The acronym “GRC” stands for governance, risk management, and compliance. But what is the scope of GRC and what are its boundaries? Is it a technology, a tool, or a process? Does GRC refer to the platform? Should your organization maintain a separate GRC department? In this blog, I provide an introduction into what GRC is—answering key questions on where it acts and why it’s important.
What is GRC?
Many people think of a platform when referring to GRC. But GRC refers to a capability that helps an organization achieve its objectives, with responsibility running right across the organization. GRC is a set of processes and practices that runs across departments and functions. GRC might be enabled by a dedicated platform and other tools, although this is not mandatory. While organizations generally don’t need to maintain a separate GRC department, most organizations have a team in place to manage the GRC platform and tools.
What is the scope of GRC?
By definition, the scope of GRC doesn’t end with just governance, risk and compliance management, but also includes assurance and performance management. In practice, however, the scope is further getting extended to information security management, quality management, ethics and values management, and business continuity management.
In order to get a better understanding of GRC, we first need to understand the different dimensions of a business:
The dimensions of a business
- Business, IT and support functions—an enterprise will have business, IT and support functions such as finance, HR, administration, legal, marketing, procurement, audit, etc.
- Resources—required to conduct business, including strategies, policies, standards, procedures, organizational structure, roles and responsibilities, people, processes, technology, information, physical, financial and intellectual assets, and third parties (suppliers, vendors, and contract employees).
- Business attributes—the key attributes of a business include:
- Performance, including goals, targets, outcomes, profitability and SLAs, etc.
- Risk, including financial risk, credit risk, market risk, strategy risk, operational risk, fraud risk, reputational risk, information security risk, technology risk, and compliance risk, etc.
- Compliance, including regulatory compliance (SOX, PCI/DSS, GDPR), legal compliance (labor laws), organizational compliance (policies and standards), security (human, physical, and information security), quality, ethics, and values.
- Governance, management, and operations—governance involves setting directions, optimizing risks and resources, and monitoring performance and compliance to achieve an organization’s objectives. It can be broadly classified into corporate governance, business governance, IT governance, and legal governance. Management involves planning, organizing, leading, coordinating, controlling, and reporting. Operations include executing the process and function.
- Controls—in order to realize value from the business, resources should be utilized efficiently and effectively, and business attributes should be optimized. This is only possible when appropriate controls are implemented and executed. The controls can be classified as management controls, process controls, technical controls, and physical controls. Controls are applied to the resources as well as the attributes.
- Assurance—independent assurance is required to ensure that controls are designed and operating effectively, and compliance requirements are met consistently. It is the responsibility of governance to monitor and obtain assurance. Assurance will be primarily through audits. There are several types of audits: internal and external audits, certification audits, financial audits, IT audits, compliance audits, process audits, and security audits, etc.
The scope of GRC based on the definition and current trends
Why is GRC important?
An effective GRC implementation helps the organization to reduce risk and improve control effectiveness, security, and compliance through an integrated and unified approach that reduces the ill effects of organizational silos and redundancies.
To find out more about Capgemini’s GRC services, contact: email@example.com
Click here to learn more about how Capgemini’s Governance, Risk Management and Compliance service can ensure compliance, enhance your reputation, and deliver real business value.
Click the links to read the other blogs in this series: