What's GRC? Governance, Risk & Compliance Explained

Enterprises these days are facing a triple threat: stiffer government policies, volatile cyberspace, and an extra-competitive economy. And without a well-planned strategy, it will be hard to survive all these and hit high-performance goals. Hence the need for an effective GRC strategy.

Since its invention in 2003, GRC as a strategy for achieving organizational goals amidst uncertainty and with integrity and has stayed true to its primary purpose despite the increasing turbulence in the economy.

In this piece, we’ll unpack the important bits about GRC. This includes:

• What GRC is
• Benefits of GRC
• Challenges with GRC
• How to implement a GRC strategy

What is Governance, Risk, and Compliance (GRC)?

GRC is the abbreviation for Governance, Risk, and Compliance. It’s a system that enables organizations to:

• Reach their objectives ethically. 
• Protect their assets.
• Align actions with expectations and regulatory requirements.

At its core, GRC is a way of ensuring organizations achieve principled performance. What this looks like in its different forms will be discussed later in the piece. For now, let’s go into more detail on the pillars or components of GRC.

Governance

Governance in GRC has no political connotations. Instead, it has to do with steering the ship of an organization — what its business model should look like, how to make crucial decisions, how departments are to collaborate, and the company’s ultimate goal. It’s all about laying the groundwork for operations.

You’re more likely to find governance activities handled by the leadership team. Governance leads to alignment by ensuring people, processes and technology align with the company’s goal.

Consider how DevOps ensures the IT and development departments are aligned on a goal; governance does this on a broader scale across more departments. This time, starting from the leaders to the employees. It plays out in areas like:

• Corporate strategy
• Organizational structure
• Internal communication and reporting
• Employee engagement
• Stakeholder relationship

For governance to work, every initiative must be critically evaluated, planned and backed by data and credible sources.

(Learn about data governance, one type of enterprise governance.)

Risk 

Here’s where we find the relevance of cybersecurity in GRC. Risk refers to any incident that distorts company operations and leads to colossal damage on different levels. It could be cyber threats and online attacks — cyber risk management — as well as financial, legal, and strategic risks. GRC includes a risk management program that will forestall and handle such incidents to ensure no interruption in the company’s operations. Risk management initiatives include:

• Auditing
• Risk assessment
• Risk control

(Related reading: risk management frameworks & business continuity & business resilience.)

Compliance

Shorthand for regulatory compliance, compliance is the observance and implementation of processes, rules, regulations, and policies that may come from regulatory bodies, industrial bodies, and even internal corporate departments. In discussing compliance, issues around ethics and legal obligations are brought to the fore. It has much to do with how companies...

• Interact with their customers.
• Follow tax rules.
• Stay free of fraud.

A compliant organization has fewer chances of getting hit by sanctions, fines, or even tainting its image. Hence, compliance can impact a company’s reputation and growth. 

(Related reading: continuous compliance & compliance-as-a-service.)

How to implement a GRC strategy

Oslo East Consulting Group (OECG), the organization behind GRC, has a handbook detailing all you need to know about GRC implementation called its capability model book.  However, here’s an easy five step process you can use to launch a GRC strategy in your organization:

1. Nail your why: Outlining the driver for the GRC strategy helps you develop a more precise action plan for your GRC strategy. For instance, an organization that has to curb repeated cyberattacks on its database will channel its resources and go for a more focused risk management GRC.
2. Get executive buy-in: The organization’s leaders must know the GRC framework you have in mind before you get the ball rolling. Also, since GRC works with a top-to-bottom approach, compliant management makes employees more likely to be compliant.
3. Opt for GRC software: At the enterprise level, technology exists for different tasks, and GRC is no exception. The right GRC product will give the best results, save time through automation and be customizable to fit your plan. Anything short of this can ruin your GRC strategy and slow its implementation.
4. Carry out small-scale testing: GRC is cost-intensive. Before you launch a company-wide strategy, be sure there’s a guarantee of results with the solutions you’ve come up with. So, start with one component only or a GRC-related issue in the company before increasing your momentum.
5. Track progress: You can’t manage what you don’t measure, and this quote is relevant to GRC implementation. You won’t know how far you’ve gone without monitoring your efforts and what needs to be tweaked. So, keep track of your milestones to guarantee success with this strategy.

The GRC capability model

Also known as OCEG Red Book, the GRC Capability Model enables organizations to achieve principled performance — objectives, ability to manage risks, and follow regulatory requirements.  This model can be used across various industries and subject areas to achieve principal performance in small and large businesses.

This model consists of 4 primary segments:

• Learn: Understand the organization's culture, values, and key stakeholders to set objectives and manage expectations. 
• Align: Here, you strategically ensure your actions are tied to the objectives while keeping identified risks in check.
• Perform: This is all about ensuring you get the desired outcomes while being proactive, resolving bottlenecks, and mediating issues.
• Review: Assess the objectives, evaluate your actions, and make changes when needed to improve the current approach.

