Businesses, organisations and government agencies all over the world are facing governance, risk and compliance (GRC) challenges on a daily basis. Traditionally, these challenges are tracked, measured, managed, treated, solved and reported upon separately by specialists in the respective GRC domains. With increasing complexity and a growing need for information, the integration of the GRC domains is not only a logical step but a necessity.
What is governance, risk and compliance?
OCEG defines GRC as:
- Governance is the culture, policies, processes, laws and institutions that define the manner in which companies are directed and managed.
- Risk is the effect of uncertainty on business objectives; risk management is the coordinated activity to direct and control an organisation to realise opportunities while managing negative events.
- Compliance is the act of adhering to and demonstrating adherence to external laws and regulations as well as to corporate policies and procedures.
GRC systems have become tightly linked to ERP (Enterprise Resource Planning) systems although their nature and objective are different. ERP systems include GRC modules and GRC system providers include interfaces to ERP systems as standard functionality. The key rationale is to provide an integrated view of the governance, risk and compliance related to the core business processes, IT included.
GRC systems normally manage four domains: risk management, internal control, incident management and internal audits. At a high level, most other GRC domains can be covered and managed by these four main domains. In the case of the compliance domain, implemented internal controls ensure compliance with existing rules and regulations as well as internal policies and procedures. Identified breaches of laws and regulations are reported and managed as incidents. New and upcoming rules and regulations, as well as other compliance requirements, are identified through risk assessments and managed by action plans until they are included in the internal control system. Internal audit can then use internal control as a basis and include both risk management results and relevant incidents that have occurred in the actual audit.
The value of an integrated GRC system
Managing GRC information in various spreadsheets or standard office applications is still a very common practice. This setup is usually satisfactory until an organisation wishes to combine and aggregate the gathered information. This becomes expensive and ineffective as it normally requires extensive conversion between formats and definitions. In the worst case, the obtained information is irrelevant or misleading. An integrated GRC system improves efficiency within organisations in three key aspects:
- Organisations can move from fragmented data collection to asking critical questions once, hence reducing impact on business
- Stand-alone GRC systems (i.e. one system per GRC domain) are replaced with one integrated GRC system, which reduces cost and complexity while increasing the likelihood of effective and efficient collaboration
- Overlapping reporting is replaced with integrated reporting, thus showing consistent and recognisable information, with a different focus and purpose, to management and the board
Besides saving cost and effort, the value of an integrated GRC system is often realised even before the actual implementation starts. In order to integrate the current GRC data smoothly into the new integrated GRC system, it is necessary for organisations to create a common understanding and internal agreement on how the systems and processes should be defined. Organisations learn about ownership and accountability as well as how to anchor the different roles and responsibilities in the organisation for the integration to be a success.
While it should be noted that creating and working with a new standard is a journey that many may find cumbersome initially (as it requires a change in mind-set and action), it has visible payoffs. Not only does management information become instantly accessible and more accurate, the occurrence of incidents is subsequently reduced. Most importantly, organisations no longer find themselves focusing on the troubleshooting of problems, but are able to direct their attention to supporting business enhancements.
Being able to manage GRC challenges in a transparent and cost-effective way, while avoiding bureaucracy and process lock-down and allowing for development and change, has the potential to become a competitive advantage. Maintaining control is a strategic enabler in an ever-changing environment.