Governance, risk management, and compliance

Last updated March 29, 2024

Governance, risk management and compliance (GRC) is the term covering an organization's approach across these three practices: governance, risk management, and compliance.^[1]^[2]^[3]^[4]

The first scholarly research on GRC was published in 2007^[5] where GRC was formally defined as "the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity." The research referred to common "keep the company on track" activities conducted in departments such as internal audit, compliance, risk, legal, finance, IT, HR as well as the lines of business, executive suite and the board itself.

Overview

Governance, risk management, and compliance are three related facets that aim to assure an organization reliably achieves objectives, addresses uncertainty and acts with integrity.^[6] Governance is the combination of processes established and executed by the directors (or the board of directors) that are reflected in the organization's structure and how it is managed and led toward achieving goals. Risk management is predicting and managing risks that could hinder the organization from reliably achieving its objectives under uncertainty. Compliance refers to adhering with the mandated boundaries (laws and regulations) and voluntary boundaries (company's policies, procedures, etc.).^[7]^[8]

GRC is a discipline that aims to synchronize information and activity across governance, and compliance in order to operate more efficiently, enable effective information sharing, more effectively report activities and avoid wasteful overlaps. Although interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.

Organizations reach a size where coordinated control over GRC activities is required to operate effectively. Each of these three disciplines creates information of value to the other two, and all three impact the same technologies, people, processes and information.

Substantial duplication of tasks evolves when governance, risk management and compliance are managed independently. Overlapping and duplicated GRC activities negatively impact both operational costs and GRC matrices. For example, each internal service might be audited and assessed by multiple groups on an annual basis, creating enormous cost and disconnected results. A disconnected GRC approach will also prevent an organization from providing real-time GRC executive reports. GRC supposes that this approach, like a badly planned transport system, every individual route will operate, but the network will lack the qualities that allow them to work together effectively.^[9]

If not integrated, if tackled in a traditional "silo" approach, most organizations must sustain unmanageable numbers of GRC-related requirements due to changes in technology, increasing data storage, market globalization and increased regulation.

GRC topics

Basic concepts

Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.^[10]
Risk management is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party, whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.).
Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary. Compliance administration refers to the administrative exercise of keeping all the compliance documents up to date, maintaining the currency of the risk controls and producing the compliance reports. Obligational awareness refers to the ability of the organization to make itself aware of all of its mandatory and voluntary obligations, namely relevant laws, regulatory requirements, industry codes and organizational standards, as well as standards of good governance, generally accepted best practices, ethics and community expectations. These obligations may be financial, strategic or operational where operational includes such diverse areas as property safety, product safety, food safety, workplace health and safety, asset maintenance, etc.

GRC market segmentation

A GRC program can be instituted to focus on any individual area within the enterprise, or a fully integrated GRC is able to work across all areas of the enterprise, using a single framework.

A fully integrated GRC uses a single core set of control material, mapped to all of the primary governance factors being monitored. The use of a single framework also has the benefit of reducing the possibility of duplicated remedial actions.

When reviewed as individual GRC areas, the most common individual headings are considered to be Financial GRC, Operational GRC, WHS GRC, IT GRC, and Legal GRC.

Financial GRC relates to the activities that are intended to ensure the correct operation of all financial processes, as well as compliance with any finance-related mandates.
Operational GRC relates to all operational activities such as property safety, product safety, food safety, workplace health and safety, IT compliance asset maintenance, etc.
WHS GRC, a subset of Operational GRC, relates to all workplace health and safety activities
IT GRC, a subset of Operational GRC, relates to the activities intended to ensure that the IT (Information Technology) organization supports the current and future needs of the business, and complies with all IT-related mandates.
Legal GRC focuses on tying together all three components via an organization's legal department and chief compliance officer. This however can be misleading as ISO 37301 refers to mandatory and voluntary obligations and a focus on legal GRC can introduce bias.

The AICD (Australian Institute of Company Directors) however splits risk into three super groups

Financial Risk
Operational Risk
Strategic Risk

Analysts disagree on how these aspects of GRC are defined as market categories. Gartner has stated that the broad GRC market includes the following areas:

Finance and audit GRC
IT GRC management
Enterprise risk management.

They further divide the IT GRC management market into these key capabilities.

Controls and policy library
Policy distribution and response
IT Controls self-assessment and measurement
IT Asset repository
Automated general computer control (GCC) collection
Remediation and exception management
Reporting
Advanced IT risk evaluation and compliance dashboards

GRC product vendors

The distinctions between the sub-segments of the broad GRC market are often not clear. With a large number of vendors entering this market recently, determining the best product for a given business problem can be challenging. Given that the analysts do not fully agree on the market segmentation, vendor positioning can increase the confusion.

Owing to the dynamic nature of this market, any vendor analysis is often out of date relatively soon after its publication.

