What is GRC? The rising importance of governance, risk, and compliance
“Governance is who does what, how, and based on what data,” says Tilcia Toledo, senior managing director with FTI Consulting.
“Governance is who does what, how, and based on what data,” says Tilcia Toledo, senior managing director with FTI Consulting. “Governance is about who is in the room, what are they allowed to do or not do, what’s the data they rely on, and what’s the cadence of their actions.”
Toledo says governance applies to multiple levels within the organization, ensuring that the board, management, and workers understand the rules, follow the rules, and face consequences when they don’t.
Risk: The risk management component of GRC ensures that any risk associated with organizational activities is identified and addressed in a way that supports the organization’s business goals. In the IT context, this means having a comprehensive IT risk management process that rolls into an organization’s enterprise risk management function.
Risk speaks to the organization’s risk appetite, which establishes the risks that it is comfortable taking and those it does not, and then managing the residual risk — that is, the risks that remain even after controls for unacceptable risks have been implemented.
“Risk is about where the organization wants to play and where it does not want to play. It is about those boundaries it does not want to cross at this time,” Toledo adds, noting that enterprise risk is constantly evolving.
Compliance: The compliance function within GRC is aboutmaking sure that organizational activities happen in a way that meets the laws and regulations relating to those activities. For example, this means making sure that IT systems and the data contained in those systems are used and secured properly.
Compliance encompasses the laws and regulations that the organization must follow as it executes its strategy, Toledo explains. “In other words, what are the laws and the regulatory environment in which the business operates.”
Although governance, risk, and compliance each focus on specific requirements, Toledo says they overlap and work together. For example, the risk function relies on governance practices to mitigate risk by implementing controls and by alerting supervisors if actions go outside the organization’s risk boundaries.
The strategic nature of GRC in the digital era
Governance, risk and compliance have been longstanding elements for organizational success, but enterprise executives and GRC experts say GRC has become more of a top priority for organizations due to the increasing complexity of doing business in a digital era where being globally connected is standard, not the exception.
Modern threats such as cyberattacks and data breaches have heightened the need for a strong GRC strategy within all organizations, and the growing volume of laws and regulations around protecting and securing data also puts pressure on organizations to have a mature GRC function. So, too, do the consequences of falling short in any of the three areas, as organizations that suffer a successful cyberattack or fail to protect the data it holds can be significant if not catastrophic.
“I view GRC as something that is strategic because when it is functioning properly, it protects the organization. It helps preserve it and retain things like a strong reputation,” Toledo says.
How GRC works in the enterprise
Like other parts of enterprise operations, GRC comprises a mix of people, process, and technology.
To implement an effective GRC program, enterprise leaders must first understand their business, its mission, and its objectives, according to Ameet Jugnauth, the ISACA London Chapter board vice president and a member of the ISACA Emerging Trends Working Group.
Executives then must identify the legal and regulatory requirements the organization must meet and establish the organization’s risk profile based on the environment in which it operates, he says.
“Understand the business, your business environment (internal and external), your risk appetite, and what the government wants you to achieve. That all sets your GRC,” he adds.
The roles that lead these activities vary from one organization to the next. Midsize to large organizations typically have C-level executives — namely a chief governance officer, chief risk officer, and chief compliance officer — to oversee these tasks, McKee says. These executive lead risk or compliance departments with dedicated teams.
Smaller companies typically task GRC responsibilities to either directors or managers —a compliance manager or director or risk management — or they may assign GRC responsibilities to other executives.
GRC roles and responsibilities
According to Stanley, GRC often cascades down from the top tiers of leadership, with roles and responsibilities breaking down as follows:
- Board of directors: provides oversight and approval of policies and strategic decisions
- CEO: provides leadership and ensures GRC efforts are adequately resourced
- Chief risk officer: provides leadership for risk management efforts, such as the assessment and reporting of risks to the board and executive management
- Chief compliance officer: provides compliance oversight and training and communication regarding compliance
- CIO/CTO: provides risk management for technology and digital assets, as well as and compliance and security for all IT
- CFO: provides compliance and reporting on financial regulations and risk management of an organization’s financials
- Legal: provides compliance to all legal requirements while managing legal risks
- HR: implements HR-related GRC policies, such as an authorized use policy and employee behavior policies
- IT: provides data protection and security with policies and controls
- Department heads: implement GRC processes and controls within their respective departments and identify and manage risks specific to their department
- Internal audit: provides independent evaluation and recommendations for improvement
- Employees: adhere to policy and report any risk or compliance issues they observe
“There are also cross-functional GRC teams stood up for specific GRC initiatives, combining expertise from various departments,” Stanley adds.
Even so, GRC responsibility and accountability is shared, and they often roll up to the highest levels of the organization, with CEOs ultimately responsible and accountable, experts say.
GRC certifications
Although GRC professionals have various academic and professional backgrounds, many have earned certifications focused on risk, compliance, and/or governance, including the following.
- ISACA Certified Information Security Manager (CISM)
- ISACA Certified in Risk and Information Systems Control (CRISC)
- ISACA Certified Information Systems Auditor (CISA)
- ISC2 Certified in Governance, Risk and Compliance (CGRC)
- OCEG GRC Professional (GRCP)
- OCEG GRC Auditor (GRCA)
Other options include the Institute of Internal Auditors’ Certified Internal Auditor (CIA) certification, with a focus on compliance, and the Certification in Risk Management Assurance (CRMA), with a focus on risk.
GRC frameworks
GRC leaders typically use a framework to organize and execute GRC duties. GRC frameworks, like all frameworks, specify clearly defined measurables that shine a light on the effectiveness of an organization’s GRC efforts, providing building blocks that organizations can (and should) tailor to their environment.
Frameworks include:
- ISACA’s COBIT for IT governance
- ISACA’s IT Risk Framework
- COSO for internal controls
- Various NIST frameworks and standards
GRC software
GRC software also supports enterprise GRC programs by enabling organizations to create and coordinate policies and controls, as well as to map them to regulatory and internal compliance requirements.
These software options, typically offered as subscription-based SaaS, also automate many processes, which increases efficiency and reduces complexity.
GRC culture
Although frameworks help organizations establish solid GRC programs and GRC software help enable them, the decision-making, resource and portfolio management, risk management, and regulatory compliance functions included in such frameworks will not be effective unless the organization’s executive leadership also supports cultural change.
More on IT governance:
About Author
