The phrase “Governance, Risk and Compliance”, or “GRC”, is a common catchphrase among corporate customers, analysts, technology vendors and consultants. It is often used in the context of organizational struggles to meet the legal obligations associated with information management. But what does GRC really mean?
“GRC” is a complicated concept because it encompasses such a broad scope. Take just the “C” in GRC. Compliance can involve everything from the rules for electing members of a corporate board of directors, to how executive compensation is derived and reported, to financial audits, to integrity training, to data collection and preservation for lawsuits, to protection of the environment, and much more. Many analysts, vendors and customers (across disparate functions such as Legal, Finance, HR, Compliance and IT) struggle to define what they mean by “compliance”. Indeed, different groups within the same organization may define it in completely different ways.
Similarly, the term “GRC” has some historic baggage because of the way the term has been used by vendors and analysts. For example, some analysts apply the term “GRC” exclusively to workflow tools that track compliance with the Sarbanes-Oxley law, others use “GRC” to mean only those products that monitor and log IT system activities, and so on. This article seeks to clarify the meaning of GRC as it relates to information management, because once understood, “GRC” captures a powerful reality about how organizations set information policies.
GRC: The Process of Setting Information Policies
GRC is a way of understanding how organizations, and departments within them, assess risks, determine priorities, allocate assets and investments, and ultimately set policy. It is helpful to start by breaking down and defining the elements of GRC.
Governance is the act or process of setting policy for an organization.
Compliance is the act or process of adhering to those policies and being able to prove it.
Risk management is a disciplined way to address uncertainty, to allocate resources, and to balance risk and opportunity based on organizational goals and tolerance for risk.
The set of activities reflected in the term “GRC” is typically implemented by a management team with a charter to set policy (“governance”); to assess risk and determine priorities (“risk”), because there will never be enough resources to do everything, and risk cannot be eliminated but must be embraced to achieve business goals; and to ensure that the organization’s policies are understood, followed and enforced (“compliance”).
“Corporate governance” refers to the way that public corporations are run. It typically includes “governance structures” that set the policies (such as a Board of Directors to represent the interests of shareholders, and executive committees to set the strategy and run the business). It often also includes a mission statement and supporting ethics training and communications to set a cultural tone (so that employees within the corporation will be more likely to act within the policies even when they don’t know precisely what all the policies say). Since information is so critical to every organization, GRC processes are often applied at the corporate level to seek to maximize the value of information and minimize its costs and risks. Many organizations have begun setting up cross-functional committees of executives (often the General Counsel, Chief Information Officer, Chief Financial Officer, and others) who are tasked with assessing key security, compliance and information management opportunities and challenges. These compliance committees often assess a range of information management choices, triage based on which categories of information are the most critical and the most sensitive, and then sponsor information management and protection projects based on business priorities and return on investment (“ROI”) justifications.
For example, a “Corporate GRC” process may lead to a policy decision that the personally identifiable information (“PII”) of a company’s customers – such as names, addresses, account numbers, social security numbers and the like – must be segregated, securely managed, and that certain statutory obligations to protect such information must be met or exceeded. This policy decision might be driven by a combination of legal requirements, the desire to reduce public relations risk, the opportunity and differentiation created by offering privacy protections to customers that are superior to the competition, and an organizational desire to do the right thing.
The IT department typically has responsibility to implement many of the information policies set through corporate GRC processes. IT also has its own charter to properly manage the information infrastructure. In the example above, a set of “IT GRC” policies and supporting processes might be applied to help implement the “Corporate GRC” policy. Thus, a corporate policy (“secure the PII and meet or exceed applicable regulatory requirements”) results in a series of IT implementation policies (e.g. “access to customer systems and applications containing PII will be strictly limited, multifactor authentication will be required, PII content will be automatically encrypted”, and so on).
Conclusion
Despite some of the confusion about the meaning of GRC, it is a powerful concept because it captures and summarizes a reality about how organizations set priorities, manage risks, allocate assets and set policy, including information management policy. The term GRC is best understood when each of its elements is broken down (G, R, and C), when the domain to which a policy is being applied is articulated (e.g. information), and where there is an understanding of the organizational context (e.g. “corporate”, “IT” or other company department).
A big hello from me to everyone. My name is Nathan, I am very grateful to you for sharing this information with us.
Posted by: ClubPenguinCheats | March 21, 2011 at 07:08 PM
Wow, great post. Nice work, I would like to read your blog every day. Thanks
Posted by: アンカロン | April 19, 2011 at 05:08 AM
There can be hundreds of millions what individuals are convinced typically the Messiah seems to have can be purchased. Should the guy could, therefore it happens to be alas the outcome who your partner's daring sacrifice not to mention departure experience certainly no appearance anything at the especially concern your partner's getting might have been supposed to treat, for the purpose of back ground shows that, other than subject, that marilyn and i Christians are generally simply as perilous, singly not to mention en masse, for the reason that non-Christians.
