This post is part of our GRC 101 series, providing an entry-level overview of the business of governance, risk, and compliance. In this article we’ll tie it all together.
What does the GRC acronym mean?
Let's start by breaking down the acronym, GRC:
- The G, for Governance: the combination of rules, policies, and processes put in place to dictate corporate behavior and how the organization is managed
- The R, for Risk Management: the ability to effectively and cost-efficiently mitigate risks that can hinder an organization's operations or ability to remain competitive in its market
- The C, for Compliance: the process of making sure a company and its employees follow the laws, regulations, standards, and ethical practices that apply to the organization
GRC, then, is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity. In other words, GRC helps keep the company on track.
In this post we’ll look at the history of the acronym, its purpose, and why the G, the R, and the C are lumped together at most large companies.
What's the purpose of GRC?
GRC aims to synchronize people, information, and activity across departments so that the company can operate efficiently. This includes effective information sharing and elimination of wasteful overlaps. As companies grow, this becomes more and more complex.
A well-planned GRC strategy comes with a host of benefits: improved decision-making, better-targeted IT investments, elimination of silos, and reduced fragmentation among divisions and departments, to name a few. Most important, however, is how GRC ensures all areas of the organization are aligned with accomplishing the firm’s strategic objectives.
Another reason GRC is lumped together is that business activities often satisfy more than one requirement. Particularly in large organizations, each of the three disciplines creates information of value to the other two—and all three impact the same technologies, people, processes, and information. For example, a company might be subject to a cybersecurity regulation (a compliance activity) while also holding itself to certain internal data-protection standards (a governance activity), both of which in turn help to mitigate the risk of a cybersecurity incident (a risk management result).
This is why coordinated control over GRC activities is required to operate effectively. Substantial duplication of tasks can emerge when governance, risk management, and compliance are managed independently.
What’s the origin of the term GRC?
It’s important to remember that organizations have been governed—and risk and compliance managed—for a long time. Looked at in this way, GRC is nothing new; it’s the coordinated oversight of functions that has emerged as a discipline just in the last couple of decades.
The term "GRC" was coined in the early 2000s after a spate of corporate financial disasters, including those involving Enron, WorldCom, and Tyco. The highly publicized incidents led directly to the passing of the Sarbanes-Oxley Act (SOX) of 2002, which established sweeping auditing and financial regulations for public companies. Amid the mad dash to comply with these new regulatory requirements, the acronym GRC caught on as a shorthand reference to the critical capabilities that must work together to keep companies on track (and out of the headlines).
While the acronym was used as early as 2003, the first peer-reviewed academic paper on the topic was published in 2007 by OCEG founder Scott Mitchell in the International Journal of Disclosure and Governance. This paper formalized the industry, laying the groundwork for all of the solutions, frameworks, and methodologies that have emerged in the years since.
Who uses GRC?
GRC can be implemented at any organization, whether large or small, public or private. There is no one “right” company profile, just as there is no one correct way to do GRC.
Within an organization, GRC touches multiple stakeholders. Because GRC strategies span the entire organization, these tools and policies require management and coordination across numerous stakeholders, including:
- Business executives who need to identify and manage risk
- Finance managers assigned to meet regulatory compliance requirements
- Legal counsels grappling with discovery and records retention
- IT directors managing software installations related to GRC projects across an organization
What is GRC software?
Many different GRC tools and software packages, at various levels of sophistication, exist to help managers stay on top of their GRC programs. These tools give managers the power to create and coordinate policies and controls, map them to regulatory and internal compliance requirements, facilitate workflow within and across business units, and monitor the company’s overall risk profile. As GRC tools and software move up the sophistication scale, additional capabilities such as data analytics, centralization of risk exposures, and workflow automation may also be layered in.
Organizations might also consult a framework for guidance in developing and refining their GRC functions, rather than creating one from scratch. Frameworks and standards provide general guidelines that organizations can tailor to their environment. COBIT, for information technology, and COSO, for internal controls, are two major ones.
Ultimately GRC is fairly simple in concept. It is about establishing an approach that ensures the right people get the right information at the right times; that the right objectives are established; and that the right actions and controls are put in place to address uncertainty and act with integrity.