The increasing difficulty of maintaining regulatory compliance and the ever-escalating threat of cybercrime highlight the importance of a well-constructed and well-maintained governance, risk management, and compliance (GRC) program. These three functions have traditionally been the responsibility of separate departments within a company, with little or no communication or coordination of effort. Yet coordinating an organization’s efforts in these critical areas is the key to avoiding policy conflicts, wasteful duplicated work, and gaps in the program.
In short, many departments traditionally work with their own specific goals in mind, rather than having a view of where the team as a whole is headed. The result is often a form of task-oriented tunnel vision. In the traditional view, compliance was something that came up mainly in audit processes, while risk management and governance were functions reserved exclusively for upper management.
Governance is widely recognized as essential to an organization because it is the means by which goals are identified and seen through, usually by way of proven processes and strong executive oversight. Risk management is often seen as the way an organization addresses those risks it considers unacceptable; in practice, this is usually determined by first deciding which risks are acceptable in order to remain competitive. Compliance, traditionally viewed as a reactive process, takes on a more proactive stance in the GRC view.
Widespread interest in an integrated approach to GRC arose largely as a response to the Sarbanes-Oxley Act and its new requirements for U.S.-listed companies to establish robust governance controls for compliance. More recently, the focus of GRC efforts has shifted toward adding value by looking for ways to improve operational decision making and strategic planning.
Perhaps one of the most salient features of the trend toward GRC is the realization that no department is an island, and that lessons learned in one area might be applicable elsewhere in the corporate tree. A good first step toward implementing an integrated GRC program into an organization’s culture is to clarify roles while providing for risk ownership and a sense of accountability, supporting it all by continuous communication.
So, with respect to GRC, lessons learned from good risk management might provide a focus for achieving compliance. At the same time, understanding and being able to plan for regulatory compliance can mean the difference between being bogged down addressing individual regulations or standards one at a time and recognizing that many of them overlap, saving time and money in the process. With respect to IT, information governance, meaning knowing where your organization’s critical information is and being able to monitor it, could have a far-reaching impact on compliance, particularly if your organization is looking into cloud computing and the accountability that goes along with it.
A well-constructed and well-maintained GRC program is a whole greater than the sum of its parts. It embodies a “team player” ethos that reflects the way organizations are increasingly adopting integrated solutions to what had once been considered unrelated aspects of their business.