GRC 101: The ABCs of GRC

GRC is a term that covers an organization’s approach to Governance, Risk and Compliance. The acronym was coined by OCEG, the “Open Compliance and Ethics Group” in 2003 as shorthand for a growing and increasingly complex field. The first published, peer-reviewed academic paper on the topic came from OCEG in 2007. This paper formalized the industry, layingthe groundwork for all of the solutions, frameworks, and methodologies that have emerged in the years since. 

The ideas of implementing governing processes, managing risk and meeting compliance standards are much older than the creation of the GRC methodology. Organizations had been using their own methods, and metrics for a long time. The introduction of open-source GRC standards was an effort for organizations to support each other to “enhance the reliability of achieving organizational objectives.”

Breaking It Down

Governance, Risk Management, and Compliance (GRC) are the three standard facets of accountability for organizations to review their business decisions and ensure they are meeting their goals and addressing uncertainty, all with integrity.

The study and collection of GRC data allow organizations to synchronize their information and activities across all three disciplines. Although a company’s GRC guidelines can be interpreted differently and vary across industries or from company to company, there are standard understandings of what these categorical guidelines include: 

Governance 

Governance is the set of defined processes that are determined by the board of directors and affects the corporate structure as well as the way the company is driven toward goals and objectives. The overall management approach through which the organization’s decisions are made falls into the category of governance. In their whitepaper on"Developing an Effective Governance Operating Model,” Deloitte shares that good governance is about “striking a balance, repeatedly.” Governance processes are often the vehicle that ensures proper risk management and compliance goals are being met. Using a combination of management information and the organization’s hierarchical structure, senior executives are able to utilize these processes to effectively run and direct the company.  

Risk Management 

Risk Management is the discipline related to predicting, managing, and avoiding risks that could hinder the growth of the organization. This oversight is designed to address any risk or opportunity in a way that supports the organization’s business goals. 

Compliance 

Compliance revolves around adhering to industry mandates and regulations as well as the company’s voluntary boundaries. Industry regulations are often dictated by state or federal laws and regulations. Internal company policies and procedures are the voluntary boundaries an organization may be trying to operate within. 

What Drives GRC

Organizations today are tasked with meeting the challenges of the current business climate, which comes with its unique set of hurdles. OCEG shares GRC issues that can be found at every level of an organization:

• “Stakeholders demand high performance along with high levels of transparency
• Regulations and enforcement are ever-changing and unpredictable
• The exponential growth of third-party relationships and risk is a management challenge
• The costs of addressing risks and requirements are spinning out of control
• The harsh (and scary) impact when threats and opportunities are not identified”

Impact and Benefits of GRC

GRC has a wide reach and impacts many departments across an organization:  internal audit, compliance, risk, legal, finance, IT, HR as well as the lines of business, executive suite and the board itself. All of these departments work together to create a GRC machine where every department plays an integral part. 

“When GRC is done right, benefits accrue. Organizations that integrate GRC processes and technology across all or many areas previously siloed report benefits such as:

• Reduced costs
• Reduced redundant or duplicative activities
• Reduced impact on operations
• Achieved greater information quality
• Achieved greater ability to gather information quickly and efficiently
• Achieved greater ability to repeat processes in a consistent manner” (OCEG)

A Successful GRC Implementation

Any organization, of any size, can implement, and benefit from, a GRC management model. With the proper support from the organization’s executive leadership, the alignment of governance, risk, and compliance can impart a cultural shift across the organization. 

According to CIO, “before looking into any software solution, you need to prepare your environment first. That means assessing your organization’s risk and examining controls. Do you have adequate controls in place? Are existing controls working? Add controls where needed and fix those that aren’t delivering as intended. You also need to create a GRC framework. …implementing a strategy involves an entire organization, and requires a hard look at all of the people and processes that will be affected.”

OCEG has a GRC Capability Model that is available for organizations to use to assess their GRC readiness and begin the process of building your GRC framework. 

Govenda and GRC

The right board portal can also be used as a GRC Solution to store the pertinent data. This blog post details just how your board portal can pull double-duty in its ability to streamline your governance processes. 

If you’re interested in learning more about how Govenda can serve as your GRC solution, start a conversation today.