
What is GRC?

Governance, risk, and compliance – popularly known as GRC – is a set of processes and procedures to help organizations achieve business objectives, address uncertainty, and act with integrity.

The basic purpose of GRC is to instill good business practices into everyday life. While not a new concept, GRC has grown in stature as risks have become more numerous, more complex, and more damaging.

The acronym GRC was coined nearly two decades ago by OCEG as a shorthand reference to critical capabilities that integrate the governance, management, and assurance of performance, risk, and compliance activities.

GRC today spans multiple disciplines, including enterprise risk management, compliance, third-party risk management, internal audit, and more. While each discipline has its own priorities – and often its own way of doing things – GRC leaders are now recognizing the power of sharing data and intelligence to drive better results and build a stronger, more resilient organization.

What’s Driving Interest in GRC

Today’s risk landscape is more crowded, uncertain, and interconnected than ever. One risk – say a health and safety issue – can spill over to supply chain, business continuity, business relationships, IT security, workforce productivity, and more. At the same time, multiple forces are reshaping the risk terrain, including:

  • Rising pace and scope of regulatory compliance

    Virtually every organization in every industry is facing an ever-growing and ever-changing number of regulations with which they must comply.

  • Accelerating digitization of risk management

    The internet of things, third parties, blockchain … every new point of access expands the attack surface, and the risks it introduces compound as those points connect with one another.

  • Growing importance of risk management in corporate strategy

    Risk management is increasingly viewed not just as a tactical function, but as a valuable part of corporate strategy.

  • Evolving sophistication of analytics

    Better analytics are delivering new levels of insight for data-driven decisions.

The influence of social media, constant threats of cyberattacks, and demands for greater transparency are also increasing the pressure on executives and boards to make wise decisions about risk at an accelerated pace with little room for error. Senior leaders, in turn, are relying on an increasing number of stakeholders from all corners of the organization to identify, manage, and reduce risk.

To steer the organization toward success, leaders need to access facts quickly – and use those facts to inform their response. A comprehensive GRC strategy can pave the way by removing silos and building collaboration for faster, more accurate, and more coordinated action.

What Does GRC Mean – in Theory and in Practice?

There are three main components of GRC:

  • Governance — Aligning processes and actions with the organization’s business goals
  • Risk — Identifying and addressing all of the organization’s risks
  • Compliance — Ensuring all activities meet legal and regulatory requirements

In the past, organizations often approached Governance, Risk, and Compliance as separate activities. Processes or systems were frequently created in response to a specific event – e.g., new regulations, litigation, a data breach, or an audit finding – with little thought as to how they fit within the whole. The result was a tangle of inefficiencies, redundancies, and inaccuracies, including:

  • Lack of visibility into the complete risk landscape
  • Conflicting actions
  • Unnecessary complexity
  • Inability to assess the cascading effects of risk

The reality is that there is plenty of overlap between Governance, Risk, and Compliance. Each of the three disciplines creates information of value to the other two – and all three impact the same technologies, people, processes, and information. An organization, for instance, might be subject to a new data-privacy regulation (a compliance activity), while also holding itself to certain internal data-protection controls (a governance activity), both of which help mitigate cyber risk (a risk management activity).

When the three disciplines of GRC are managed separately, there is substantial duplication of tasks. Multiple teams end up spending hours collecting the same data – and hours more untangling email threads and spreadsheets just to begin analysis.

More damaging, disconnected processes and lack of transparency leave the organization blind to insights and interrelationships between risks, undermining the whole system by allowing gaps and redundancies in controls to go unnoticed. Siloed teams also have no understanding of how their particular domain influences the company's risk position as a whole or its overall success.

In short, managing GRC in separate silos is a lot of extra effort – and that effort produces very little reward. Without an integrated view of all GRC-related activities, it is nearly impossible to identify issues and inconsistencies. A damaging risk can easily slip by undetected and unaddressed because its full impact could not be gauged until it was too late.