Governance, risk management, and compliance

From Wikipedia, the free encyclopedia


Governance, Risk Management, and Compliance, or "GRC", is an increasingly recognized term that reflects a new way in which organizations can adopt an integrated approach to these three areas. Although governance, risk and compliance are separate factors, each has significance, relevance and influence on the others.

Although an integrated approach to these three areas presents many advantages, GRC is not a single business activity; it in fact includes multiple overlapping and related activities within an organization, for example internal audit, compliance programs such as SOX, enterprise risk management (ERM), operational risk and incident management.

Governance is the umbrella term used to describe the overall framework through which senior executive management ensures that their organization follows appropriate processes and policies to meet the required standards. The standards incorporated into a governance framework depend on the decisions of the senior executive. A proper governance strategy implements systems to monitor and record all regulated business activities, takes steps to ensure compliance with agreed policies, and provides for corrective action in cases where the rules have been ignored or misconstrued.

Risk Management is the process through which an organization identifies and resolves the gap between the current operational standards and the required operational standards. There are two main types of risk in GRC: "True Risk", based on real operational assessments, and "Perceived Risk", based on incidents and reported control gaps. An organization identifies real and potential risks and prioritizes its tolerance for risk based on the organization's business objectives. Risk Management leverages internal controls to manage and mitigate risk throughout the organization.

Compliance is the process that records and monitors the controls, be they physical, logical or organisational, needed to enable compliance with legislative or industry mandates as well as internal policies.

Governance, Risk, and Compliance are highly related but distinct activities that solve different problems for different sets of constituents of an organization.

Initial interest in GRC systems was driven by the Sarbanes-Oxley Act, but GRC system requirements have changed and now are seen as a means to achieve Enterprise Risk Management. Specifically, this represents a movement from managing risk as a transaction or compliance activity to adding business value by improving operational decision making and strategic planning.

GRC Market Segmentation

A GRC program can be instituted to focus on any individual area within the enterprise, or a fully integrated GRC is able to work across all areas of the enterprise, using a single framework.

A fully integrated GRC uses a single core set of control material, mapped to all of the primary governance factors being monitored. The use of a single framework also has the benefit of reducing the possibility of duplicated remedial actions.

When reviewed as individual GRC areas, the three most common individual headings are considered to be Financial GRC, IT GRC, and Legal GRC.

  • Financial GRC relates to the activities that are intended to ensure the correct operation of all financial processes, as well as compliance with any finance-related mandates.
  • IT GRC relates to the activities intended to ensure that the IT (Information Technology) organization supports the current and future needs of the business, and complies with all IT-related mandates.
  • Legal GRC focuses on tying together all three components via an organization's legal department and Chief Compliance Officer.

Analysts disagree on how these aspects of GRC are defined as market categories. Gartner has stated that the broad GRC market includes the following areas:

  • Finance and Audit GRC
  • IT GRC Management
  • Enterprise Risk Management.

They further divide the IT GRC Management market into these key capabilities. Although this list relates to IT GRC, a similar list of capabilities would be suitable for other areas of GRC.

  • Controls and policy library
  • Policy distribution and response
  • IT Controls self-assessment and measurement
  • IT Asset repository
  • Automated general computer control (GCC) collection
  • Remediation and exception management
  • Reporting
  • Advanced IT risk evaluation and compliance dashboards

The Burton Group offers a similar market taxonomy, which includes the following segments:[1]

  • Financial GRC
  • Operational risk management
  • General compliance and audit management
  • IT GRC
  • Enterprise risk management

GRC Product Vendors

The distinctions between the sub-segments of the broad GRC market are often not clear. With a large number of vendors entering this market recently, determining the best product for a given business problem can be challenging. Given that the analysts don’t fully agree on the market segmentation, vendor positioning can increase the confusion. Due to the dynamic nature of this market, any vendor analysis is often out of date relatively soon after its publication.

Broadly, the vendor market can be considered to exist in three segments:

  • Integrated Governance, Risk & Compliance Solutions (Multi-Governance Interest, Enterprise Wide)
  • Domain Specific GRC Solutions (Single Governance Interest, Enterprise Wide)
  • Point Solutions to Governance, Risk or Compliance (Relate to Enterprise Wide Governance or Enterprise Wide Risk or Enterprise Wide Compliance but not in combination.)

Integrated governance, risk and compliance solutions attempt to unify the management of these areas, rather than treat them as separate entities. An integrated solution is able to administer one central library of compliance controls, but manage, monitor and present them against every governance factor. For example, in a domain specific approach, three or more findings could be generated against a single broken activity. The integrated solution recognizes this as one break relating to the mapped governance factors.
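The "one break versus several findings" contrast above, and the single mapped control library described under GRC Market Segmentation, as an added Python sketch. This is not code from the article or from any GRC product; the control ids, governance factor names and the set of failed controls are constructed for illustration.

```python
"""Constructed example: a control library mapped to governance factors,
the findings a domain-specific review would raise, and how an integrated
approach consolidates them to one finding (one remedial action) per break."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    factors: frozenset  # governance factors this single control satisfies


# Constructed library: each control is written once and mapped to every
# factor it evidences (assumption: three factors, three controls).
LIBRARY = [
    Control("AC-01", "Privileged access is reviewed quarterly",
            frozenset({"SOX", "Internal IT policy", "Customer contract"})),
    Control("CM-02", "Production changes require an approved ticket",
            frozenset({"SOX", "Internal IT policy"})),
    Control("BK-03", "Backups are restore-tested monthly",
            frozenset({"Customer contract"})),
]


def domain_specific_findings(failed_ids, library=LIBRARY):
    """Domain approach: every governance factor reviews on its own, so one
    broken control yields one finding per factor it is mapped to."""
    return [(factor, c.control_id)
            for c in library if c.control_id in failed_ids
            for factor in sorted(c.factors)]


def consolidate(findings):
    """Integrated approach: group findings by control, so a single break is
    tracked once and carries the full list of factors it affects."""
    grouped = defaultdict(set)
    for factor, control_id in findings:
        grouped[control_id].add(factor)
    return {cid: sorted(factors) for cid, factors in grouped.items()}


def coverage_gaps(library, monitored_factors):
    """Check that the library maps to every factor being monitored; a factor
    with no control cannot produce evidence and is a library gap, not a pass."""
    covered = set().union(*(c.factors for c in library))
    return sorted(set(monitored_factors) - covered)
```

Compare `len(domain_specific_findings({"AC-01"}))` with `len(consolidate(...))` on the same input: three remedial tickets versus one for the same broken activity.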

Domain specific governance, risk and compliance vendors understand the cyclical connection between governance, risk and compliance within a particular area of governance. For example, within Financial Processing, a risk will relate either to the absence of a control (a need to update governance) and/or to the lack of adherence to, or poor quality of, an existing control.

Point Solutions to Governance, Risk & Compliance are marked by their focus on addressing only one of these areas (Governance or Risk or Compliance). In some cases of limited requirements, these solutions can serve a viable purpose. However, because they tend to have been designed to solve domain specific problems in great depth, they generally do not take a unified approach and are not tolerant of integrated governance requirements.

References

  1. ^ "Products for Managing Governance, Risk, And Compliance: Market Fluff or Relevant Stuff", Trent Henry, March 8, 2008