- Original Date of Publication: December 28, 2023
Governance, risk, and compliance (GRC) is an operational strategy that helps organizations align IT activities to business goals, manage risk effectively, and stay in compliance with government and industry regulations.
The need to manage risk, adhere to regulations, and establish processes to govern those tasks has been part of running an organization as long as there have been businesses to run.
But those tasks have become increasingly critical to organizational success in the modern era, as the number of laws, the complexity of doing business, the types of risks, and the use of technology have exploded in recent decades.
Today even small-scale operations can have a global footprint, forcing them to contend with international laws and a slew of threats that could cripple or shutter their businesses if they’re not adequately managed.
As a result, managing risks and ensuring compliance to rules and regulations along with the governing mechanisms that guide and guard the organization on its mission have morphed from siloed duties to a collective discipline called GRC.
What is GRC?
Governance, risk, and compliance (GRC) is an operational strategy for managing an organization’s overall governance, enterprise risk management, and regulation compliance efforts. This disciplined approach enables an organization to align its governance, risk, and compliance endeavors to its strategic goals, business objectives, and the technology that enables its operations.
“GRC is overarching. It sets the tone and the strategy; it defines the policies and the procedures and what the expectations are,” explains Lisa McKee, director of governance, risk, compliance, and privacy at American Security and Privacy, as well as a member of the Emerging Trends Working Group with the governance association ISACA.
McKee compares GRC to roadways and driving laws, which establish lanes, boundaries, and limits as well as freeways so that drivers (like organizations) can get where they want to go as fast as they can while also minimizing the potential for mishaps by following established regulations and road signs.
Why is GRC important?
A well-planned GRC strategy produces significant benefits, including improved decision-making, more optimal IT investments, elimination of silos, and reduced fragmentation among divisions and departments.
Due to its increasing importance, GRC has become a high-level function within many organizations, with responsibilities and accountability for GRC assigned to C-level executives. Best practices, framework and technology have been developed to support this work.
“GRC is important in the modern business landscape for multiple reasons. With the increase of data privacy and protection laws, globalization, and interconnectedness, the regulatory environment has become more complex,” says Chris Stanley, content developer for the CGRC exam at training and certification organization ISC2. “This level of complexity requires a robust GRC framework to assist an organization with avoiding reputational damage and legal penalties.”
Stanley also notes that “technology advances, like AI, IoT and cloud computing, have also introduced compliance challenges and new cybersecurity threats.”
He adds: “Stakeholders trust organizations to protect privacy and data, and those stakeholders are increasingly holding organizations, including individuals at an organization, accountable. A strong GRC framework supports corporate responsibility and in turn increases investor confidence and financial stability.”
Even so, many organizations are still building up their GRC capabilities.
A 2023 survey of more than 1,300 respondents from around the globe who either influence or manage their organization’s risk and compliance programs found that only 53% rated their programs as mature. Furthermore, the State of Risk & Compliance Report, from GRC software maker NAVEX, found that 20% described their programs as early stage.
Breaking down what GRC stands for
Each element within GRC has its own objectives and processes, as outlined below.
Governance: The governance aspect of GRC aims to ensure that organizational activities, such as managing IT operations, align in ways that support the organization’s business goals while also adhering to the organization’s established risk parameters and compliance needs.
“Governance is who does what, how, and based on what data,” says Tilcia Toledo, senior managing director with FTI Consulting. “Governance is about who is in the room, what are they allowed to do or not do, what’s the data they rely on, and what’s the cadence of their actions.”
Toledo says governance applies to multiple levels within the organization, ensuring that the board, management, and workers understand the rules, follow the rules, and face consequences when they don’t.
Risk: The risk management component of GRC ensures that any risk associated with organizational activities is identified and addressed in a way that supports the organization’s business goals. In the IT context, this means having a comprehensive IT risk management process that rolls into an organization’s enterprise risk management function.
Risk speaks to the organization’s risk appetite, which establishes the risks that it is comfortable taking and those it does not, and then managing the residual risk — that is, the risks that remain even after controls for unacceptable risks have been implemented.
“Risk is about where the organization wants to play and where it does not want to play. It is about those boundaries it does not want to cross at this time,” Toledo adds, noting that enterprise risk is constantly evolving.
Compliance: The compliance function within GRC is aboutmaking sure that organizational activities happen in a way that meets the laws and regulations relating to those activities. For example, this means making sure that IT systems and the data contained in those systems are used and secured properly.
Compliance encompasses the laws and regulations that the organization must follow as it executes its strategy, Toledo explains. “In other words, what are the laws and the regulatory environment in which the business operates.”
Although governance, risk, and compliance each focus on specific requirements, Toledo says they overlap and work together. For example, the risk function relies on governance practices to mitigate risk by implementing controls and by alerting supervisors if actions go outside the organization’s risk boundaries.
