatory compliance requirements;
• legal counsel grappling with discovery and records retention; and
• IT directors managing software installations related to GRC projects across an organization.

GRC maturity model

When embarking on a GRC program, it is typically beneficial to establish a benchmark from which to plan and execute the program. A maturity model is one possible approach, as it defines the stages through which an organization can progress to achieve a suitable level of GRC excellence.

The following figure presents a basic GRC maturity model. It can be expanded and modified into greater detail as needed and serve as part of the GRC program planning process.

Stage 1 describes an organization with no integration of GRC: The three disciplines of GRC coexist but do not collaborate on governance, risk and compliance. As the stages progress, the importance of GRC integration is recognized and approved by senior management; manual processes commence; software takes the process to a higher level of cross-organization integration and automation; and, finally, the organization's culture -- and, by extension, its way of doing business -- has adopted to a fully integrated GRC approach.

The dos and don'ts of GRC practices

Managing governance, risk and compliance is one of the organization's most important and complex activities. As your organization establishes a GRC program, keep these dos and don'ts in mind.

Dos

1. Be prepared to justify the integration of GRC activities using a business case approach.
2. Secure senior management support and funding for a GRC program.
3. Carefully examine the possible approaches to a GRC program, and develop a project plan.
4. If software is part of the plan, perform due diligence when selecting a software product.
5. Prepare and deliver awareness and training activities to sell employees and management on the value of integrated GRC activities.
6. Recognize that not all employees will embrace a GRC program; ensure those who stand to benefit the most are on board.
7. Partner with IT to develop an effective system rollout plan.
8. Provide opportunities for employees to test the system before it is put into production.
9. Take care to note employee comments during the test period and share them with the technology vendor.
10. Provide regular briefings to senior management and employees on the program status.
11. Implement the rollout; check for issues, and resolve them quickly.
12. Establish a system maintenance and updating process.
13. Ensure the new system is included in technology DR plans.
14. Establish a program to track program performance and share results with employees and management.

Don't do the following when planning a GRC program

1. Don't assume an integrated GRC program will benefit the company; it may not.
2. Don't assume senior management will quickly embrace a GRC program.
3. Don't assume employees will embrace a GRC program, especially if it means changing the ways they have performed their work over the years.
4. Don't forget to examine the different approaches to a GRC program; consider a maturity model.
5. Don't conduct a minimalist examination and analysis of business processes when determining if an integrated GRC approach will work; understand the business as much as possible.
6. Don't hesitate to contact other organizations to see if their GRC approach worked; this is especially important if GRC software is being considered.
7. Don't fail to collaborate with IT throughout the project.
8. Don't assume employees and management will attend awareness and training sessions; this is where management support can help.
9. Don't ignore the importance of having a project plan for a GRC system implementation.
10. Don't get upset if management decides to defer or cancel the program.