The phrase “Governance, Risk and Compliance”, or “GRC”, is a common catchphrase among corporate customers, analysts, technology vendors and consultants. It is often used in the context of organizational struggles to meet the legal obligations associated with information management. But what does GRC really mean?
“GRC” is a complicated concept because it encompasses such a broad scope. Take just the “C” in GRC. Compliance can involve everything from the rules for electing members of a corporate board of directors, to how executive compensation is derived and reported, to financial audits, to integrity training, to data collection and preservation for lawsuits, to protection of the environment, and much more. Many analysts, vendors and customers (across disparate functions such as Legal, Finance, HR, Compliance and IT) struggle to define what they mean by “compliance”. Indeed, different groups within the same organization may define it in completely different ways.
Similarly, the term “GRC” carries some historic baggage because of the way vendors and analysts have used it. For example, some analysts apply “GRC” exclusively to workflow tools that track compliance with the Sarbanes-Oxley law, others use “GRC” to mean only those products that monitor and log IT system activity, and so on. This article seeks to clarify the meaning of GRC as it relates to information management, because once understood, “GRC” captures a powerful reality about how organizations set information policies.
GRC: The Process of Setting Information Policies
GRC is a way of understanding how organizations, and departments within them, assess risks, determine priorities, allocate assets and investments, and ultimately set policy. It is helpful to start by breaking down and defining the elements of GRC.
Governance is the act or process of setting policy for an organization.
Compliance is the act or process of adhering to those policies and being able to prove it.
Risk management is a disciplined way to address uncertainty, to allocate resources, and to balance risk and opportunity based on organizational goals and tolerance for risk.
The set of activities reflected in the term “GRC” is typically implemented by a management team with a charter to set policy (“governance”); to assess risk and determine priorities (“risk”), because there will never be enough resources to do everything, risk cannot be eliminated, and some risk must be accepted to achieve business goals; and to ensure that the organization’s policies are understood, followed and enforced (“compliance”).
“Corporate governance” refers to the way that public corporations are run. It typically includes “governance structures” that set the policies (such as a Board of Directors to represent the interests of shareholders, and executive committees to set the strategy and run the business). It often also includes a mission statement and supporting ethics training and communications to set a cultural tone (so that employees within the corporation will be more likely to act within the policies even when they don’t know precisely what all the policies say). Since information is so critical to every organization, GRC processes are often applied at the corporate level to maximize the value of information and minimize its costs and risks. Many organizations have begun setting up cross-functional committees of executives (often the General Counsel, Chief Information Officer, Chief Financial Officer, and others) who are tasked with assessing key security, compliance and information management opportunities and challenges. These compliance committees often assess a range of information management choices, triage based on which categories of information are the most critical and the most sensitive, and then sponsor information management and protection projects based on business priorities and return on investment (“ROI”) justifications.
For example, a “Corporate GRC” process may lead to a policy decision that the personally identifiable information (“PII”) of a company’s customers – such as names, addresses, account numbers, Social Security numbers and the like – must be segregated and securely managed, and that certain statutory obligations to protect such information must be met or exceeded. This policy decision might be driven by a combination of legal requirements, the desire to reduce public relations risk, the opportunity and differentiation created by offering customers privacy protections superior to the competition’s, and an organizational desire to do the right thing.
The IT department typically has responsibility for implementing many of the information policies set through corporate GRC processes. IT also has its own charter to properly manage the information infrastructure. In the example above, a set of “IT GRC” policies and supporting processes might be applied to help implement the “Corporate GRC” policy. Thus, a corporate policy (“secure the PII and meet or exceed applicable regulatory requirements”) results in a series of IT implementation policies (e.g., “access to customer systems and applications containing PII will be strictly limited, multifactor authentication will be required, PII content will be automatically encrypted”, and so on). Each IT policy should be traceable back to the corporate policy it implements, so that compliance can be demonstrated as well as asserted.
Conclusion
Despite some of the confusion about the meaning of GRC, it is a powerful concept because it captures and summarizes a reality about how organizations set priorities, manage risks, allocate assets and set policy, including information management policy. The term GRC is best understood when each of its elements is broken down (G, R, and C), when the domain to which a policy is being applied is articulated (e.g. information), and when there is an understanding of the organizational context (e.g. “corporate”, “IT” or another company department).
This is a very informative blog... I heard of GRC but never even had a clue what it is... until I read your post... brilliant post.
Posted by: Acai Berry | January 20, 2010 at 05:31 PM
GRC means “Governance, Risk and Compliance”. It summarizes a reality about how organizations set priorities, manage risks, allocate assets and set policy.
Nice post
Posted by: western australia flowers | April 16, 2010 at 09:57 PM
This is why I visit your site daily. Great read, thanks. Incidentally, http://www.rapidhawk.com has a similar topic.
Posted by: Monty | July 25, 2010 at 02:04 AM
Interesting, will want more info on this.
Posted by: Vigrx reviews | September 15, 2010 at 12:23 PM
Hello! A big hello from me to everyone. My name is Nathan, and I am very grateful to you for sharing this information with us. I hope you keep writing more; I would greatly appreciate it if you sent me more information, as I'm passionate about these topics!
Posted by: Impotence causes | October 14, 2010 at 08:28 PM