Governance, Risk & Compliance (GRC) – Big Time Confusion!

In the early 2000s, many enterprises were scrambling to improve their internal control and governance processes after a series of highly publicized corporate financial scandals. The GRC concept emerged in response, and was welcomed as a way to overcome those problems.

A commonly cited definition reads: “GRC (governance, risk management, and compliance) is the term used to describe an organization's approach to addressing risks, staying compliant with the law, and managing company direction.”

Despite the concept having been around for more than a decade, I still find many audit and risk professionals wondering what GRC is all about. Many think it is nothing more than a marketing stunt by ERP vendors to sell their software.

It is important to understand the evolutionary need for GRC in the corporate world before we form an opinion.

In the three lines of defense risk governance model (3LOD model), each line of defense was working in isolation.

To understand more about the roles in the three lines of defense (3LOD) model, refer to my article “Difference between the role of Internal Control, Compliance, Risk Management, and Audit?”.

Similar functional areas were being reviewed or audited by multiple stakeholders (audit, risk, compliance, fraud, internal control, HSE, information security, quality assurance, etc.), and each of them was presenting a separate report to management or to the Board on the governance health of the organization. As a result, a new problem emerged: stakeholder confusion, too many reports, duplication, and overlapping roles, which eventually led to wasted resources.

To overcome these problems, the first scholarly research on GRC was published in 2007. The GRC concept was widely taken up as a relief from the “silos” issue in the corporate world. The concept is still in its infancy and has yet to mature, but overall it integrates the roles of governance, risk, and compliance, aiming to remove silos and to bring more coordination and collaboration among the layers within the organization.

Top 5 Common GRC Challenges

In practice, the GRC concept translated into a new department in the organization, known as the GRC or Governance Department. The key challenges faced by early adopters were the following:

  • Where should GRC be placed in the organization chart?
  • In which line of corporate defense does the GRC Department fall: first, second, or third?
  • What should be the scope and authority of the GRC Department?
  • What should be the reporting line of the GRC Department, and who should report to GRC?
  • How should the effectiveness of the GRC Department be monitored?

How to address these challenges?

To overcome these challenges, it is important to improve the corporate culture by removing adverse competition for recognition among departments and by encouraging more collaboration within the company. The GRC lead (or department) can then act as a moderator and a single point of reference for executive management and the Board in measuring the governance health of the organization.

The aim should be a single report presented to executive management, covering the aggregated effort of the second and third lines of corporate defense in the company. The same department should ensure that risk management, internal control, internal audit, compliance, and other oversight functions work in harmony, sharing information with each other to avoid duplication and overlap and to make sure nothing falls between the cracks.

Conclusion

I would say there is no right or wrong practice as long as the objective of GRC is achieved, i.e. to remove silos. Since the GRC role and concept are still in their infancy, they will, with time, evolve and mature like other corporate disciplines.

“Implementing a framework will never be successful unless the organization's culture evolves to support GRC activities” says Grama.


ABOUT THE AUTHOR

Arif Zaman brings more than a decade of proven experience in internal audit, risk management, and corporate governance. He is the Head of Internal Audit at a Private Joint Stock Company based in Dubai, UAE. He holds an MSc in Professional Accountancy from the University of London and a BSc (Hons) in Applied Accounting from Oxford Brookes University, along with a broad set of professional certifications including ACCA, CIA, CISA, CFE, CCSA, CRMA, CRBA, CPA and CGA.

For more immediate reading, here are some other articles I have written:

Technical Article

  • Establishing Risk Department in 7 simple steps
  • Future Corporate Governance
  • Strategic Risk Leaders Conference - Risk Management FAQ
  • The Pivotal Role of Evolving Internal Audit by Embracing Latest Technologies
  • How to become Internal Auditor?
  • How to Gauge Audit Department
  • Do not trust Artificial Intelligence
  • How to establish Internal Audit Department in 8 simple steps
  • Corporate Governance
  • Risk Appetite
  • Road Map to Data Analytics
  • Political pressure on CAE
  • Difference between the role of internal control, compliance, risk management and audit?
  • Internal audit is a dying career?
  • Internal audit - Innovate or stagnate
  • Internal audit insight from IIA President
  • Auditing business ethics
  • Business email compromise
  • Create a risk register in 4 steps
  • Cloud computing - Internal audit perspective
  • Annual risk assessment (4 steps)
  • Annual audit planning process (5 steps)
  • Role of internal audit in risk management
  • The impact of emerging technology on auditing
  • Family business governance
  • New IPPF 2015 (summary)
  • Internal audit function maturity curve
  • Real story - Ponzi scheme

Others

  • Feel like you are falling apart
  • My most vivid childhood memories
  • I think of my failure as a gift
  • Life changing story - From admin staff to TV anchor
  • Remove toxic people from your life
  • Africa is not a country
  • The best time of the day to do things at work
  • Build your personal brand
  • Pass the 6 second CV scan test

Comments

Arfian Yuddy Wibowo

Senior Internal Auditor with 20 years of experience in the coal, energy infrastructure, finance, and FMCG industries. I have a strong knowledge and expertise in the field of auditing.

3 years ago

Love this

Usman Ahmed (ACCA,MBA,UAECA)

13+ Years Experience | Chartered Accountant | Finance Professional | FP&A | Internal Controls | Financial Analyst | Budgeting & Planning | Tax | Finance Business Partnering | Financial Reporting

3 years ago

Well said

Nitin Gautam

Corporate Governance | Legal Strategy | Legal Risk and Compliance | ESG | IPO | M&A | General Counsel | Board Secretary and Advisor | Chartered Governance Professional

3 years ago

Very interesting read

Alex Sidorenko

Group Head of Risk, Insurance and Internal Audit

3 years ago

It is just a marketing stunt by ERP vendors to sell their software