Governance, risk and compliance FAQ: What does GRC mean to IT strategy

Learn how GRC coordinates governance, risk and compliance with IT strategy to create a more responsive and transparent organization.

Governance, risk management and compliance are typically handled in separate parts of the enterprise by separate teams of people. Even the silos are siloed -- especially in compliance, where industry and government regulations keep multiplying. In an effort to stay on top of these obligations, organizations have resorted to a check-the-box, or "letter of the law," approach to compliance. That has resulted in redundant controls, multiple variations on a process and, in some cases, inadequate protection against threats.

The model, however, is changing. If ever there was a time when having a unified view of risk seemed valuable, the "Great Recession" was it. Efficiency is a necessity when resources are scarce and risks are great. Governance, risk and compliance (GRC) aims to coordinate the three activities.

In this FAQ, get more information on why more companies are now looking at GRC as a useful framework for rationalizing their risk and compliance environments, plus a rundown of some of the tools and best practices that can help.

What is GRC?

GRC -- or governance, risk and compliance -- refers to the coordination of the people, processes and technologies involved in each of these areas across an enterprise. GRC aims to provide better visibility into a company's risk posture. Governance, risk management and compliance are not new disciplines, but the need for an enterprise-wide approach has been underscored recently by factors that include the rising costs of compliance, legal and shareholder demands for more accountability from top management and the rapid proliferation of new risks.

Christopher McClean, an analyst at Cambridge, Mass.-based Forrester Research Inc., described GRC as a framework with a twofold purpose: "to make those processes more efficient by reducing redundancy and facilitating those processes by providing better oversight and decision-making."

Any definition of GRC today cannot gloss over the fact that the term, which came into vogue a few years ago, remains ill-defined. Even consultancies that promote the approach acknowledge the problem. In its most recent review of the GRC market, Stamford, Conn.-based Gartner Inc., for example, called GRC an "overused term that can cause confusion and misrepresentation." Similarly, Midvale, Utah-based Burton Group Inc. began its in-depth research overview of GRC by stating "there is no such thing as GRC," while advocating that governance, risk and compliance should be related.

"Compliance works best when it uses risk management techniques to reduce not just liability but also loss. Risk management works best when governance requires it to identify risks to be taken as well as risks to be avoided. And governance relies upon risk management and compliance activities to provide timely information about the status and loss exposure of the organization," according to Burton analyst Trent Henry.

Eric Holmquist, president of Holmquist Advisory LLC, calls GRC "the latest buzzword." But he said its intent is important. Organizations need more integrated, holistic risk management systems. "GRC is getting beyond both operational silos, as well as the risk discipline silos to truly layer risk management into the fabric of the organization. Risk management has to be built into the culture. It has to be part of our DNA."

Doing all of the above remains a significant challenge for business, because most enterprises lack a common language for risk. In addition, risk and compliance are only beginning to be embedded in business processes. For more information on some of the hurdles to realizing GRC, consult the Open Compliance & Ethics Group (OCEG), a nonprofit that offers guidelines, standards and tools for implementing GRC.

Who or what is affected by GRC?

"Everybody in the organization" is the glib answer to who is affected by GRC. "Every individual has risk implications tied to him or her," said Forrester's McClean, echoing the views of other experts.

That said, the responsibility for governance falls to senior executive management. Governance creates business transparency (and business value) by establishing standard procedures. In addition to the CEO and the board of directors, policy setters can include the chief financial officer, chief risk officers, CIOs and audit. The responsibility for IT governance, a technical discipline, falls to the CIO. Burton Group's Henry defines governance as "roundtrip management," organized so that policy and responsibility flow down and accountability and assessments flow up. "It's a cyclical activity."

The responsibility for risk management is shared by the business unit executives, the CIO and the CFO. Risk management is an "old discipline," said Henry. The policies and tools for managing physical and personnel security risks, as well as financial risks, have developed over centuries. IT adds another dimension to the risks, as well as remediation.

Enterprise risk management (ERM) aligns performance and risk with the goals and objectives of the business. As the "too big to fail" banks and American taxpayers discovered in this recession, individual units can perform profitably and simultaneously pose huge risks for the enterprise. ERM can be applied companywide or to meet the objectives of a single department, such as IT. While ERM has many of the same objectives as GRC, it is not a substitute for GRC, although there is some disagreement over whether GRC is a subset of ERM or the other way around.

The responsibility for compliance is shared by many executives, usually at the vice president level. Human resources, audit, corporate counsel and the CIO are all involved in understanding the compliance requirements. The aim in GRC is, first, to coordinate those compliance efforts and processes, and second, to move to a more risk-based approach to compliance.

Most people tasked with compliance consider it a requirement, not a risk, said Carole Stern Switzer, president of Phoenix-based OCEG. But compliance should not be exempt from the economic constraints that force every other part of the business to calculate the risks versus benefits of their investments, Switzer said. "It's the proverbial 'don't spend a million dollars to fix a $500 problem,'" she said. Organizations need to take a risk-based approach to compliance, and GRC will help them do that, she said.

