GRC is neither a project nor a technology, but a corporate objective for improving governance through more-effective compliance and a better understanding of the impact of risk on business performance. Governance, risk management and compliance have many valid definitions.
Compliance management is the process that ensures a given set of people is following a given set of rules. The rules are referred to as the compliance standard or compliance benchmark, while the process is what manages adherence to them.
Risk governance refers to the institutions, rules, conventions, processes and mechanisms by which decisions about risks are taken and implemented. It can be both normative and positive, because it analyses and formulates risk management strategies to avoid and/or reduce the human and economic costs caused by disasters.
Compliance risk is exposure to legal penalties, financial forfeiture and material loss an organisation faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices.
GRC is a discipline that aims to synchronize information and activity across governance, risk management and compliance in order to operate more efficiently, enable effective information sharing, more effectively report activities and avoid wasteful overlaps. Although interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.
Organizations reach a size where coordinated control over GRC activities is required to operate effectively. Each of these three disciplines creates information of value to the other two, and all three impact the same technologies, people, processes and information.
Substantial duplication of tasks evolves when governance, risk management and compliance are managed independently. Overlapping and duplicated GRC activities negatively impact both operational costs and GRC metrics. For example, each internal service might be audited and assessed by multiple groups on an annual basis, creating enormous cost and disconnected results. A disconnected GRC approach will also prevent an organization from providing real-time GRC executive reports. Like a badly planned transport system, every individual route will operate, but the network will lack the qualities that allow them to work together effectively.
If GRC is not integrated but tackled in a traditional "silo" approach, most organizations must sustain an unmanageable number of GRC-related requirements driven by changes in technology, increasing data storage, market globalization and increased regulation.