What Is Governance, Risk Management, and Compliance (GRC)?

Governance, risk management, and compliance (GRC) is a relatively new corporate management system that integrates these three crucial functions into the processes of every department within an organization.

GRC is in part a response to the "silo mentality," as it has become disparagingly known. That is, each department within a company can become reluctant to share information or resources with any other department. This is seen as reducing efficiency, damaging morale, and preventing the development of a positive company culture.

Understanding GRC

Governance, risk management, and compliance have been key elements of company management for a long time. But the concept of GRC has been around only since about 2007.

Key Takeaways

  • GRC is a system intended to correct the "silo mentality" that leads departments within an organization to hoard information and resources.
  • Governance, risk management, and compliance systems are integrated into every department for greater efficiency.
  • The overall purpose is to reduce risks, costs, and duplication of effort.

The overall purpose of GRC is to reduce risks and costs as well as duplication of effort. It is a strategy that requires company-wide cooperation to achieve results that meet internal guidelines and processes established for each of the three key functions.

The three elements of GRC are:

  • Governance, or corporate governance, is the overall system of rules, practices, and standards that guide a business.
  • Risk, or enterprise risk management, is the process of identifying potential hazards to the business and acting to reduce or eliminate their financial impact.
  • Compliance, or corporate compliance, is the set of processes and procedures that a company has in place to ensure that the company and its employees conduct business in a legal and ethical manner.

Adopting a GRC System

An entire industry has emerged to provide companies with the consulting services necessary to implement a GRC system.

GRC proponents argue that increased regulation, demands for transparency, and the growth of third-party relationships make the traditional siloed approach too risky.

GRC software is also available. Some highly regarded software packages, according to CIO.com, include the IBM OpenPages GRC Platform, MetricStream, and Rsam's Enterprise GRC. The article notes that more affordable and even free GRC software is available, though with fewer features.

Advantages of GRC

Its proponents argue that increasing government regulation, greater demands for corporate transparency, and the growth of third-party business relationships have made the traditional siloed approach to these activities risky and expensive.

Instead, GRC focuses on integrating certain key capabilities and functions across an organization. These capabilities and functions may include information technology, human resources, finance, and performance management, among many others.

As an integrated approach, GRC can mean different things to different businesses. However, it generally requires each department within a business to gather, share, and use information and internal resources more efficiently for the company as a whole.