Governance, Risk Management, & Compliance (GRC) is not new to business. The acronym itself is over a decade old, but organizations have always had some approach to governance, risk management, and compliance. The acronym did not give us GRC; it just put a label on it. Every organization has GRC.
The question every organization should be asking is: how mature is your organization’s approach to GRC?
GRC is not something you buy; it is something you do. No GRC vendor can sell you a commodity that will solve all of your GRC-related problems. GRC is part of the business and extends across and into its operations. To that end, we need to rethink our understanding of GRC.
Over the years, the conception and understanding of GRC have matured. The best thing to happen to GRC was the development of the OCEG GRC Capability Model, and with it the OCEG definition of GRC:
GRC is a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].
Mature GRC requires an understanding of the business: its strategy, organizational structure, processes, risks, obligations, commitments, and objectives. The goal of GRC is to enable the organization to govern itself and to manage risk and compliance in the context of the business.
Achieving GRC maturity requires a GRC architecture that leverages an understanding of enterprise architecture. GRC architecture is a . . .