GRC 101.....What does GRC mean again?

GRC, or governance, risk, and compliance, has been top of mind for risk managers since 2020. Most of us risk professionals have only a superficial understanding of GRC and how it works. For the next few weeks, I will be going over the basics of GRC so you have a reference in the event that you need a refresher.

Definition of GRC

GRC (sometimes referred to as Integrated Risk Management) is an integrated collection of capabilities that enables an organization to:

G) reliably achieve objectives,

R) while addressing uncertainty, and

C) acting with integrity.

Source: OCEG GRC Capability Model

The following are the different areas under the GRC umbrella:

ERM (Enterprise Risk Management)

ORM (Operational Risk Management)

Internal Audit

Internal Controls

Regulatory Compliance

Third-Party Risk Management

Business Continuity Management

The breakdown of GRC is the following:

Governance describes the overall management approach through which senior executives direct the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that the critical management information reaching the executive team is sufficiently complete, accurate, and timely to enable sound decision-making, and they provide the control mechanisms that ensure strategies, directions, and instructions from management are carried out systematically and effectively.

Risk management is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect the realization of the organization's business objectives. The response to a risk typically depends on its perceived severity and consists of controlling (mitigating) it, avoiding it, accepting it, or transferring it to a third party. Organizations routinely manage a wide range of risks this way (e.g. technological risks, commercial/financial risks, information security risks, etc.).

Compliance means conforming to stated requirements. At an organizational level, it is achieved through management processes that identify the applicable requirements (defined, for example, in laws, regulations, contracts, strategies, and policies), assess the current state of compliance, weigh the risks and potential costs of non-compliance against the projected cost of achieving compliance, and on that basis prioritize, fund, and initiate any corrective actions deemed necessary.

The best analogy I have heard for explaining the concept of GRC at a high level compares the GRC process to how you drive a car.

I drive a sports coupe. My governance (my own internal set of rules) dictates that I cannot drive my sports coupe off-road.

The risks that arise while driving my car are that it could break down on the road, I could get into an accident, or a tire could blow out while driving. Risk management is recognizing those risks and deciding what to do about each one: keep up with maintenance, carry insurance, or simply accept the risk.

I obey the traffic laws, and my car's paperwork is up to date, therefore I am compliant with state laws.

This analogy is GRC in a nutshell.

 GRC is a strategy, not a software solution.

A GRC strategy can be instituted to focus on any single area within the organization. A mature GRC strategy works across all areas of the organization using a single framework.

A good GRC strategy uses a single core set of control material, mapped to every regulation, standard, and internal policy the organization is monitored against. Because one control can satisfy requirements in several of those sources at once, a single framework also reduces the chance that the same remedial action is raised and worked more than once.
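To make the "single control set, mapped to many requirements" idea concrete, here is an added example (not code from the original post or from any GRC product) of a control crosswalk in Python. The framework names, requirement IDs, and control IDs are constructed placeholders, not real clauses from any standard. It inverts the crosswalk so a failing control is remediated once while every requirement it clears is listed, and it flags requirements that no control covers, which is the gap a siloed, per-regulation approach tends to miss.

```python
"""Control crosswalk: one core control set mapped to several requirement sources.

Constructed example data; framework, requirement and control identifiers are
hypothetical placeholders and do not correspond to any real standard.
"""
from collections import defaultdict

# Core control set: control id -> description (constructed sample data).
CONTROLS = {
    "CTL-01": "Multi-factor authentication for all remote access",
    "CTL-02": "Quarterly user access reviews",
    "CTL-03": "Encrypted backups restored and tested annually",
    "CTL-04": "Vendor security assessment before onboarding",
}

# Crosswalk: framework -> requirement id -> control ids that satisfy it.
# "CTL-05" is referenced but does not exist in CONTROLS, a deliberate coverage gap.
CROSSWALK = {
    "Reg-A": {"A-1": ["CTL-01"], "A-2": ["CTL-02"], "A-3": ["CTL-03"], "A-4": ["CTL-05"]},
    "Std-B": {"B-1": ["CTL-01"], "B-2": ["CTL-03"], "B-3": ["CTL-04"]},
    "Pol-C": {"C-1": ["CTL-01", "CTL-02"], "C-2": ["CTL-04"]},
}


def requirements_by_control(crosswalk):
    """Invert the crosswalk: control id -> set of (framework, requirement) it satisfies."""
    index = defaultdict(set)
    for framework, reqs in crosswalk.items():
        for req, control_ids in reqs.items():
            for cid in control_ids:
                index[cid].add((framework, req))
    return index


def unmapped_requirements(crosswalk, controls):
    """Per framework, the requirements with no existing control behind them (coverage gaps)."""
    gaps = {}
    for framework, reqs in crosswalk.items():
        missing = sorted(req for req, cids in reqs.items()
                         if not any(cid in controls for cid in cids))
        if missing:
            gaps[framework] = missing
    return gaps


def remediation_plan(crosswalk, failed_controls):
    """One remediation task per failed control, listing every requirement it clears."""
    index = requirements_by_control(crosswalk)
    return {cid: sorted(index.get(cid, ())) for cid in sorted(failed_controls)}


def siloed_task_count(crosswalk, failed_controls):
    """Tasks raised if each framework team tracks its own findings independently."""
    index = requirements_by_control(crosswalk)
    return sum(len(index.get(cid, ())) for cid in failed_controls)


def integrated_task_count(crosswalk, failed_controls):
    """Tasks raised when the shared control set is the unit of remediation."""
    return len(remediation_plan(crosswalk, failed_controls))


if __name__ == "__main__":
    failed = {"CTL-01", "CTL-04"}  # constructed: two controls failed their last test
    for cid, reqs in remediation_plan(CROSSWALK, failed).items():
        print(f"{cid}: {CONTROLS[cid]} -> clears {reqs}")
    print("siloed tasks:", siloed_task_count(CROSSWALK, failed))
    print("integrated tasks:", integrated_task_count(CROSSWALK, failed))
    print("coverage gaps:", unmapped_requirements(CROSSWALK, CONTROLS))
```

With the constructed data, two failed controls become two remediation tasks instead of the five findings three separate framework teams would each log, and the dangling "CTL-05" reference surfaces as an uncovered requirement in Reg-A before an auditor finds it.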

GRC Drivers

Five drivers typically accelerate the adoption of a sound GRC strategy:

  1. Stakeholders demand transparency across the enterprise.
  2. Regulations and enforcement are constantly changing and being updated.
  3. Expanded use of third-party organizations introduces more risk.
  4. The cost of addressing risk keeps growing.
  5. Threats and opportunities that are not properly identified have a growing impact on the business.

Where Most GRC Strategies Stand Today

In 2020 most organizations have risk management and compliance teams that often struggle with the following challenges:

Manual processes

Organizational silos

Lack of visibility across the organization

Disjointed strategies

Lack of effective oversight

Lack of visibility into risks

An ideal GRC strategy will have all stakeholders operating with the following attributes:

 Effective Oversight

Integrated Reporting and Analytics

Integrated GRC Strategy across all business units

Integrated Risk and Control Activities

Integrated & Quality Information

Shared Technology

Shared Services

Common Vocabulary

 This is a high-level overview of what GRC is. The goal of this brief blog is to give a universally understood definition of GRC and some of the basic components of a GRC strategy. Please comment if you have any questions. Next week we will be digging into the topic of ERM.

Find out more about how Camms can help you achieve integrated risk management by messaging me directly or posting below.

OCEG. “OCEG - The Ultimate Resource for Governance, Risk and Compliance (GRC).” OCEG, https://www.oceg.org/. Accessed 11 May 2021.

Andrew Cutter

Director - GRC Technology

3 years ago

Great article Phil! Looking forward to reading the next.