Posted by: GHD Straigheners | April 29, 2011 at 12:17 AM
Hello, you have done a very good job. There are many people looking for that; now they will find enough sources through your tips. Waiting to get more tips about that.
Posted by: Generic Aspirin | May 07, 2011 at 03:27 AM
There are many people searching about that; now they will find enough resources through your post.
Posted by: Networking solutions | May 07, 2011 at 04:24 AM
Is est vere interesting, tristique eget nulla ipsum. Lorem ipsum dolor sit amet quaeris ultra victum et tuos contulit vester iste stipes. Sed facilisis mi in amicabiliter networks dedi!
Posted by: Seo Services India | June 18, 2011 at 06:35 AM
I think you are right when you say this. Hats off man, what a superlative knowledge you have on this subject… Hope to see more work of yours.
Posted by: Generic Viagra | June 20, 2011 at 03:45 AM
Wonderful post... Very informational and educational as usual!
Posted by: Klaudia | June 24, 2011 at 12:28 PM
I wanted to know more about specific topics, but not many websites would help me by informing me as I expected. It left me with many questions, but after reading the article, I got answers to all my questions. Too good, buddy!
Posted by: Generic Drugs Exporter | July 23, 2011 at 04:00 AM
Interesting, will want more info on this
Posted by: SEO Services Company | July 29, 2011 at 10:06 PM
I'm glad about this extraordinary page, charity; this is a form of matter that I support, but it sees day. We out 'was often heard lately of wanting on your website right immediately after. Hey,
Great idea, I would like to read your post every day,
Posted by: Buy Topamax Online | August 08, 2011 at 02:36 AM
Be nice to visit your blog once again, it has been months for me. So this article is one I have been waiting for for a long time. I need this article to complete this assignment at school, and it has Sam's topic with your article. Thanks, great sharing.
Posted by: Allegra | August 09, 2011 at 12:00 AM
I really enjoy reading your posts because I learn a lot from them. I also broaden my thinking as far as what I can use and do things.
Posted by: Avodart | August 09, 2011 at 10:24 PM
Most tourists to Europe tend to visit cities and use the available train system, buses, taxis, or they bicycle or walk. So it may seem that the residents of these cities don't need cars. And they probably don't. I also wouldn't need a car if I lived and worked in SF, NY, Washington DC, or Philadelphia. But all Europeans don't live in cities. I have friends who live outside of Brussels and they have to commute on a jam-packed freeway just like I do. Their parents live in small French towns and while there are trains to get there from Paris, they still have to drive to the station to pick up guests. It's too far to walk and the only other source of transportation is a taxi. Just like in the US.
Posted by: nike shox shoes outlet | August 10, 2011 at 08:16 PM
In your blog I feel your enthusiasm for life. thank you.
Posted by: Ralph Lauren Outlet | August 11, 2011 at 12:38 AM
GRC means “Governance, Risk and Compliance”. It summarizes a reality about how organizations set priorities, manage risks, allocate assets and set policy.
Nice post
Posted by: Herve leger | August 29, 2011 at 01:55 AM
Be to act, that each tomorrow.
Posted by: Herve leger | August 30, 2011 at 07:31 PM
I wonder how you got so good. This is really a fascinating blog, lots of stuff that I can get into. One thing I just want to say is that your Blog is so perfect!
Posted by: Generic Viagra | September 19, 2011 at 03:37 AM
Great information you got here. I've been reading about this topic for one week now for my papers in school and thank God I found it here in your blog. I had a great time reading this.
Posted by: Generic Viagra | October 21, 2011 at 01:46 AM
Blessed be God, the Father of Christ Jesus our Lord, who in Christ has blessed us from heaven with every spiritual blessing.
Posted by: uggs sale | October 25, 2011 at 12:39 AM
There is nothing much better than having a good couple of traditional athletic shoes.
Asics Tiger Shoes When it comes to the best vintage footwear on the market, the onitsuka tiger shoes are the best selection around. This running shoe is almost perfect.
Belstaff Mens Bags The performance that onitsuka tiger mini may easily achieve is great, and onitsuka tiger rotation 77 is one of the most eye-catching and classy shoes out there.
language learning software If you are contemplating buying some sneakers, then this shoe deserves to always be your first choice to purchase. This is one kind of shoes you are not likely to regret.
Posted by: Hogan Online | December 10, 2011 at 12:47 AM
Don't know what is wrong, what is right, but I know that everyone has their own point of view and the same goes for this one
Posted by: bags mulberry | December 25, 2011 at 06:19 AM