The phrase “Governance, Risk and Compliance” or “GRC” is a common catchphrase among corporate customers, analysts, technology vendors and consultants. It is often used in the context of organizational struggles to meet legal obligations associated with information management. But what does GRC really mean?
“GRC” is a complicated concept because it encompasses such a broad scope. Take just the “C” in GRC. Compliance can involve everything from the rules for electing members of a corporate board of directors, to how executive compensation is derived and reported, to financial audits, to integrity training, to data collection and preservation for lawsuits, to protection of the environment, and much more. Many analysts, vendors and customers (across disparate functions such as Legal, Finance, HR, Compliance and IT) struggle to define what they mean by “compliance”. Indeed, different groups within the same organization may define it in completely different ways.
Similarly, the term “GRC” carries some historic baggage because of the way vendors and analysts have used it. For example, some analysts apply the term “GRC” exclusively to workflow tools that track compliance with the Sarbanes-Oxley law, others use “GRC” to mean only those products that monitor and log IT system activities, and so on. This article seeks to clarify the meaning of GRC as it relates to information management, because once understood, “GRC” captures a powerful reality about how organizations set information policies.
GRC: The Process of Setting Information Policies
GRC is a way of understanding how organizations, and departments within them, assess risks, determine priorities, allocate assets and investments, and ultimately set policy. It is helpful to start by breaking down and defining the elements of GRC.
Governance is the act or process of setting policy for an organization.
Compliance is the act or process of adhering to those policies and being able to prove it.
Risk management is a disciplined way to address uncertainty, to allocate resources, and to balance risk and opportunity based on organizational goals and tolerance for risk.
The set of activities reflected in the term “GRC” is typically implemented by a management team with a charter to set policy (“governance”); to assess risk and determine priorities (“risk”), because there will never be enough resources to do everything, and because risk cannot be eliminated and must be accepted to achieve business goals; and to ensure that the organization’s policies are understood, followed and enforced (“compliance”).
“Corporate governance” refers to the way that public corporations are run. It typically includes “governance structures” that set the policies (such as a Board of Directors to represent the interests of shareholders, and executive committees to set the strategy and run the business). It often also includes a mission statement and supporting ethics training and communications to set a cultural tone (so that employees within the corporation will be more likely to act within the policies even when they don’t know precisely what all the policies say). Since information is so critical to every organization, GRC processes are often applied at the corporate level to maximize the value of information and minimize its costs and risks. Many organizations have begun setting up cross-functional committees of executives (often the General Counsel, Chief Information Officer, Chief Financial Officer, and others) who are tasked with assessing key security, compliance and information management opportunities and challenges. These compliance committees often assess a range of information management choices, triage based on which categories of information are the most critical and the most sensitive, and then sponsor information management and protection projects based on business priorities and return on investment (“ROI”) justifications.
For example, a “Corporate GRC” process may lead to a policy decision that the personally identifiable information (“PII”) of a company’s customers – such as names, addresses, account numbers, social security numbers and the like – must be segregated, securely managed, and that certain statutory obligations to protect such information must be met or exceeded. This policy decision might be driven by a combination of legal requirements, the desire to reduce public relations risk, the opportunity and differentiation created by offering privacy protections to customers that are superior to the competition, and an organizational desire to do the right thing.
The IT department typically has responsibility for implementing many of the information policies set through corporate GRC processes. IT also has its own charter to properly manage the information infrastructure. In the example above, a set of “IT GRC” policies and supporting processes might be applied to help implement the “Corporate GRC” policy. Thus, a corporate policy (“secure the PII and meet or exceed applicable regulatory requirements”) results in a series of IT implementation policies (e.g. “access to customer systems and applications containing PII will be strictly limited, multifactor authentication will be required, PII content will be automatically encrypted”, and so on).
Despite some of the confusion about the meaning of GRC, it is a powerful concept because it captures and summarizes a reality about how organizations set priorities, manage risks, allocate assets and set policy, including information management policy. The term GRC is best understood when each of its elements is broken down (G, R, and C), when the domain to which a policy is being applied is articulated (e.g. information), and when there is an understanding of the organizational context (e.g. “corporate”, “IT” or another company department).