Why GRC & What Is It?
GRC, simply put, is to provide collaboration between silos of governance, risk, and compliance. It is to get different business roles to share information and work in harmony. Harmony is a good metaphor, we do not want discord where the different parts of the organization are going down different roads and not working together. We also do not want everyone singing the melody as different roles (such as risk, audit, compliance) have their different and unique purposes.
Note: GRC is not a restructuring of the organization. It is getting varying risk and compliance roles to cooperate, collaborate, and share so there is a big picture of risk and compliance to oversee that the organization is properly governed.
When it comes down to it . . . the acronym is not important, there are many GRC initiatives that I get involved with that do not use the term GRC. The goal is the same – to drive efficiency, effectiveness, and agility across risk and compliance processes to support a dynamic and extended business environment. GRC is a lot about process improvement and sharing information and processes. It is about simplification and efficiency.
Compliance should not drive risk. Nor should risk drive compliance. They both should cooperate with each other and share relevant information. Compliance is being challenged to do periodic risk assessments for unethical/non-compliant/criminal behavior. Audit is being challenged to do risk-based audits. Should these roles completely reinvent risk and risk management or work with the risk management team within an organization cooperatively, to learn from the risk experts themselves, to use a framework like ISO 31000 which is aligned to the OCEG GRC Capability Model?
On the flip side, risk needs to work with compliance. The current economic mess is due in part to many banks that had good credit risk policies – they knew their thresholds and appetite, and it was articulated in policy. The issue was they were not compliant with there policies. Risk management without a compliance program is ineffective. Again – two different departments with their own expertise that need to work together.
I think we all know the answer to that. Cooperation is best. To let different areas of the business lead where they excel but not dominate the others. But to work together in harmony – to collaborate and share information and processes so we can achieve a holistic view of risk and compliance across the business.
While the GRC term is 8 years old, I state in my research and teaching that it is nothing new. Organizations have been doing GRC all along. The issue is have they been doing it efficiently (human and financial), effectively (meeting internal and external requirements), and with the proper agility (for a dynamic and extended business environment)? Does the approach we have been taking make sense or are there better ways to do things that bring more process efficiency?
That is what GRC is about – that is the philosophy behind it.
As for the formal definition of GRC. . .
From OCEG’s GRC Capability Model: GRC is a system of people, processes, and technology that enables an organization to:
Understand and prioritize stakeholder expectations.
Set business objectives that are congruent with values and risks.
Achieve objectives while optimizing risk profile, and protecting value.
Operate within legal, contractual, internal, social, and ethical boundaries.
Provide relevant, reliable, and timely information to appropriate stakeholders.
Enable the measurement of the performance and effectiveness of the system.
As my friend and colleague Norman Marks states, “The definition can perhaps best be summarized as how an organization understands stakeholder expectations and then directs and manages activities to maximize performance against those expectations, while managing risks and complying with applicable laws, regulations and obligations.”I have some IMPORTANT NEWS to announce. The OCEG GRC Certification test is ready to be released.
GRC Certification & Training
To date there has not been a GRC certification for individuals that is based on a publicly vetted common body of knowledge. The only source of such knowledge, in my experience, has been OCEG’s GRC Capability Model.
Now OCEG is releasing a GRC certification for individuals based on the very popular GRC Capability Model.
This is a landmark certification. There is not other GRC certification based on an open and vetted source of GRC guidance that is a compendium (I call it the GRC Rosetta Stone) of guidance from across over 100 standards, frameworks, best practices, and regulatory guidance. This is the GRC Capability Model found in the OCEG Red Book. It defines a process model of common elements, principles, sources of failure, and other areas for a successful GRC strategy or individual risk and compliance effort.
OCEG has confirmed that those that attend the next two GRC Bootcamps (London in October and Dallas in November) will have an opportunity to take the written test during the bootcamp with no additional fee for testing – only for these two bootcamps. However, the individual registering for the bootcamp and to take the test must be an OCEG Individual Premium member or higher. I highly recommend that you consider attending one of the next two GRC Bootcamps so you can be among the first to receive this certification. After these two Bootcamps there will be an additional fee for the test/certification.