Governance, Risk Management, and Compliance
From Wikipedia, the free encyclopedia
Governance, Risk Management, and Compliance or "GRC" is an increasingly recognized term that reflects a new way in which organizations can adopt an integrated approach to these three areas. However, this term is often positioned as a single business activity, when in fact, it includes multiple overlapping and related activities within an organization, e.g. internal audit, compliance programs like SOX, enterprise risk management (ERM), operational risk, incident management, etc.
Governance is the responsibility of senior executive management and focuses on creating organizational transparency by defining the mechanisms an organization uses to ensure that its constituents follow established processes and policies. A proper governance strategy implements systems to monitor and record current business activity, takes steps to ensure compliance with agreed policies, and provides for corrective action in cases where the rules have been ignored or misconstrued.
Risk Management is the process by which an organization sets the risk tolerance, identifies potential risks and prioritizes the tolerance for risk based on the organization’s business objectives. Risk Management leverages internal controls to manage and mitigate risk throughout the organization.
Compliance is the process that records and monitors the controls, be they physical, logical or organisational, needed to enable compliance with legislative or industry mandates as well as internal policies.
Within the GRC realm, it is very important to realize that if the first one (Governance) is not in place, the second two (Risk Management and Compliance) become irrelevant and probably cannot be meaningfully achieved. By the same logic, if the second one (Risk Management) is not in place, then achieving Compliance becomes irrelevant and probably cannot be meaningfully achieved. This is the reason the acronym is designed as GRC and not other combinations. Governance, Risk, and Compliance are highly related but distinct activities that solve different problems for different sets of constituents of an organization.
A specific definition of GRC can be challenging. According to Michael Rasmussen, an industry GRC analyst, the challenge in defining GRC is that individually each term has "many different meanings within organizations. There is corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, Sarbanes-Oxley (SOX) compliance, employment/labor compliance, privacy compliance . . . you get the picture."
According to Nicolas Racz of GRC-Resource.com, "GRC reflects an integrated approach on the issues of governance, risk and compliance ensuring that an organisation acts in accordance with its self-imposed rules, its risk appetite and external regulations. GRC further implies horizontal and vertical integration and the use of synergies across strategy, process and technology levels."[1] Thus GRC should not be seen as an umbrella term for the separated topics of governance, risk management and compliance, but as a concept leveraging synergies in order to increase efficiency and reduce complexity.
Initial interest in GRC systems was driven by the Sarbanes-Oxley Act, but GRC system requirements have changed and now are seen as a means to achieve Enterprise Risk Management. Specifically, this represents a movement from managing risk as a transaction or compliance activity to adding business value by improving operational decision making and strategic planning.
GRC Market Segmentation
A GRC program can be instituted to focus on any individual area within the enterprise. However, the three most common areas would be Financial GRC, IT GRC, and Legal GRC. Financial GRC relates to the activities that are intended to ensure the correct operation of all financial processes, as well as compliance with any finance-related mandates. IT GRC relates to the activities intended to ensure that the IT (Information Technology) organization supports the current and future needs of the business, and complies with all IT-related mandates. Legal GRC focuses on tying together all three components via an organization's legal department and Chief Compliance Officer.
Analysts disagree on how these aspects of GRC are defined as market categories. Gartner has stated that the broad GRC market includes the following areas:
- Finance and Audit GRC
- IT GRC Management
- Enterprise Risk Management.
They further divide the IT GRC Management market into these key capabilities. Although this list relates to IT GRC, a similar list of capabilities would be suitable for other areas of GRC.
- Controls and policy library
- Policy distribution and response
- IT Controls self-assessment and measurement
- IT Asset repository
- Automated general computer control (GCC) collection
- Remediation and exception management
- Reporting
- Advanced IT risk evaluation and compliance dashboards
The Burton Group offers a similar market taxonomy, which includes the following segments:[2]
- Financial GRC
- Operational risk management
- General compliance and audit management
- IT GRC
- Enterprise risk management
IT GRC 2008 Annual Survey Report
IT governance, risk and compliance (IT GRC) is about striking an appropriate balance between business reward and risk. The maturity of IT GRC practices for managing reward and risk has a direct impact on the organization. IT GRC encompasses the practices for delivering:
- Greater business value from IT strategy, investment and alignment,
- Significantly reduced business and financial risk from the use of IT, and
- Conformance with policies of the organization and its external legal and regulatory compliance mandates.
