What is GRC
Scott Mitchell
Scott is the Founder of OCEG, global nonprofit that created GRC and Principled Performance.
GRC is a three-letter acronym that stands for “governance” + “risk” + “compliance.” While the acronym is simple, the real story of what is meant by GRC includes so much more. and more
What is GRC?
GRC is a three-letter acronym that stands for “governance” + “risk” + “compliance.” While the acronym is simple, the real story of what is meant by GRC includes so much more.
GRC Defined
The first scholarly research was published in 2007—but the original ideas behind GRC were created (invented!) back in 2003 by OCEG. A panel of experts formally defined GRC as a shorthand reference to the critical capabilities used to reliably achieve an organization’s objectives while addressing uncertainty and acting with integrity.
GRC is the capability, or integrated collection of capabilities, that enables an organization to reliably achieve objectives, address uncertainty, and act with integrity; including the governance, assurance and management of performance, risk, and compliance.(www.grcglossary.org)
GRC More than Three Letters
GRC goes beyond the critical roles of governance, risk and compliance. GRC includes other key areas such as internal audit, compliance, risk, legal, finance, IT, HR as well as the lines of business, executive suite and the board itself.
Though the acronym IACRLFITHR may have been more inclusive of all of these areas, 3-letter acronyms are more memorable—and these three letters embodied the areas that required the most work to integrate. Thus, the panel of experts coined GRC.
GRC Goals and Objectives
In other words, GRC refers to the people, processes, technology and information that help an organization achieve Principled Performance. GRC refers to the capabilities that help an organization reliably achieve objectives, address uncertainty and act with integrity.
In this sense, GRC is the pathway to Principled Performance.
Principled Performance is achieved when an organization reliably achieves objectives, addresses uncertainty and acts with integrity.
To be clear, GRC is not a technology. GRC is not a department. GRC is not, at least for our purposes here, a Global Rallycross event sponsored by Red Bull.
GRC refers to the people, processes, technology and information that help an organization achieve Principled Performance—that help an organization reliably achieve objectives, address uncertainty and act with integrity. GRC is the pathway to Principled Performance.
Nothing New. Totally Revolutionary.
It’s important to remember that organizations have been governed, and risk and compliance have been managed, for a long time—in this way, GRC is nothing new.
However, many have not approached these activities in a mature way. Too often, these efforts do not support each other to enhance the reliability of achieving organizational objectives.
In a forward-thinking organization, GRC is viewed as a well-coordinated and integrated collection of all of the capabilities necessary to support Principled Performance at every level. GRC doesn’t burden the business, it supports and improves it. In this way, GRC is totally revolutionary. GRC looks beyond obstacles and sees the opportunities.
Drivers for GRC
But let’s take a step back. Why are companies embracing the GRC mindset and approach?
Well, the need for GRC is greater than ever before given today’s challenging business climate. Even small businesses, nonprofits, and government agencies are facing issues that only large companies had to face in the past. Think of how many of these factors you have to deal with:
- Stakeholders demand high performance along with high levels of transparency
- Fast moving and uncertain technology trends impact what your customers need and want
- Regulations and enforcement are ever-changing and unpredictable
- Third-party relationships and risk is exponentially growing
- Costs of addressing risks and requirements are spinning out of control
- The harsh (and terrifying) impact when threats and opportunities are not identified and addressed
GRC Common Mistakes
To address these drivers, organizations develop all kinds of departments and systems. They put in place things such as:
- corporate governance;
- performance management programs;
- risk management programs;
- compliance programs;
- internal audit departments;
- information security programs;
- corporate social responsibility programs; and so on.
All of these departments are doing very similar things in different ways. And, unfortunately, research finds that these programs tend to be “siloed” and disjointed—and this causes a number of problems:
- High costs because of duplicated and inefficient efforts
- Lack of visibility into risks
- Inability to address third party risks
- Difficulty measuring risk-adjusted performance
- Too many negative surprises
When things are siloed, it is more likely that wrong or counter-productive objectives are established, sub-optimal strategies are selected, and performance is not optimized.
GRC Done Wrong is Natural!
It really drives me crazy when consultants come into a business declaring how dim-witted and foolish executives must be (or must have been) to build nonsensical organizational structures.
My belief is that this “silo-ing” is the result of how businesses naturally grow. It isn’t the result of “dumb” executives who “don’t get it.”
Think about it.
Very few people self-select to be part of a profession that specializes in internal audit, compliance management or corporate governance. Most everyone gets into business or starts a business to do anything BUT governance, risk management and compliance.
Most people start businesses to “make great shoes” or to “make great software” or to “serve customers amazing food” or to “heal patients” and so on. As the business grows, they need to address performance, risk and compliance issues accordingly. Maybe increased labor or information security risks and requirements. Maybe increased financial risk and requirements.
As issue arise, departments (silos!) get created.
It is only with hindsight that the damage caused by multiple silos is clear.
Research shows that very, VERY few organizations have the kind of foresight to avoid siloing these GRC areas. Thus, GRC activities must be integrated and orchestrated once discovered and wherever they are found.
GRC Done Right / GRC Best Practices
Integrating GRC capabilities does not mean creating a mega-department of GRC and doing away with programmatic approaches to risk and compliance management. Nor does GRC call for using only one technology system or GRC platform (though there are some GRC platforms built to address the broad range of GRC capabilities).
Rather, it is about using an approach that ensures the right objectives are established; and that the right actions and controls are put in place to address uncertainty and act with integrity. It is about establishing an approach that ensures the right people get the right information at the right times.
This means that historically fragmented and siloed departments need to get on the same page and understand how they relate with one another. It also means that these departments orchestrate the way that they interact with the business so that information requests and audits leave less of a “footprint” on the lines of business and key value drivers.
In fact, the best approach to GRC is almost invisible. The orchestration of GRC becomes part of the business itself—sort of “baked into” the business—so that business operators “do GRC” as part of “doing business.”
GRC Benefits
When GRC is done right, benefits accrue. Organizations that integrate GRC processes and technology across all or many areas previously siloed report benefits such as:
- Reduced costs
- Reduced redundant or duplicative activities
- Reduced impact on operations
- Achieved greater information quality
- Achieved greater ability to gather information quickly and efficiently
- Achieved greater ability to repeat processes in a consistent manner
GRC Kickstarted
With the help of a panel of over 100 experts, best practices were embodied in the open source GRC Capability Model (commonly called the OCEG Red Book). This guide details:
- Unified vocabulary across disciplines
- Defined common components and elements
- Defined common information requirements
- Standardized practices for things like policies and training
- Identified communication for everyone involved; including strategic decision-makers.
FYI, you may use the GRC Capability model for free. It makes it easier to implement GRC in your organization.
Featured in: Principled Performance , Integrated GRC