Any organization seeking to meet its business objectives continues to face a myriad of challenges owing to the ever-changing complexity of the business environment:
For this reason, there is an increasing need for enterprises to put in place mechanisms to ensure that the business can successfully ride the wave of these complexities. GRC—Governance, Risk, and Compliance—is one of the most important elements any organization must put in place to achieve its strategic objectives and meet the needs of stakeholders.
GRC as an acronym stands for governance, risk, and compliance, but the term GRC means much more than that. The OCEG (formerly known as the “Open Compliance and Ethics Group”) states that the term GRC was first referenced as early as 2003, and was then mentioned in a peer-reviewed paper by their co-founder in 2007.
The OCEG views GRC as a well-coordinated and integrated collection of all the capabilities necessary to support principled performance at every level of the organization. These capabilities include:
Principled Performance refers to a point of view and approach to business that helps organizations reliably achieve objectives while addressing uncertainty and acting with integrity.
When broken down, the constituent elements can be defined from ITIL® 4 and explained as follows:
The means by which an organization is directed and controlled. In GRC, governance is necessary for setting direction (through strategy and policy), monitoring performance and controls, and evaluating outcomes.
A possible event that could cause harm or loss or make it more difficult to achieve objectives. In GRC, risk management ensures that the organization identifies, analyses, and controls risk that can derail the achievement of strategic objectives.
The act of ensuring that a standard or set of guidelines is followed, or that proper, consistent accounting or other practices are being employed. In GRC, compliance ensures that, depending on the context, the organization takes measures and implements controls to assure that compliance requirements are met consistently.
Without a doubt, the biggest driver for GRC is regulation. While traditional industries such as banking, insurance, healthcare, and telecoms have borne the brunt of regulation in the past, today’s digital age is fueling a rise in regulation that touches all entities, large or small.
Use of data, particularly personally identifiable information, has huge business potential as well as the risk of abuse. Therefore, governments and international agencies are keeping a closer eye on how digital businesses manage data. The rise in cyber-attacks that expose personal data, as well as growing awareness among individuals and civil rights organizations, have shed new light on how companies manage information and technology through processes, people, and culture.
According to CIO.com, benefits of GRC include:
A collective approach is the best bet for any organization seeking to get to grips with the ever-changing regulatory landscape. When GRC is done right across the whole organization, so that the right people get the right information at the right time and the right objectives and controls are established, the OCEG states that we can expect a reduction in costs, duplication, and impacted operations.
The organization can also benefit through better decision-making agility and confidence, as well as sustained, reliable performance, and delivery of value.
As has been stated before, GRC is best implemented in a holistic manner that encompasses the entire organization. This does not necessarily mean that an umbrella unit is required for coordination, even though that might work for certain types of entities. The OCEG has defined an open source approach called the GRC Capability Model (also called the Red Book) that integrates the various sub-disciplines of governance, risk, audit, compliance, ethics/culture and IT into a unified approach. The Capability Model is made up of four components:
These components outline an iterative continuous improvement process to achieve principled performance and are further decomposed into elements, which are in turn supported by practices, actions and controls. The actions and controls are classified into three types, from which organizations can select a mix depending on their context:
In order to address the needs of GRC, a lot of organizations are turning to technology solutions. These solutions enable the leadership to monitor GRC across the enterprise by ensuring business processes and information technology continue to align to the governance, risk and compliance requirements of the organization. Capabilities include:
However, having a tool alone isn’t enough to guarantee effective GRC. Technology doesn’t have ethics—people do. Hence GRC must be addressed from a people and process perspective, even before technology is considered.
However, technology is a very good enabler in reducing the “compliance” overhead that comes with gathering and managing the records required to prove that the organization is meeting GRC requirements, without overburdening employees who should be focused on generating value instead.
Original Source : link-1