Understanding GRC

Governance, Risk, and Compliance can each be confusing to understand in their individual capacities – bring them together as GRC and it can be even more confounding. GRC is more than a catchy acronym used by technology providers and consultants to market their solutions – it is a philosophy of business. This philosophy permeates the organization: its oversight, its processes, its culture. Ultimately, GRC is about the integrity of the organization:

  • Is the organization properly managed, and does it have sound governance?
  • Does the organization take risk within risk appetite and tolerance thresholds?
  • Does the organization meet its legal/regulatory compliance obligations?
  • Does the organization make its code of ethics, policies, and procedures clear to its employees and business partners?

The challenge of GRC is that each individual term – governance, risk, compliance – has varied meanings across the organization. There is corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, Sarbanes-Oxley (SOX) compliance, employment/labor compliance, privacy compliance . . . the list of mandates and initiatives goes on and on.

It is easier to define what GRC is NOT. GRC is not about silos of risk and compliance operating independently of each other. GRC is not solely about technology – though technology plays a critical role. GRC is not just a label of services that consultants provide. GRC is not just about Sarbanes-Oxley compliance. GRC is not another label for enterprise risk management (ERM), although GRC encompasses ERM.

Further, GRC is not about a single individual owning all aspects of governance, risk, and compliance. 

GRC IS a philosophy of business. It is about individual GRC roles across the organization working in harmony to provide a complete view of governance, risk, and compliance. It is about collaboration and sharing of information, assessments, metrics, risks, investigations, and losses across these professional roles. GRC’s purpose is to show the full view of risk and compliance and identify interrelationships in today’s complex and distributed business environment. GRC is a federation of professional roles – the corporate secretary, legal, risk, audit, compliance, IT, ethics, finance, line of business, and others – working together in a common framework, collaboration, and architecture to achieve sustainability, consistency, efficiency, and transparency across the organization.

Individually, I use the following standard definitions for the components of GRC:

  • Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed.
  • Risk is the effect of uncertainty on business objectives; risk management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events.
  • Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.

GRC is a three-legged stool: governance, risk, and compliance are all necessary to effectively manage and steer the organization. In summary, good governance can only be achieved through diligent risk and compliance management. In today’s business environment, ignoring a federated view of GRC results in business processes, partners, employees, and systems that behave like leaves blowing in the wind — GRC aligns them to be more efficient and manageable. Inefficiencies, errors, and potential risks can be identified, averted, or contained, reducing the organization's exposure and ultimately creating better business performance.

How do you define GRC? What is GRC’s role within the organization (please comment)?

Why Integrity?

Integrity is a mirror revealing the truth about an individual or a corporation. It involves walking the talk -- not just talking it.

On a personal level, integrity is measured by what an individual does and does not do when no one is looking. Do they hold to their values, beliefs, and ethics? Or do they compromise and do the opposite of what they believe is right?

Integrity is the same at the corporate level. It fails when corporate reports, filings, and stakeholder communications state one thing while in reality the corporation is doing something else. This inconsistency comes as a result of ignorance, market/management pressure, or an outright willingness to deceive. Within corporations it may be the result of one individual or a campaign of several seeking to violate an organization’s governance principles, risk posture, compliance obligations, culture, and ethical practices.

Integrity is violated when corporate policies and procedures are thrown out the window in the quest for personal or corporate gain. From an organization's perspective, personal and corporate integrity are two sides of the same coin. In order for a corporation to have integrity it must have an ethical environment with employees and business partners willing to follow and enforce corporate culture, policies, and procedures. From an individual's perspective, an employee or partner wants to make sure they are working with a corporation that aims to do the right thing and is in sync with their personal values and beliefs.

This is the reason I have launched my new firm, GRC 20/20 Research, LLC. My objective is to assist organizations in achieving integrity in their corporate governance, risk, and compliance (GRC) processes. This is accomplished by monitoring GRC events, drivers, trends, and best practices in corporations around the world and providing insight to the GRC professionals, technology vendors, and professional services firms that make up the international GRC community.

I would welcome your thoughts and perspectives on GRC and its relationship to integrity ...

All the best,