Governance Risk and Compliance
As organizations undergo digital transformation and implement new technologies, they face challenges like increased management complexity, new sources of risks, and additional regulatory and legal obligations. To address these challenges effectively, organizations engage in Governance Risk and Compliance (GRC) activities at the strategic, tactical, and operational levels.
What is Governance Risk and Compliance?
The concept of an integrated Governance, Risk, and Compliance (GRC) was described by Scott L. Mitchell of the Open Compliance and Ethics Group (now known as OCEG) in a 2007 publication titled “GRC360: A framework to help organizations drive principled performance”.
The OCEG was founded in 2002, in the wake of the dot-com bubble burst by a group of professionals that included board members, compliance managers, risk managers, IT auditors, lawyers, accounts, and audit executives. The group identified that organizations like those in the dot-com crisis were failing because of their antiquated management techniques – valuable information was siloed in separate departments with separate responsibilities, and a lack of oversight prevented organizations from discovering and resolving issues until it was too late.
To help organizations better achieve their objectives, identify and mitigate risk, and comply with the necessary regulations, an OCEG working group of over 100 experts created the GRC framework, designed to break down silos and establish closer oversight and integration of six key business areas:
- Governance and strategy
- Risk management
- Audit and internal audit
- Compliance and legal
- Ethics and culture
Why is Governance Risk and Compliance Important?
As organizations grow, they eventually reach a size where a formalized, integrated framework for governance, risk management, and compliance is required to operate at maximum efficiency. Without such a framework, these activities may be managed separately by siloed departments or business units. This leads to major inefficiencies that can include duplication of tasks and effort, excess costs, taking on too much risk (or not enough), and compliance issues with a variety of consequences.
The basis of the GRC framework is that accomplishing business objectives requires an integrated approach that effectively aligns business goals and objectives with risk management, compliance, and ethical conduct.
The GRC framework outlines a five-step process for avoiding the negative consequences of poorly managed governance, risk, and compliance:
- Commit: Obtain buy-in and commitment to integrated capabilities from all relevant stakeholders.
- Plan: Use the GRC capability model to understand the current state of GRC within your organization, define a future goal state, establish roles and responsibilities, develop and synchronize capability processes, and define an approach for measuring results.
- Do: Implement the GRC plan through a controlled change management process, ensuring effective communication with employees and stakeholders about new expectations.
- Check: Evaluate the performance of new GRC processes and capabilities against objectives to determine whether new changes are having the intended results.
- Act: Work to improve GRC processes and capabilities based on the result of ongoing evaluations.
This five-step process adapts the Plan-Do-Check-Act (PDCA) cycle to corporate governance, offering organizations a clear path to implementing an effective corporate governance framework and avoiding the pitfalls of disconnected governance, risk management, and compliance processes.