Broadly, the vendor market can be considered to exist in three segments:

Integrated GRC solutions (multi-governance interest, enterprise wide)
Domain specific GRC solutions (single governance interest, enterprise wide)
Point solutions to GRC (relate to enterprise wide governance or enterprise wide risk or enterprise wide compliance but not in combination.)

Integrated GRC solutions attempt to unify the management of these areas, rather than treat them as separate entities. An integrated solution is able to administer one central library of compliance controls, but manage, monitor and present them against every governance factor. For example, in a domain specific approach, three or more findings could be generated against a single broken activity. The integrated solution recognizes this as one break relating to the mapped governance factors.

Domain specific GRC vendors understand the cyclical connection between governance, risk and compliance within a particular area of governance. For example, within financial processing — that a risk will either relate to the absence of a control (need to update governance) and/or the lack of adherence to (or poor quality of) an existing control. An initial goal of splitting out GRC into a separate market has left some vendors confused about the lack of movement. It is thought that a lack of deep education within a domain on the audit side, coupled with a mistrust of audit in general causes a rift in a corporate environment. However, there are vendors in the marketplace that, while remaining domain-specific, have begun marketing their product to end users and departments that, while either tangential or overlapping, have expanded to include the internal corporate internal audit (CIA) and external audit teams (tier 1 big four AND tier two and below), information security and operations/production as the target audience. This approach provides a more 'open book' approach into the process. If the production team will be audited by CIA using an application that production also has access to, is thought to reduce risk more quickly as the end goal is not to be 'compliant' but to be 'secure,' or as secure as possible. You can also try the various GRC Tools available in market which are based on automation and can reduce your work load.

Point solutions to GRC are marked by their focus on addressing only one of its areas. In some cases of limited requirements, these solutions can serve a viable purpose. However, because they tend to have been designed to solve domain specific problems in great depth, they generally do not take a unified approach and are not tolerant of integrated governance requirements. Information systems will address these matters better if the requirements for GRC management are incorporated at the design stage, as part of a coherent framework.^[11]

GRC data warehousing and business intelligence

GRC vendors with an integrated data framework are now able to offer custom built GRC data warehouse and business intelligence solutions. This allows high value data from any number of existing GRC applications to be collated and analysed.

The aggregation of GRC data using this approach adds significant benefit in the early identification of risk and business process (and business control) improvement.

Further benefits to this approach include (i) it allows existing, specialist and high value applications to continue without impact (ii) organizations can manage an easier transition into an integrated GRC approach because the initial change is only adding to the reporting layer and (iii) it provides a real-time ability to compare and contrast data value across systems that previously had no common data scheme.'

GRC research

Each of the core disciplines – Governance, Risk Management and Compliance – consists of the four basic components: strategy, processes, technology and people. The organisation's risk appetite, its internal policies and external regulations constitute the rules of GRC. The disciplines, their components and rules are now to be merged in an integrated, holistic and organisation-wide (the three main characteristics of GRC) manner – aligned with the (business) operations that are managed and supported through GRC. In applying this approach, organisations long to achieve the objectives: ethically correct behaviour, and improved efficiency and effectiveness of any of the elements involved.^[12]

Related Research Articles

Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.

ISO 14000 is a family of standards by the International Organization for Standardization (ISO) related to environmental management that exists to help organizations (a) minimize how their operations negatively affect the environment ; (b) comply with applicable laws, regulations, and other environmentally oriented requirements; and (c) continually improve in the above.

<span class="mw-page-title-main">Audit</span> Independent examination of an organization

An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon." Auditing also attempts to ensure that the books of accounts are properly maintained by the concern as required by law. Auditors consider the propositions before them, obtain evidence, roll forward prior year working papers, and evaluate the propositions in their auditing report.

Information technology (IT)governance is a subset discipline of corporate governance, focused on information technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders. It has evolved from The Principles of Scientific Management, Total Quality Management and ISO 9001 Quality management system.

In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Compliance has traditionally been explained by reference to the deterrence theory, according to which punishing a behavior will decrease the violations both by the wrongdoer and by others. This view has been supported by economic theory, which has framed punishment in terms of costs and has explained compliance in terms of a cost-benefit equilibrium. However, psychological research on motivation provides an alternative view: granting rewards or imposing fines for a certain behavior is a form of extrinsic motivation that weakens intrinsic motivation and ultimately undermines compliance.

Quality management ensures that an organization, product or service consistently functions well. It has four main components: quality planning, quality assurance, quality control and quality improvement. Quality management is focused not only on product and service quality, but also on the means to achieve it. Quality management, therefore, uses quality assurance and control of processes as well as products to achieve more consistent quality. Quality control is also part of quality management. What a customer wants and is willing to pay for it, determines quality. It is a written or unwritten commitment to a known or unknown consumer in the market. Quality can be defined as how well the product performs its intended function.

