While GRC is ultimately about collaboration and communication between business roles and processes, technology provides the backbone that enables GRC. To describe this technology, Corproate Integrity has defined the GRC Reference Architecture (this is closely aligned to the second version of the Open Compliance & Ethics Group (OCEG) GRC Technology Blueprint).

This model is meant to be a practical and applicable tool for organizations trying to understand and implement technology for GRC.

GRC today is akin to customer/client relationship management (CRM) in the 1980s. Before CRM systems and processes entered the organization, client information and relationships were being managed. The challenge was that there were scattered silos that created inconsistent and redundant data, with no view into the entire profile of the client and its interaction with the business. CRM systems create a single view of customer information and interaction across business processes and roles. GRC systems and processes aim to achieve the same thing — to provide an integrated picture of governance, risk, and compliance information and processes across the business. This requires an integrated view of GRC business process and technology architecture.

A high-level view of the GRC Reference Architecture comprises the following areas:

  • Information architecture: Conceptualizes the interrelationship of GRC-related information that bring agility, efficiency, and effectiveness to the entire organization.
  • Enterprise GRC applications: Represents solution areas that span risk and compliance roles and processes. These solutions are not locked to a single business role, function, and process, but are leveraged among all of them.
  • GRC role and process-specific applications: Describes GRC-role specific applications. These are solutions designed for a specific business role or function to accomplish a specific set of tasks. These applications are typically used predominantly by one area of the organization.



A firm GRC foundation is built upon solid information architecture. The burden, inefficiency, and ineffectiveness — as opposed to agility, efficiency, and effectiveness — of risk and compliance processes results from a lack of integrated and interrelated information architecture.

An intricate relationship of information from across the organization is the heart of a successful GRC technology strategy. All policies, risks, controls, events, requirements, enterprise assets and processes, responsibilities, and objectives interrelate and support each other. When managed in information silos, each of these areas bring inefficiency to the risk and compliance processes.

For example, organizations must understand which policies set management thresholds for specific risks; which events violate specific policies, materialize risk, and cause infractions of regulatory requirements; which controls are established for specific policies and are defined to control certain risks; and which business objectives involve risk, and how their controls allow pursuit of the objective but stay within acceptable risk-tolerance levels.

Enterprise GRC applications interact, share, and leverage the information model to deliver sustainable, consistent, efficient, transparent, and accountable GRC processes. This requires the application to be used across the business as a platform that touches and interacts with a variety of business roles and information. These foundational applications must deliver on the GRC philosophy of a common architecture and collaboration across business roles and interests.

Dozens of application categories fall outside the enterprise GRC application core — these applications focus on specific business roles and functions, such as quality, environmental, health, and safety (EH&S ), and matter management. The enterprise GRC application core consists of the following applications:

  • Audit and assurance management: Audit and assurance management systems manage audit cycles and output — this includes audit resource scheduling and calendaring, audit work paper management, and audit process management.
  • Case and investigations management: Case and investigations management software is used to manage investigations, issues, incidents, events, or cases. It specifically provides consistent documentation and management of events — from reporting to managing and documenting the investigation, to recording the loss and business impact.
  • Compliance management: Corporate compliance systems support the overall coordination of legal, regulatory, contractual, and corporate policy requirements and responsibilities with associated tasks and records of adherence.
  • Control activity and monitoring: Control management and monitoring systems provide the ability to define, record, map, monitor, change, alert and report on information processing (financial and operational data). This includes the limitations or conditions applied to amounts and parties in a transaction; user access, rights, and responsibilities; and accounts, workflows, and process initiation.
  • Hotline/helpline: Employee hotline and helpline systems are confidential, independent information intake and response systems for reporting potential internal fraud, negligence or impropriety by co-workers, partners or contractors. Employees can also use them to seek clarification on policies, and procedures.
  • Policy and procedure management: Policy and procedure management systems help develop, record, organize, modify, maintain, communicate, and administer organizational policies and procedures in response to new or changing requirements or principles, and correlate them to one another.
  • Risk & Regulatory intelligence and monitoring: Regulatory intelligence and monitoring systems monitor external and internal changes, and alert the organization to regulatory and legal conditions that can impact their business. Risk intelligence and monitoring systems monitor external and internal changes, and alert the organization to risk conditions (e.g., geo-political, economic, natural disaster) that can impact their business.
  • Risk management: ERM systems mange implementation of frameworks and processes that apply parameters, indicators, measures, consequential outcomes and business scenarios related to financial and non-financial risks. Operational risk management systems and applications implement and monitor risk processes that define parameters, indicators, consequential analysis and “what-if?” scenarios that stem from performing tasks and from passive activities. Risk analytics and modeling systems help identify specific causes of risk, given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously. These tools execute historical reviews, simulations, interpretations and project impacts to operations, assets, or individuals.
  • Strategy, performance, and business intelligence: BI, strategy, and performance systems examine the systems, processes and applications that manage collection, integration, analysis, and presentation of all layers of planning, strategy, performance, operational, procedural, and decision-making information.
  • Training a
    nd awareness:
    Training and awareness systems manage the learning and understanding of compliance, policy, and risk areas to employees and extended business relationships. They combine training content with learning management system capabilities.

