Using governance, risk and compliance systems to deliver business benefits

Assurance & Compliance, Governance, Risk Management

Governance, risk and compliance systems are getting more and more attention at management and board level. Companies and organisations are struggling to manage governance, risk and compliance in a cost-effective way. Outdated and hard-to-maintain spreadsheets are piling up and the business is left without proper control. Organisations in general, and IT in particular, need an efficient and effective way of maintaining control. This is not only for compliance reasons, but also to support continuous change and development.

Businesses, organisations and government agencies all over the world are facing governance, risk and compliance (GRC) challenges on a daily basis. Traditionally, these challenges are tracked, measured, managed, treated, solved and reported upon separately by specialists in the respective GRC domains. With increasing complexity and a growing need for information, the integration of the GRC domains is not only a logical step but a necessity.

What is governance, risk and compliance?

OCEG defines GRC as:

  • Governance is the culture, policies, processes, laws and institutions that define the manner in which companies are directed and managed.
  • Risk is the effect of uncertainty on business objectives; risk management is the coordinated activity to direct and control an organisation to realise opportunities while managing negative events.
  • Compliance is the act of adhering to and demonstrating adherence to external laws and regulations as well as to corporate policies and procedures.

GRC systems have become tightly linked to ERP (Enterprise Resource Planning) systems, although their nature and objective are different. ERP systems include GRC modules, and GRC system providers include interfaces to ERP systems as standard functionality. The key rationale is to provide an integrated view of the governance, risk and compliance related to the core business processes, IT included.

GRC systems normally manage four domains: risk management, internal control, incident management and internal audit. At a high level, most other GRC domains can be covered and managed by these four main domains. In the case of the compliance domain, implemented internal controls ensure compliance with existing rules and regulations as well as internal policies and procedures. Identified breaches of laws and regulations are reported and managed as incidents. New and upcoming rules and regulations, as well as other compliance requirements, are identified through risk assessments and managed by action plans until they are included in the internal control system. Internal audit can then use internal control as a basis and include both risk management results and relevant incidents that have occurred in the actual audit.

The value of an integrated GRC system

Managing GRC information in various spreadsheets or standard office applications is still a very common practice. This setup is usually satisfactory until an organisation wishes to combine and aggregate the gathered information. This becomes expensive and ineffective as it normally requires extensive conversion between formats and definitions. In the worst case, the obtained information is irrelevant or misleading. An integrated GRC system improves efficiency within organisations in three key aspects:

  • Organisations can move from fragmented data collection to asking critical questions once, hence reducing impact on business
  • Stand-alone GRC systems (i.e. one system per GRC domain) are replaced with one integrated GRC system, which reduces cost and complexity while increasing the likelihood of effective and efficient collaboration
  • Overlapping reporting is replaced with integrated reporting, thus showing consistent and recognisable information with different focus and different purpose to management and board

Besides saving cost and effort, the value of an integrated GRC system is often realised even before the actual implementation starts. In order to integrate the current GRC data smoothly into the new integrated GRC system, it is necessary for organisations to create a common understanding and internal agreement on how the systems and processes should be defined. Organisations learn about ownership and accountability as well as how to anchor the different roles and responsibilities in the organisation for the integration to be a success.

While it should be noted that creating and working with a new standard is a journey that many may find cumbersome initially (as it requires a change in mind-set and action), it has visible payoffs. Not only does management information become instantly accessible and more accurate, the occurrence of incidents is subsequently reduced. Most importantly, organisations no longer find themselves focusing on the troubleshooting of problems, but are able to direct their attention to supporting business enhancements.

Being able to manage GRC challenges in a transparent and cost-effective way, while avoiding bureaucracy and process lock-down and allowing for development and change, has the potential to become a competitive advantage. Maintaining control is a strategic enabler in an ever-changing environment.

About the author

Alex Hofmann

GRC Technology Service Leader
Transcendent Group