Holmquist raises another aspect of GRC governance: the tension between managing by intuition and managing by framework. "Every organization has to determine where they fit on that continuum. You can't manage entirely by intuition. You have to have some set of controls. And you can't manage entirely by rigid framework. Nobody will want to work there. People have to figure out what is their tolerance level for how much structure they're going to have. To me, that is the heart of GRC: building systems which allow you to identify and mitigate risk while ensuring compliance, which means looking at how you govern, how you do things."

Figuring out who owns what part of the governance, risk and compliance process can be a struggle. "There are a lot of political challenges about who owns what part of the GRC process," McClean said. "Audit has a clear idea of what their purview is; risk and compliance are the same; getting all groups to work together is a fairly big hurdle."

What is the role of IT in implementing GRC?

IT plays two roles in GRC. IT must deal with its own internal risks: data breaches, privacy, internal data governance and so on. "There are many different risks related to IT specifically, requiring a set of risk assessments, controls and mitigation," McClean said.

In addition, IT should play a role in business-level GRC, implementing the tools that will help with the flow of information. IT, for example, will help design the applications and platforms for conducting risk assessments and training employees and pull in the information from systems throughout the enterprise that measure risk, McClean said. In terms of the practical implementation of GRC, IT plays a large role.

"What IT wants to avoid is being tasked with creating the rules and responsibilities of the GRC program -- who is going to be involved, how often to conduct assessments," McClean said. "These are decisions made at the board and C-level, not by IT."

Some CIOs are being asked to oversee GRC. "I am surprised by this," McClean said, "but it can be argued that because IT has broad reach, touching every part of the business, it makes sense to put IT in charge." Or a company may tap IT to fill the role of chief risk officer, a person charged with tying together separate areas of risk, such as environmental health and safety, IT security, business continuity and financial risk, so the organization can see its exposure across these areas. Still, if GRC strategy does not come from the board, the CEO, the CFO and head of risk, "it will be a very limited program," McClean said.

What are the most important frameworks?

GRC frameworks provoke as much debate as the three-letter term itself. Holmquist points to "only two frameworks" that matter for GRC: COSO and the Control Objectives for Information and related Technology, or COBIT.

Five major accounting associations formed the Committee of Sponsoring Organizations (COSO) in 1985 to address factors that lead to fraudulent financial reporting and develop guidance on internal controls. COBIT is an international open standard developed in the 1990s that defines requirements for the control and security of sensitive data and provides a reference framework. Both are broadly accepted and used by audit for reviews.

"In the end, a framework is nothing more than a structured approach to common sense. If you've already got systems to identify, mitigate, monitor and manage risk, you've got a framework," Holmquist said.

Forrester's McClean agreed that many organizations use COSO as a foundation for GRC, but added, "There are actually no very good GRC frameworks. GRC is more about combining best practices from audit, compliance and risk."

Organizations need to develop a common language for risk if they want to practice GRC. Standards that can help organizations do this include COSO ERM, the Australian/New Zealand AS/NZS 4360 and ISO 31000. Also, OCEG is working to develop an international governance, risk and compliance standard.


What are the most cost-effective GRC tools?

When it comes to software GRC tools, buyer beware.

Some of the GRC platforms on the market are "frankly, a little bit ahead of the ability to use them," said McClean. The majority of risk and compliance functions are still done on email and Microsoft Excel spreadsheets. Some organizations are using Microsoft's SharePoint platform to track compliance.

Another caution: Most GRC products were originally built to address specific requirements for specific areas of the business, such as IT, finance and operations. Software marketed as comprehensive GRC solutions functioned in fact as standalone tools that did not integrate well with the software that manages mainstream business processes.

Although GRC management functions can span all three categories of IT, finance and operations, "controls typically address risks in only one category and don't overlap," Gartner cautioned in its GRC market review last year. For example, documentation tracking and dashboarding functions are similar across finance, IT and operations, the report states, but "finance GRC controls, such as finance account reconciliation process, have no overlap with IT controls, such as firewalls."

Leaders in GRC platform technology, according to Gartner, include OpenPages Inc., Paisley Consulting Inc., Archer Technologies LLC and software giant Oracle Corp. Forrester's July analysis of GRC platforms singled out Axentis Inc., BWise and Thomson Reuters Corp. for having "comprehensive GRC programs."

But it may not be realistic to expect to buy everything in one package, said French Caldwell, a Gartner analyst. And the selection of an optimum platform will almost certainly trigger debate. "It is hard to balance the requirements of internal audit vs. the chief risk officer, vs. the CFO or the IT chief risk officer," he said. "Someone is always going to feel suboptimized."

Indeed, experts we interviewed advised CIOs to start by isolating and articulating the GRC issues facing their businesses in the near term. Then look at how technology investments in those areas might have multiple uses within IT and other parts of the business. As one expert put it, don't boil the ocean. And be prepared for turf battles.

Let us know what you think about this FAQ; email Linda Tucci, Senior News Writer.