COBIT is a framework created by ISACA for information technology (IT) management and IT governance.

Information technology controls are specific activities performed by persons or systems to ensure that computer systems operate in a way that minimises risk. They are a subset of an organisation's internal control. IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC includes controls over the hardware, system software, operational processes, access to programs and data, program development and program changes. IT application controls refer to controls to ensure the integrity of the information processed by the IT environment. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992, COSO published the Internal Control – Integrated Framework, commonly used by businesses in the United States to design, implement, and conduct systems of internal control over financial reporting and assessing their effectiveness.

Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives, assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

Microsoft Operations Framework (MOF) 4.0 is a series of guides aimed at helping information technology (IT) professionals establish and implement reliable, cost-effective services.

Operational risk management (ORM) is defined as a continual recurring process that includes risk assessment, risk decision making, and the implementation of risk controls, resulting in the acceptance, mitigation, or avoidance of risk.

<span class="mw-page-title-main">Internal audit</span> Independent, objective assurance and consulting activity

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing might achieve this goal by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.

Software asset management (SAM) is a business practice that involves managing and optimizing the purchase, deployment, maintenance, utilization, and disposal of software applications within an organization. According to ITIL, SAM is defined as “…all of the infrastructure and processes necessary for the effective management, control, and protection of the software assets…throughout all stages of their lifecycle.” Fundamentally intended to be part of an organization's information technology business strategy, the goals of SAM are to reduce information technology (IT) costs and limit business and legal risk related to the ownership and use of software, while maximizing IT responsiveness and end-user productivity. SAM is particularly important for large corporations regarding redistribution of licenses and managing legal risks associated with software ownership and expiration. SAM technologies track license expiration, thus allowing the company to function ethically and within software compliance regulations. This can be important for both eliminating legal costs associated with license agreement violations and as part of a company's reputation management strategy. Both are important forms of risk management and are critical for large corporations' long-term business strategies.

Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.

Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization's financial and operational environment. The financial and operational environment consists of people, processes, and systems working together to support efficient and effective operations. Controls are put in place to address risks within these components. Through continuous monitoring of the operations and controls, weak or poorly designed or implemented controls can be corrected or replaced – thus enhancing the organization's operational risk profile. Investors, governments, the public and other stakeholders continue to increase their demands for more effective corporate governance and business transparency.

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). SIEM is the core component of any typical Security Operations Center (SOC), which is the centralized response team addressing security issues within an organization.

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

Lockpath is a governance, risk management, and compliance and information security software platform based in Overland Park, Kansas. Its Keylight platform integrates business processes to simplify risk management and regulatory compliance challenges. Common business areas Lockpath target are policy and procedure management, risk assessment, incident management, vulnerability management, vendor management, business continuity planning and internal audit preparation.

Service governance is a means of achieving good corporate governance through managing internal corporate services across and throughout an enterprise. It engages stakeholders and delivery channels for the purpose of effectively managing risk, as well as driving the intended business value with a focus on how decisions are made and enforced in a dynamic business environment.

References

↑ Anthony Tarantino (2008-02-25), Governance, Risk, and Compliance Handbook, ISBN 978-0-470-09589-8
↑ Denise Vu Broady; Holly A. Roland (2008-04-25), "The ABCs of GRC", SAP GRC For Dummies, ISBN 978-0-470-33317-4
↑ Silveira, P., Rodriguez, C., Birukou, A., Casati, F., Daniel, F., D'Andrea, V., Worledge & C., Zouhair, T. (2012), "Aiding Compliance Governance in Service-Based Business Processes", Handbook of Research on Service-Oriented Systems and Non-Functional Properties (PDF), IGI Global, pp. 524–548, doi:10.4018/978-1-61350-432-1.ch022, ISBN 9781613504321 , retrieved 2013-04-06{{citation}}: CS1 maint: multiple names: authors list (link)
↑ Scott L. Mitchell (2007-10-01), "GRC360: A framework to help organisations drive principled performance", International Journal of Disclosure and Governance, 4 (4): 279–296, doi:10.1057/palgrave.jdg.2050066, ISSN 1741-3591, S2CID 154869217
↑ Scott L. Mitchell (2007-10-01), "GRC360: A framework to help organisations drive principled performance", International Journal of Disclosure and Governance, 4 (4): 279–296, doi:10.1057/palgrave.jdg.2050066, ISSN 1741-3591, S2CID 154869217
↑ OCEG (2004), "GRC Capability Model"Scott L. Mitchell, OCEG (2004-01-01), GRC Capability Model (Free Open Source)
↑ Kurt F. Reding, Paul J. Sobel, Urton L. Anderson, Michael J. Head, Sridhar Ramamoorti, Mark Salamasick, Cris Riddle (2013), "Internal Auditing: Assurance & Advisory Services"
↑ OCEG (2004), "GRC Capability Model"Scott L. Mitchell, OCEG (2004-01-01), GRC Capability Model (Free Open Source)
↑ Terminus Systems (2018), "GRC" Unlisted, Terminus Systems (2018-01-01), GRC {Free Open Source}
↑ Lamm, Blount, etc. (2009-12-28), Under Control: Governance Across the Enterprise, ISBN 978-1430215929 {{citation}}: CS1 maint: multiple names: authors list (link)
↑ Bonazzi, R., Hussami, L. & Pigneur, Y. (2009), "Compliance Management is Becoming a Major Issue in IS Design" (PDF), in D'atri, Alessandro; Saccà, Domenico (eds.), Information Systems: People, Organizations, Institutions, and Technologies, Springer, pp. 391–398, doi:10.1007/978-3-7908-2148-2, ISBN 978-3-7908-2147-5, archived from the original (PDF) on 2012-03-12, retrieved 2013-04-06{{citation}}: CS1 maint: multiple names: authors list (link)
↑ Racz, N., Weippl, E. & Seufert, A. (2010), Bart De Decker; Ingrid Schaumüller-Bichl (eds.), A frame of reference for research of integrated GRC, vol. Communications and Multimedia Security, 11th IFIP TC 6/TC 11 International Conference, CMS 2010 Proceedings, Berlin: Springer, pp. 106–117, ISBN 978-3-642-13240-7 {{citation}}: CS1 maint: multiple names: authors list (link)

