Governance, risk management, and compliance (GRC) is the umbrella term covering an organization's approach across these three areas: governance, risk management, and compliance. The GRC operations of major companies and institutions are monitored by high-tech computerized systems.
Governance
Describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.
Governance of risk management is the attention given to preventing excessive risk management by keeping in mind the organization’s appetite for risk. Sufficient countermeasures are required rather than excessive, unnecessary and pointless measures. The risk of risk management is that the good intentions become wasteful expenditure or impediments to growth, innovation and opportunity.
Risk management
Is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.
Compliance
Means conforming to stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.
Compliance management is the process which ensures that a given set of people is following a given set of rules. The rules are referred to as the compliance standard or compliance benchmark, while the process is what manages their compliance.
Compliance management can take many forms. It can be a mix of policies, procedures, documentation, internal auditing, third party audits, security controls, and technological enforcement. There are two recognized models for implementing compliance management.
Model 1: The Ten Commandments
This model sets forth the rules and vigorously punishes those who do not comply with the rules. There is often minimal recourse for transgressions. This model is largely inflexible and suffers from significant breakdown when there is room for interpretation. It works well when there is little room for dissent regarding the compliance.
For example, if a manufacturing rule states that all ball bearings will be 1 inch in diameter, plus or minus 0.1%, at 65 degrees Fahrenheit, the standard is clear. However, it does not work well if, for example, the temperature were neglected, as metals may change size with the temperature.
Similarly, a requirement for a specific Windows service that must be disabled at all times would do well in this model, but not if the caveat existed which stated “unless it severely impacts a critical business process”. What constitutes “severe” or a “critical business process” is ambiguous, at best.
Model 2: Quality Management
The Quality Management method allows for judgement calls to be made in many circumstances, even though the regulations may explicitly state that a rule is required to be followed. It is generally understood that not every rule can be followed in every instance and thus, exceptions must be made to allow the business to operate as best it can, while following as many of the rules as possible.
This model has been widely adopted and has been largely successful. This model is especially important because many companies which are required to follow a compliance standard often have multiple standards to follow, some of which may overlap or conflict with one another. When two standards oppose each other for the same company, who has the authority to say which one is to be followed?
This model allows for some flexibility on the part of the company implementing the standards to make those judgement calls without being harshly penalized for something which may not make sense for the company.