When we talk about GRC, the first idea that comes to mind is Governance, Risk and Compliance. That is correct, but the acronym can take on different meanings depending on who uses it and how they interpret and put it into practice.
What does GRC mean anyway?
This acronym is a shorthand reference for the set of critical resources that must work together to achieve principle-based performance. It denotes governance, risk management, and compliance, but it means much more than these three terms simply put together.
It is important to remember that organizations have been governed, and their risk and compliance managed, for a long time – so this in itself is not new.
However, many do not approach these activities in a mature way, and the effort expended does not necessarily increase the likelihood of achieving organizational objectives. That is what makes GRC, as we understand it today, something new and revolutionary.
In a forward-looking organization with a well-defined strategy and mission, GRC is seen as a well-structured and integrated collection of all the resources needed to support performance. This is centered around principles and processes at all levels of the organization. So we can say that GRC does not burden the business; it supports and enhances it.
To succeed, we must consider the limits of laws, social customs, and uncertainties that arise regarding potential risks and rewards. Performance management, risk, compliance, and ethical conduct also cannot be separated from the activity of achieving goals. Everything must be aligned and operate through fully integrated governance, risk management, and compliance resources.
People talk about business performance and the need to meet objectives, but that is not enough. Successfully achieving principle-based performance requires coordinated capabilities that address performance in relation to objectives, risk arising from uncertainty, and compliance with mandatory and voluntary requirements, each with consideration of the other. These capabilities must include an integrated governance, management, and assurance plan.
The benefits of integrated GRC resources
Integrating the resources that GRC encompasses does not mean creating a mega department and ending decentralized or programmatic approaches to risk management and compliance. Nor does it necessarily require the use of a single GRC technology system.
Rather, it is about establishing an approach that ensures that the right people get the appropriate and correct information at the right times, that the right objectives are set, and that the precise actions and controls needed to deal with uncertainty and act with integrity are implemented.
A unified vocabulary and taxonomy for information; common repositories for data, documents and information; standardized procedures and templates for items such as policies and training; and regular, consistent communication between all relevant functions, including strategic decision makers: these are all aspects of integrated, effective GRC resources, whether established for company-wide objectives or for specific departments or projects.
The benefits of integrating GRC resources and the negative impacts of an isolated approach are two sides of the same coin. In surveys conducted in 2012 and 2015, the majority of respondents reported positive results from being “on the GRC journey”, while the rest offered a clear picture of the failure of an isolated structure.
In particular, the difference between these two groups was striking in the levels of confidence they have, or do not have, in what they know about threats to the organization and in their ability to manage these threats effectively.
Those who have at least partially integrated GRC resources, compared to those who remain isolated, are three times more likely to feel confident that they can assess their performance against established objectives, and that they have selected and are implementing the right risk and compliance controls to protect the organization.
Some tangible results:
- Better alignment of objectives with the organization’s mission, vision and values;
- Greater agility and confidence in decision making;
- Sustained and reliable performance and value delivery;
- Allocation of capital to the right initiatives at the right time;
- Top-down accountability for key objectives, risks, requirements and related initiatives;
- Significant cost savings within integrated capabilities;
These results enhance the critical attributes an organization needs to be confident and competitive. Confidence comes from being aware of what is happening internally and externally, so that organizations can evaluate information before acting and responding appropriately. It means being agile; moving not only quickly, but with the ability to change direction when necessary to avoid threats or seize opportunities.