While some of these practices involve continuous improvement to quality, others involve practices and capabilities that are known to be effective, along with objectives for what the organization wants to achieve. IT GRC energizes the entire organization to imagine what it can achieve, establishes methods for achieving its objectives, and demonstrates the practices that are proven to work for minimizing business and financial risk.
Fundamentally, IT GRC is about striking an appropriate balance between business reward and risk, enabling an organization to more effectively anticipate and manage business risk while more effectively delivering value for the organization.
The IT Governance, Risk and Compliance (IT GRC) 2008 Annual Research Report, assembled from benchmark research conducted with more than 2,600 organizations around the world, reveals the IT GRC maturity profiles, business outcomes, capabilities and practices that are most responsible for influencing and impacting business rewards and risks.
GRC Product Vendors
The distinctions between the sub-segments of the broad GRC market are often not clear. And, with a large number of vendors entering this market recently, determining the best product for a given business problem can be challenging. And, given that the analysts don’t fully agree on the market segmentation, vendor positioning can increase the confusion.
There are a large number of companies who offer a “GRC Platform” for managing and tracking GRC activities across an enterprise. These include large, enterprise software vendors such as CA, SAP AG, IBM, and Oracle Corporation as well as a variety of smaller companies who are targeting the GRC Platform market, including Archer Technologies, brinQa, DoubleCheck, Protiviti, ControlCase, ControlPath, Curulis, Proventsure, MetricStream, BWise, Modulo Security, AXENTIS, OpenPages, Trintech, CMO COMPLIANCE, Paisley, QUMAS, Infogov, Security Weaver, MEGA, TWC and several others.
The Forrester Wave: Enterprise Governance, Risk, And Compliance Platforms, Q4 2007 was released on December 21, 2007 and Forrester evaluated 15 leading enterprise governance, risk, and compliance (GRC) platform vendors across approximately 100 criteria. MetricStream, BWise, AXENTIS, OpenPages, Paisley, and QUMAS rounded out the Leaders category. [3]
However, due to the dynamic nature of this market, any vendor analysis is often out of date relatively soon after its publication.
GRC Organizations
Several industry groups focus on GRC exclusively:
- OCEG (Open Compliance and Ethics Group). OCEG is a nonprofit organization that provides a performance framework for integrating governance, compliance, risk management and culture. OCEG has developed a Measurement and Metrics Guide (MMG) for assisting in measuring and reporting on the performance of compliance and ethics programs and processes. This measurement platform advocates that program objectives be aligned with and contribute to the enterprise objectives in a tangible way. In order to achieve desired program outcomes, an organization should design processes and practices that effectively measure the program on three key dimensions: effectiveness, efficiency and responsiveness.[4]
- Legal GRC Center for Innovation, or LGRC Center for Innovation, is a nonprofit professional organization of experts within the legal and business processes industries dedicated to applying the principles of good legal governance, risk management, and compliance within the legal industry. The Center for Innovation strives to produce best-practice guidelines within the realm of legal governance, risk management, and compliance.
References
- [1] Integrated GRC by Nicolas Racz, 2008
- [2] "Products for Managing Governance, Risk, And Compliance: Market Fluff or Relevant Stuff", March 8, 2008 by Trent Henry
- [3] "The Forrester Wave: Enterprise Governance, Risk, And Compliance Platforms, Q4 2007" by Chris McClean, Michael Rasmussen with Alissa Dill, Jonathan Penn, Dec. 21, 2007
- [4] GRC 360 Degrees: Driving Principled Performance by Scott L. Mitchell, "More than Three Letters," Aug. 24, 2007 (OCEG blog)