Policy Management

Governance Risk & Compliance (GRC)


Governance, risk management, and compliance, or GRC, is the broad term describing an organization's approach across these three closely related areas. Governance, risk and compliance activities are increasingly being integrated and aligned, at least to some extent, in order to avoid conflicts, wasteful overlaps and gaps. While interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.


Governance usually describes the overall management approach through which senior executives direct and control the entire organization - as guided by the organization's board of directors - using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.


Risk management is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect meeting an organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Organizations routinely manage a wide range of risks.


Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.


Widespread interest in GRC was sparked by the US Sarbanes-Oxley Act and the need for US-listed companies to design and implement suitable governance controls for SOX compliance, but the focus of GRC has since shifted towards adding business value through improved operational decision making and strategic planning. It therefore has relevance well beyond the SOX world.


Governance, risk, and compliance, or GRC, are increasingly recognized terms that reflect a new way in which organizations are adopting an integrated approach to these aspects of their business.




Introduction to Principled Performance and GRC


Today's business climate is more complex and more challenging than ever before. Even small businesses, non-profits and government agencies face issues that, historically, affected only the largest international operations. Internal and external stakeholders demand not only high performance, but also transparency into business operations. Contemporary risks and requirements are numerous, ever-changing and fast to impact the organization. And, if that were not enough, the cost of addressing risks and requirements is spinning out of control.


In short, the status quo for many organizations is neither sustainable nor acceptable.


To address this growing web of issues, many organizations have adopted a vision toward Principled Performance - a point of view and approach to business that helps organizations reliably achieve objectives while addressing uncertainty and acting with integrity. 


Principled Performance is enabled by integrating and orchestrating areas that, in many organizations, are fragmented and siloed, such as governance, performance management, risk management, internal control, compliance, and audit. In some organizations, these activities are managed in more than 15 different departments with little if any cross-functional communication. In some organizations, these activities are not really managed at all - literally untouched by modern business process improvement techniques.


While there are numerous functions that contribute to Principled Performance, many organizations use the acronym GRC (governance, risk, and compliance) as a shorthand reference to the collection of activities. It is important to note that every organization engages in the underlying GRC activities to some degree, but many do not yet do so in the integrated way that constitutes effective GRC and enables Principled Performance.


The successful attainment of Principled Performance requires a holistic view that addresses the governance, management and assurance of performance, risk and compliance, each with consideration of the other. As demonstrated by companies that have done so, this integration delivers tangible results.


- Reported cost savings of 30% or more,

- Improved alignment of business objectives with mission, vision and values of the organization,

- Improved capital allocation to the right initiatives at the right time,

- Improved decision-making agility, and

- Top to bottom accountability for key objectives, risks, requirements and related initiatives.


In short, the modern organization must address today's modern environment with modern techniques, including a mix of proactive, detective and responsive actions and controls, if it is to achieve Principled Performance.