Governance, risk and compliance (GRC) refers to a strategy for managing an organization's overall governance, enterprise risk management and compliance with regulations. Think of GRC as a structured approach to aligning IT with business objectives, while effectively managing risk and meeting compliance requirements.
A well-planned GRC strategy comes with many benefits: improved decision-making, better-targeted IT investments, elimination of silos, and reduced fragmentation among divisions and departments, to name a few.
Here are answers to some common questions related to GRC.
Is it "governance, risk and compliance" or "governance, risk and control"?
According to Joanna Grama, director of cybersecurity and IT GRC programs for EDUCAUSE, the "C" in GRC refers to compliance, but she appreciates why some people equate compliance with control. In the IT environment, GRC has three main components:
- Governance: Ensuring that organizational activities, like managing IT operations, are aligned in a way that supports the organization's business goals.
- Risk: Making sure that any risk (or opportunity) associated with organizational activities is identified and addressed in a way that supports the organization's business goals. In the IT context, this means having a comprehensive IT risk management process that rolls into an organization's enterprise risk management function.
- Compliance: Making sure that organizational activities are operated in a way that meets the laws and regulations impacting those systems. In the IT context, this means making sure that IT systems, and the data contained in those systems, are used and secured properly.
Meeting compliance requirements involves IT controls, as well as auditing those controls to ensure they're working as intended. Organizations also use controls to manage identified risks. In fact, the term "GRC" came about in the early 2000s after many highly publicized corporate financial disasters, which left enterprises scrambling to improve their internal control and governance processes (Gartner, 2016).
How does GRC work?
Grama says that organizations develop a GRC framework for the leadership, organization and operation of their IT areas to ensure that those areas support and enable the organization's strategic objectives. The framework specifies clearly defined measurables that shine a light on the effectiveness of an organization's GRC efforts.
Although there are many good software options available to help streamline GRC operations, GRC is more than a set of software tools.
Many organizations consult a framework for guidance in developing and refining their GRC functions rather than creating one from scratch. Frameworks and standards provide building blocks that organizations can tailor to their environment. According to Grama, COBIT, COSO and ITIL are the big players in many different industries.
What is key to a successful GRC implementation?