The strategic nature of GRC in the digital era
Governance, risk and compliance have been longstanding elements for organizational success, but enterprise executives and GRC experts say GRC has become more of a top priority for organizations due to the increasing complexity of doing business in a digital era where being globally connected is standard, not the exception.
Modern threats such as cyberattacks and data breaches have heightened the need for a strong GRC strategy within all organizations, and the growing volume of laws and regulations around protecting and securing data also puts pressure on organizations to have a mature GRC function. So, too, do the consequences of falling short in any of the three areas, as organizations that suffer a successful cyberattack or fail to protect the data it holds can be significant if not catastrophic.
“I view GRC as something that is strategic because when it is functioning properly, it protects the organization. It helps preserve it and retain things like a strong reputation,” Toledo says.
How GRC works in the enterprise
Like other parts of enterprise operations, GRC comprises a mix of people, process, and technology.
To implement an effective GRC program, enterprise leaders must first understand their business, its mission, and its objectives, according to Ameet Jugnauth, the ISACA London Chapter board vice president and a member of the ISACA Emerging Trends Working Group.
Executives then must identify the legal and regulatory requirements the organization must meet and establish the organization’s risk profile based on the environment in which it operates, he says.
“Understand the business, your business environment (internal and external), your risk appetite, and what the government wants you to achieve. That all sets your GRC,” he adds.
The roles that lead these activities vary from one organization to the next. Midsize to large organizations typically have C-level executives — namely a chief governance officer, chief risk officer, and chief compliance officer — to oversee these tasks, McKee says. These executive lead risk or compliance departments with dedicated teams.
Smaller companies typically task GRC responsibilities to either directors or managers —a compliance manager or director or risk management — or they may assign GRC responsibilities to other executives.
GRC roles and responsibilities
According to Stanley, GRC often cascades down from the top tiers of leadership, with roles and responsibilities breaking down as follows:
- Board of directors: provides oversight and approval of policies and strategic decisions
- CEO: provides leadership and ensures GRC efforts are adequately resourced
- Chief risk officer: provides leadership for risk management efforts, such as the assessment and reporting of risks to the board and executive management
- Chief compliance officer: provides compliance oversight and training and communication regarding compliance
- CIO/CTO: provides risk management for technology and digital assets, as well as and compliance and security for all IT
- CFO: provides compliance and reporting on financial regulations and risk management of an organization’s financials
- Legal: provides compliance to all legal requirements while managing legal risks
- HR: implements HR-related GRC policies, such as an authorized use policy and employee behavior policies
- IT: provides data protection and security with policies and controls
- Department heads: implement GRC processes and controls within their respective departments and identify and manage risks specific to their department
- Internal audit: provides independent evaluation and recommendations for improvement
- Employees: adhere to policy and report any risk or compliance issues they observe
“There are also cross-functional GRC teams stood up for specific GRC initiatives, combining expertise from various departments,” Stanley adds.
Even so, GRC responsibility and accountability is shared, and they often roll up to the highest levels of the organization, with CEOs ultimately responsible and accountable, experts say.
GRC certifications
Although GRC professionals have various academic and professional backgrounds, many have earned certifications focused on risk, compliance, and/or governance, including the following.
- ISACA Certified Information Security Manager (CISM)
- ISACA Certified in Risk and Information Systems Control (CRISC)
- ISACA Certified Information Systems Auditor (CISA)
- ISC2 Certified in Governance, Risk and Compliance (CGRC)
- OCEG GRC Professional (GRCP)
- OCEG GRC Auditor (GRCA)
Other options include the Institute of Internal Auditors’ Certified Internal Auditor (CIA) certification, with a focus on compliance, and the Certification in Risk Management Assurance (CRMA), with a focus on risk.
GRC frameworks
GRC leaders typically use a framework to organize and execute GRC duties. GRC frameworks, like all frameworks, specify clearly defined measurables that shine a light on the effectiveness of an organization’s GRC efforts, providing building blocks that organizations can (and should) tailor to their environment.
Frameworks include:
- ISACA’s COBIT for IT governance
- ISACA’s IT Risk Framework
- COSO for internal controls
- Various NIST frameworks and standards
GRC software
GRC software also supports enterprise GRC programs by enabling organizations to create and coordinate policies and controls, as well as to map them to regulatory and internal compliance requirements.
These software options, typically offered as subscription-based SaaS, also automate many processes, which increases efficiency and reduces complexity.
GRC culture
Although frameworks help organizations establish solid GRC programs and GRC software help enable them, the decision-making, resource and portfolio management, risk management, and regulatory compliance functions included in such frameworks will not be effective unless the organization’s executive leadership also supports cultural change.