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Anthony Tarantino (2008-02-25), Governance, Risk, and Compliance Handbook, ISBN 978-0-470-09589-8

[2] Denise Vu Broady; Holly A. Roland (2008-04-25), "The ABCs of GRC", SAP GRC For Dummies, ISBN 978-0-470-33317-4

[3] Silveira, P., Rodriguez, C., Birukou, A., Casati, F., Daniel, F., D'Andrea, V., Worledge & C., Zouhair, T. (2012), "Aiding Compliance Governance in Service-Based Business Processes", Handbook of Research on Service-Oriented Systems and Non-Functional Properties (PDF), IGI Global, pp. 524–548, doi:10.4018/978-1-61350-432-1.ch022, ISBN 9781613504321 , retrieved 2013-04-06{{citation}}: CS1 maint: multiple names: authors list (link)

[4] Scott L. Mitchell (2007-10-01), "GRC360: A framework to help organisations drive principled performance", International Journal of Disclosure and Governance, 4 (4): 279–296, doi:10.1057/palgrave.jdg.2050066, ISSN 1741-3591, S2CID 154869217

[5] Scott L. Mitchell (2007-10-01), "GRC360: A framework to help organisations drive principled performance", International Journal of Disclosure and Governance, 4 (4): 279–296, doi:10.1057/palgrave.jdg.2050066, ISSN 1741-3591, S2CID 154869217

[6] OCEG (2004), "GRC Capability Model"Scott L. Mitchell, OCEG (2004-01-01), GRC Capability Model (Free Open Source)

[7] Kurt F. Reding, Paul J. Sobel, Urton L. Anderson, Michael J. Head, Sridhar Ramamoorti, Mark Salamasick, Cris Riddle (2013), "Internal Auditing: Assurance & Advisory Services"

[8] OCEG (2004), "GRC Capability Model"Scott L. Mitchell, OCEG (2004-01-01), GRC Capability Model (Free Open Source)

[9] Terminus Systems (2018), "GRC" Unlisted, Terminus Systems (2018-01-01), GRC {Free Open Source}

[10] Lamm, Blount, etc. (2009-12-28), Under Control: Governance Across the Enterprise, ISBN 978-1430215929 {{citation}}: CS1 maint: multiple names: authors list (link)

[11] Bonazzi, R., Hussami, L. & Pigneur, Y. (2009), "Compliance Management is Becoming a Major Issue in IS Design" (PDF), in D'atri, Alessandro; Saccà, Domenico (eds.), Information Systems: People, Organizations, Institutions, and Technologies, Springer, pp. 391–398, doi:10.1007/978-3-7908-2148-2, ISBN 978-3-7908-2147-5, archived from the original (PDF) on 2012-03-12, retrieved 2013-04-06{{citation}}: CS1 maint: multiple names: authors list (link)

[12] Racz, N., Weippl, E. & Seufert, A. (2010), Bart De Decker; Ingrid Schaumüller-Bichl (eds.), A frame of reference for research of integrated GRC, vol. Communications and Multimedia Security, 11th IFIP TC 6/TC 11 International Conference, CMS 2010 Proceedings, Berlin: Springer, pp. 106–117, ISBN 978-3-642-13240-7 {{citation}}: CS1 maint: multiple names: authors list (link)

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]