
Governance, risk management, and compliance: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
No edit summary
added link to one book in reference list
Line 1: Line 1:
'''Governance, Risk Management, and Compliance''' or '''GRC''' is the umbrella term covering an organization's approach across these three areas. Being closely related concerns, governance, risk and compliance activities are increasingly being integrated and aligned to some extent in order to avoid conflicts, wasteful overlaps and gaps. While interpreted differently in various organizations, GRC typically encompasses activities such as [[corporate governance]], enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.<ref>{{citation |url=http://books.google.co.uk/books?id=3aUyqPxYw10C |title=Governance, Risk, and Compliance Handbook |author=Anthony Tarantino}}</ref><ref>{{citation |url=http://books.google.co.uk/books?id=1Vi35vE6c1IC&pg=PA9 |title=SAP GRC For Dummies |author=Denise Vu Broady, Holly A. Roland |chapter=The ABCs of GRC}}</ref>
'''Governance, Risk Management, and Compliance''' or '''GRC''' is the umbrella term covering an organization's approach across these three areas. Being closely related concerns, governance, risk and compliance activities are increasingly being integrated and aligned to some extent in order to avoid conflicts, wasteful overlaps and gaps. While interpreted differently in various organizations, GRC typically encompasses activities such as [[corporate governance]], enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.<ref>{{citation |url=http://books.google.co.uk/books?id=3aUyqPxYw10C |title=Governance, Risk, and Compliance Handbook |author=Anthony Tarantino}}</ref><ref>{{citation |url=http://books.google.co.uk/books?id=1Vi35vE6c1IC&pg=PA9 |title=SAP GRC For Dummies |author=Denise Vu Broady, Holly A. Roland |chapter=The ABCs of GRC}}</ref>


'''[[Governance]]''' describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.<ref>{{citation |author = Lamm, Blount, etc. |title= Under Control: Governance Across the Enterprise}}</ref>.
'''[[Governance]]''' describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.<ref>{{citation |url=http://www.amazon.com/Under-Control-Governance-Across-Enterprise/dp/1430215925 |author = Lamm, Blount, etc. |title= Under Control: Governance Across the Enterprise}}</ref>.


[[Risk Management|'''Risk management''']] is the set of processes through which management identifies, analyses and where necessary responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.
[[Risk Management|'''Risk management''']] is the set of processes through which management identifies, analyses and where necessary responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.
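Review bot: the new url= added to the Lamm et al. citation points at an Amazon product page; a neutral identifier such as the book's ISBN or a publisher page would be the better link, since a retailer URL is a commercial reference that can rot. While touching that line, also drop the stray period after the closing tag ("effectively.<ref>...</ref>."), which renders as a double period after the footnote marker in the article text; the surrounding GRC and Risk management paragraphs are unchanged context.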

Revision as of 22:27, 18 December 2010

Governance, Risk Management, and Compliance or GRC is the umbrella term covering an organization's approach across these three areas. Being closely related concerns, governance, risk and compliance activities are increasingly being integrated and aligned to some extent in order to avoid conflicts, wasteful overlaps and gaps. While interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.[1][2]

Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.[3]

Risk management is the set of processes through which management identifies, analyses and where necessary responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.

Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.

Widespread interest in GRC was sparked by the US Sarbanes-Oxley Act and the need for US listed companies to design and implement suitable governance controls for SOX compliance, but the focus of GRC has since shifted towards adding business value through improving operational decision making and strategic planning. It therefore has relevance beyond the SOX world.

Governance, Risk, and Compliance or "GRC" is an increasingly recognized term that reflects a new way in which organizations are adopting an integrated approach to these aspects of their business.[4]

GRC Research

A publication review carried out in 2009 found that there is hardly any scientific research on GRC as of today. The authors went on to derive the first scientifically grounded short definition of GRC from an extensive literature review. Subsequently, the definition was validated in a survey among GRC professionals. "GRC is an integrated, holistic approach to organisation-wide governance, risk and compliance ensuring that an organisation acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness." The authors then translated the definition into a frame of reference for GRC research.

Frame of reference for research of integrated GRC

Governance, Risk Management and Compliance are the core disciplines of GRC. Each of the disciplines consists of the four basic components of GRC: strategy, processes, technology and people. The organisation's risk appetite, its internal policies and external regulations constitute the rules of GRC. The disciplines, their components and rules are to be merged in an integrated, holistic and organisation-wide manner (the three main characteristics of GRC), aligned with the (business) operations that are managed and supported through GRC. In applying this approach, organisations aim to achieve the objectives of GRC: ethically correct behaviour, and improved efficiency and effectiveness of any of the elements involved.[5]

GRC Market Segmentation

A GRC program can be instituted to focus on any individual area within the enterprise, or a fully integrated GRC is able to work across all areas of the enterprise, using a single framework.

A fully integrated GRC uses a single core set of control material, mapped to all of the primary governance factors being monitored. The use of a single framework also has the benefit of reducing the possibility of duplicated remedial actions.

When reviewed as individual GRC areas, the three most common individual headings are considered to be Financial GRC, IT GRC, and Legal GRC.

  • Financial GRC relates to the activities that are intended to ensure the correct operation of all financial processes, as well as compliance with any finance-related mandates.
  • IT GRC relates to the activities intended to ensure that the IT (Information Technology) organization supports the current and future needs of the business, and complies with all IT-related mandates.
  • Legal GRC focuses on tying together all three components via an organization's legal department and Chief Compliance Officer.

Analysts disagree on how these aspects of GRC are defined as market categories. Gartner has stated that the broad GRC market includes the following areas:

  • Finance and Audit GRC
  • IT GRC Management
  • Enterprise Risk Management.

They further divide the IT GRC Management market into these key capabilities. Although this list relates to IT GRC, a similar list of capabilities would be suitable for other areas of GRC.

  • Controls and policy library
  • Policy distribution and response
  • IT Controls self-assessment and measurement
  • IT Asset repository
  • Automated general computer control (GCC) collection
  • Remediation and exception management
  • Reporting
  • Advanced IT risk evaluation and compliance dashboards

GRC Product Vendors

The distinctions between the sub-segments of the broad GRC market are often not clear. With a large number of vendors entering this market recently, determining the best product for a given business problem can be challenging. Given that the analysts don’t fully agree on the market segmentation, vendor positioning can increase the confusion.

Due to the dynamic nature of this market, any vendor analysis is often out of date relatively soon after its publication.

Broadly, the vendor market can be considered to exist in three segments:

  • Integrated Governance, Risk & Compliance Solutions (Multi-Governance Interest, Enterprise Wide)
  • Domain Specific GRC Solutions (Single Governance Interest, Enterprise Wide)
  • Point Solutions to Governance, Risk or Compliance (Relate to Enterprise Wide Governance or Enterprise Wide Risk or Enterprise Wide Compliance but not in combination.)

Integrated governance, risk and compliance solutions attempt to unify the management of these areas, rather than treat them as separate entities. An integrated solution is able to administer one central library of compliance controls, but manage, monitor and present them against every governance factor. For example, in a domain specific approach, three or more findings could be generated against a single broken activity. The integrated solution recognizes this as one break relating to the mapped governance factors.[6]

Domain-specific governance, risk and compliance vendors understand the cyclical connection between governance, risk and compliance within a particular area of governance. Within financial processing, for example, a risk will relate to the absence of a control (a need to update governance), to the lack of adherence to (or poor quality of) an existing control, or to both. The initial goal of splitting GRC out into a separate market has left some vendors confused about the lack of movement. It is thought that a lack of deep education within a domain on the audit side, coupled with a mistrust of audit in general, causes a rift in a corporate environment. However, some vendors in the marketplace, while remaining domain-specific, have begun marketing their product to end users and departments that are tangential or overlapping: the corporate internal audit (CIA) and external audit teams (the tier-one "big four" as well as tier two and below), information security, and operations/production. This provides a more 'open book' approach to the process: if the production team is audited by CIA using an application that production also has access to, risk is thought to be reduced more quickly, as the end goal is not to be 'compliant' but to be 'secure', or as secure as possible.

Point Solutions to Governance, Risk & Compliance are marked by their focus on addressing only one of these areas (Governance or Risk or Compliance). In some cases of limited requirements, these solutions can serve a viable purpose. However, because they tend to have been designed to solve domain specific problems in great depth, they generally do not take a unified approach and are not tolerant of integrated governance requirements. Information systems will address these matters better if the requirements for governance, risk and compliance management are incorporated at the design stage, as part of a coherent framework.[7]

References

  1. ^ Anthony Tarantino, Governance, Risk, and Compliance Handbook
  2. ^ Denise Vu Broady, Holly A. Roland, "The ABCs of GRC", SAP GRC For Dummies
  3. ^ Lamm, Blount, et al., Under Control: Governance Across the Enterprise
  4. ^ Xactium, What is GRC?
  5. ^ Racz, N., Weippl, E. & Seufert, A. (2010), "A frame of reference for research of integrated GRC", in Bart De Decker, Ingrid Schaumüller-Bichl (eds.), Communications and Multimedia Security, 11th IFIP TC 6/TC 11 International Conference, CMS 2010 Proceedings, Berlin: Springer, pp. 106–117, ISBN 978-3-642-13240-7
  6. ^ Free Integrated Governance, Risk, and Compliance Resources
  7. ^ Bonazzi, R., Hussami, L. & Pigneur, Y. (2009), "Compliance Management is Becoming a Major Issue in IS Design", Information Systems: People, Organizations, Institutions, and Technologies (PDF), Springer, pp. 391–398, doi:0.1007/978-3-7908-2148-2
