Governance, Risk management, and Compliance (GRC) is the umbrella term covering an organisation’s approach across these three areas: corporate governance, risk management and regulatory compliance. The GRC areas have evolved to become top business priorities. A new evolution in business is being driven by increased stakeholder demands, heightened public scrutiny and new performance expectations. The trend toward improved corporate governance is seen in many initiatives, for instance:
- Protecting corporate reputation and brand value;
- Meeting the increased demands and expectations of investors, legislators, regulators, customers, employees, analysts, consumers and other key stakeholders;
- Driving value and managing performance expectations for governance, ethics, risk management and compliance;
- Managing crisis and remediation while defending the organisation, its executives and board members against the increased scope of legal enforcement and the rising impact of fines, penalties and business disruption;
- Exercising good corporate stewardship and discharging fiduciary duties in a transparent and proactive manner.
GRC is a discipline that aims to synchronise information and activity across governance, risk management and compliance in order to operate more efficiently, enable effective information sharing, more effectively report activities and avoid wasteful overlaps. GRC is three related facets that help assure an organisation meets its objectives.
- Governance is the combination of processes established and executed by the directors (or the board of directors) that are reflected in the organisation’s structure and how it is managed and led toward achieving goals. (see IT Governance)
- Risk management is predicting and managing risks that could prevent the organisation achieving its objectives. (see Risk management)
- Compliance refers to adhering to the company’s policies, procedures, laws and regulations.
Organisations reach a size where coordinated control over GRC activities is required to operate effectively. Each of these three disciplines creates information of value to the other two, and all three disciplines impact the same technologies, people, processes and information.
Organisations are also dealing with today’s challenging business climate. Even small businesses, non-profits, and government agencies are facing issues that only large companies had to face in the past.
Think of how many of these factors an organisation has to deal with:
- Stakeholders demand high performance along with high levels of transparency;
- Regulations and enforcement are ever-changing and unpredictable;
- Exponential growth of third-party relationships and risk is a management challenge;
- The costs of addressing risks and requirements are spinning out of control;
- The harsh impact when threats and opportunities are not identified.