Governance, Risk Management, and Compliance

Governance, Risk, and Compliance or "GRC" is an increasingly recognized term that reflects a new way in which organizations can adopt an integrated approach to these three areas. However, this term is often positioned as a single business activity, when in fact, it includes multiple overlapping and related activities within an organization, e.g. internal audit, compliance programs like SOX, enterprise risk management (ERM), operational risk, incident management, etc.

Governance is the responsibility of senior executive management and focuses on creating organizational transparency by defining the mechanisms an organization uses to ensure that its constituents follow established processes and policies. A proper governance strategy implements systems to monitor and record current business activity, takes steps to ensure compliance with agreed policies, and provides for corrective action in cases where the rules have been ignored or misconstrued.

Risk Management is the process by which an organization sets the risk appetite, identifies potential risks and prioritizes the tolerance for risk based on the organization’s business objectives. Risk Management leverages internal controls to manage and mitigate risk throughout the organization.

Compliance is the process that records and monitors the policies, procedures and controls needed to enable compliance with legislative or industry mandates as well as internal policies.

Within the GRC realm, it is very important to realize that if the first one (Governance) is not in place, the second two (Risk Management and Compliance) become irreverent and probably cannot be meaningfully achieved. Working on the same logic, if second one (Risk Management) is not in place then achieving Compliance becomes irreverent and probably cannot be meaningfully achieved. This is the reason the acronym is designed as GRC and not other combinations.Governance, Risk, and Compliance are highly related but distinct activities that solve different problems for different sets of constituents of an organization.

A specific definition of GRC can be challenging. According to [http://www.corp-integrity.com Michael Rasmussen] , an industry GRC analyst, the challenge in defining GRC is that individually each term has "many different meanings within organizations. There is corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, Sarbanes-Oxley (SOX) compliance, employment/labor compliance, privacy compliance . . . you get the picture." [document no longer available]

Initial interest in GRC systems was driven by the Sarbanes-Oxley Act, but GRC system requirements have changed and now are seen as a means to achieve Enterprise Risk Management. Specifically, this represents a movement from managing risk as a transaction or compliance activity to adding business value by improving operational decision making and strategic planning.

Industry groups have recently been started to focus on the GRC area. One leading such group is the [http://www.oceg.org OCEG] (Open Compliance and Ethics Group). OCEG is a non-profit organization that provides a performance framework for integrating governance, compliance, risk management and culture, is one of the leading voices for GRC. OCEG has developed a Measurement and Metrics Guide (MMG) for assisting in measuring and reporting on the performance of compliance and ethics programs. This measurement platform advocates that program objectives be aligned with and contribute to the enterprise objectives in a tangible way. In order to achieve desired program outcomes, an organization should design processes and practices that effectively measure program dimensions on three key dimensions: effectiveness, efficiency and responsiveness. [GRC 360 Degrees: Driving Principled Performance by Scott L. Mitchell, "More than Three Letters," Aug. 24, 2007 (OCEG blog) [http://grc360.blogspot.com/2007/08/grc-more-than-three-letters.html] ]

GRC Market Segmentation

A GRC Program can be instituted to focus on any individual area within the enterprise. However, the two most common areas would be Financial GRC and IT GRC. Financial GRC relates to the activities that are intended to ensure the correct operation of all financial processes, as well as compliance with any finance-related mandates. IT GRC relates to the activities intended to ensure that the IT (Information Technology) organization supports the current and future needs of the business, and complies with all IT-related mandates.

Analysts disagree on how these aspects of GRC are defined as market categories. [http://www.gartner.com Gartner] has stated that the broad GRC market includes the following areas:
*Finance and Audit GRC
*IT GRC Management
*Enterprise Risk Management.

They further divide the IT GRC Management market into these key capabilities. Although this list relates to IT GRC, a similar list of capabilities would be suitable for other areas of GRC.
*Controls and policy library
*Policy distribution and response
*IT Controls self-assessment and measurement
*IT Asset repository
*Automated general computer control (GCC) collection
*Remediation and exception management
*reporting
*Advanced IT risk evaluation and compliance dashboards

The [http://www.burtongroup.com Burton Group] offers a similar market taxonomy , which includes the following segments: ["Products for Managing Governance, Risk, And Compliance: Market Fluff or Relevant Stuff", March 8, 2008 by Trent Henry]
*Financial GRC
*Operational risk management
*General compliance and audit management
*IT GRC
*Enterprise risk management

IT GRC 2008 Annual Survey Report

IT governance, risk and compliance (IT GRC) is about striking an appropriate balance between business reward and risk. The maturity of IT GRC practices for managing reward and risk has a direct impact on the organization. IT GRC encompasses the practices for delivering:
* Greater business value from IT strategy, investment and alignment,
* Significantly reduced business and financial risk from the use of IT, and
* Conformance with policies of the organization and its external legal and regulatory compliance mandates.

While some of these practices involve continuous improvement to quality, others involve practices and capabilities that are known to be effective, along with objectives for what the organization wants to achieve. IT GRC energizes the entire organization to imagine what it can achieve, establishes methods for achieving their objectives, and demonstrates the practices that are proven to work for minimizing business and financial risk.

Fundamentally, IT GRC is about striking an appropriate balance between business reward and risk, enabling an organization to more effectively anticipate and manage business risk while more effectively delivering value for the organization.

[http://www.compliancehome.com/symantec/ IT Governance, Risk and Compliance (IT GRC) 2008 Annual Research Report] , assembled from benchmark research conducted with more than 2,600 organizations around the World, reveals the IT GRC maturity profiles, business outcomes, capabilities and practices that are most responsible for influencing and impacting business rewards and risks.

GRC Product Vendors

The distinctions between the sub-segments of the broad GRC market are often not clear. And, with a large number of vendors entering this market recently, determining the best product for a given business problem can be challenging. And, given that the analysts don’t fully agree on the market segmentation, vendor positioning can increase the confusion.

There are a large number of companies who offer a “GRC Platform” for managing and tracking GRC activities across an enterprise. These include large, enterprise software vendors such as [http://www.ca.com/grc CA] , [http://www.SAP.com/grc SAP] , [http://www.ibm.com IBM] , and [http://www.oracle.com Oracle] as well as a variety of smaller companies who are targeting the GRC Platform market, including: [http://www.proventsure.com Proventsure] , [http://www.metricstream.com METRICSTREAM] , [http://www.bwise.com BWise] , AXENTIS, [http://www.mega.com MEGA] , [http://www.openpages.com OpenPages] , [http://www.trintech.com Trintech] , Paisley, QUMAS, and several others.

The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q4 2007 was released on December 21, 2007 and Forrester evaluated 15 leading enterprise governance, risk, and compliance (GRC) platform vendors across approximately 100 criteria. [http://www.metricstream.com METRICSTREAM] , [http://www.bwise.com BWise] , [http://www.axentis.com AXENTIS] , OpenPages, Paisley, and QUMAS rounded out the Leaders category. ["The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q4 2007" by Chris McClean, Michael Rasmussen with Alissa Dill, Jonathan Penn, Dec. 21, 2007 [http://www.forrester.com/Research/Document/Excerpt/0,7211,41751,00.html] ]

However, due to the dynamic nature of this market, any vendor analysis is often out of date relatively soon after its publication.

External links

*http://www.complianceonline.com/
*http://www.grc-resource.com
*http://technet.microsoft.com/en-us/library/cc531020(TechNet.10).aspx
* [http://www.compliancehome.com/symantec/] IT Governance, Risk and Compliance (IT GRC) 2008 Annual Survey Report

References