The enterprise GRC application core provides the foundation of GRC across the business. All of these applications can be leveraged from one side of the business to the other, to provide a consistent approach to GRC across silos of risk and compliance. However, a variety of business functions and roles have specific needs that demand applications aimed at their business function. These applications plug into the broader GRC Reference Architecture.

GRC is a federated effort. There is no such thing as one group of the organization that “does” GRC. While there may be a role in leading the collaboration, GRC must extend throughout the business. Business role and function-specific applications predominantly focus on the needs of a specific business function, process, or role in the enterprise. Applications in this area may have significant risk and compliance relevance and impact on the enterprise — but 80% (or more) are used by a specific user or role subset. The enterprise application core represents applications that span GRC business users and roles across the business.

The business roles and functions with specific need for GRC technologies and applications are scattered across the enterprise. In one sense, every part of the business touches on GRC as it relates to different aspects of performance, risk, compliance, values, and control. Primary, not all-inclusive, business function/role application categories include:

  • 3rd/vendor/supply-chain risk and compliance
  • Board and entity management
  • Brand and reputation management
  • Business continuity management
  • Contract management
  • Corporate social responsibility
  • Discovery/e-discovery management
  • Environmental monitoring and reporting
  • Environmental, health, and safety
  • Fraud detection and prevention
  • Global trade compliance/international dealings
  • Information/IT risk and compliance
  • Insurance and claims management
  • Intellectual property management
  • Loss management
  • Matter management
  • Physical security management
  • Privacy
  • Quality management and monitoring
  • Risk management – finance and treasury

These roles represent a significant but not exhaustive look at the categories of risk and compliance software solutions targeted at specific areas of the business. The applications must be able to report and feed information into broader GRC reporting systems and dashboards to maintain a 360-degree view of GRC. All are very relevant, and part of a broad GRC strategy.


The GRC Reference Architecture is a model of the technology landscape of GRC solutions. Currently there are more than 400 different technology providers delivering solutions for narrow to broad aspects of governance, risk, and compliance. The GRC Reference Architecture is part of Corporate Integrity’s broader GRC EcoSystem, which catalogs more than 1,300 technologies, professional service firms, and information/content providers. This posting has been just an excerpt of Corporate Integrity’s published research, GRC Reference Architecture: Understanding the GRC Technology Landscape.

I would love to hear your thoughts on the topic of GRC Software. Please feel free to comment in this forum, or send me an email. Please comment on this blog or send me an e-mail.

ONLINE WORKSHOP: The GRC Reference Architecture

Understanding & Approaching GRC Technology for Your Business

GRC – Governance, Risk, & Compliance. Whether you use this specific acronym or not the fact is your organization does GRC. There is not a single executive that will tell you that they lack corporate governance, do not manage risk, and completely ignore compliance. The truth of the matter: GRC has been a part of business since the dawn of business. In this 2 hour online workshop, Corporate Integrity defines and communicates The GRC Reference Architecture. This GRC Reference Architecture is part of my broader GRC EcoSystem of technology, consultants, and information providers (over 1300 firms cataloged to date). And is synchronized to the OCEG GRC IT Blueprint

The GRC Reference Architecture is comprised of: information framework, enterprise core GRC application(s), role/business function specific applications, as well as industry and geographic/jurisdiction specific applications.

The goal is to assist organizations in understanding the breadth of the GRC technology landscape, how different GRC technologies can and should work together, and provide the foundation for developing a GRC technology plan to support your organization’s risk and compliance process requirements.

ONLINE WORKSHOPThe GRC Reference Architecture

Date: Thursday, July 01, 2010 from 11:00 AM – 1:00 PM (CT)

Leave a Reply

Your email address will not be published. Required fields are marked *