GRC frameworks

As we have tried to enforce in this article, GRC as a system helps organizations manage governance, risk and compliance. Depending on industry, geographic location, and objective, organizations could employ any of these GRC frameworks to mitigate risks better and make business decisions. Here are a few of the GRC frameworks:

• Integrated GRC Framework: This framework aims to provide each component of the GRC frameworks under a unified approach. OCEG GRC Capability Model and GRC-Pundit are a few examples.
• Risk/Compliance Management Frameworks: Here, we focus more on identifying, accessing, managing risk and ensuring compliance with regulations and industry standards. A few examples are COSO ERM, ISO 31000, and NIST Cybersecurity Framework.
• Modular GRC Framework: This framework is more flexible as each component of GRC is broken down into smaller, independent modules. A few examples are RSA Archer and Thomson Reuters Accelus.
• Specialized GRC Framework: Here, the GRC is tailored to address the industry's needs, regulatory requirements and compliance challenges. A few examples include HIPAA, PCI-DSS, and GDPR.
• Governance frameworks: This framework focuses more on designing a solid governance process to help guide decision-making and risk management — for example, BS 13500, COSO Enterprise Governance, and ISO 37000.

Benefits of the GRC framework

The first scholarly research paper on GRC, written in 2007 by Scott Mitchell, describes GRC as “a framework for driving principled performance.” This phrase — principled performance — captures the layers of benefits which companies with a solid GRC framework get to enjoy. Some of which are what we’ll look at now.

Enhanced productivity 

With GRC eliminating the siloed mentality at work, more hands will collaborate toward a goal aligned with the company’s vision. Issues around compliance and operational flow that would have disrupted output in your organization are also handled by an effective GRC strategy.

Strengthened cyber resilience

Just as compliance and governance lead to a healthy relationship with regulatory bodies, and higher productivity, risk management helps with cyber resilience. The flip side of this would be an organization battling with cybersecurity attacks that would have led to a loss in company profit and a tainted reputation (stories of cybercrimes over the years attest to this).

Reduced operational cost

By keeping up with changing regulations, a GRC strategy will help quell the constant fires between your organization and regulatory bodies. GRC software can also help rectify GRC-related errors, which are costly and can be recurring if not managed in time.

(Related reading: operational expenses vs. capital expenses.)

Increased transparency and visibility

With streamlined business operations courtesy of the GRC framework, monitoring what happens in an organization will be easier. By logging into the GRC software and going through the necessary reports, you can check out…

• Activities of different departments
• Areas that are improving
• Work that still needs to be done

Improved third-party business relationships

Business partnerships are common despite the shaky business landscape. But it won’t happen if your organization hasn’t nailed its internal operations or if such a partnership will put the other party at risk (of cyberattacks due to shared data or a tainted public image due to compliance issues). A solid GRC framework boosts an organization’s chances of partnering right as it says a lot about their integrity.

(Related reading: third-party risk management.)

GRC challenges (with solutions)

As impressive and practical as GRC is, there’s no guarantee it will work in all conditions. The following factors can kill the effectiveness of your GRC strategy.

Poor organizational culture

Updating regulatory and compliance policies can be a hassle in an organization with a poor working culture, especially one that is not flexible. Since GRC primarily works at enterprise levels, if the company is bureaucratic and has employees who struggle to keep up with trends, a GRC strategy won’t flourish as expected.

Solution: Before you implement a GRC strategy, do a pulse check on your organization's work culture. Are employees working under the right conditions? Are they being productive and given room to be creative? What kind of challenges does the HR team have on their desk?

With this, you’ll know whether GRC is the right step or whether you’ll need to spend more time building the company culture.

Flawed GRC implementation

There’s a reason why competent hands are employed to handle a GRC strategy, despite the availability of many GRC solutions. It’s because certain areas must be addressed manually and cross-checked by human eyes. If you compromise at any point while implementing, it will yield poor results and become a major expense for your organization.

Solution: there should be no shortcut when implementing GRC. Evaluate and work with the right software. Develop a thorough GRC plan that considers every tiny detail.

Lack of support from leadership

Every GRC implementation program must have buy-in from company executives. Initially, this may be easy to obtain to get the ball rolling. But as maintenance costs for the program accumulate, whether from the GRC software, restructuring or payment to regulatory bodies, organizations can become less enthusiastic about the strategy. What will be left is a strategy that’s no longer as holistic or effective.

Solution: Forming allies with critical members of an organization can help. This could be the CFO or any other on the management team. Such a person will help present a solid case for constant support for the program to stay consistent.

Poor data management

GRC is not a once-and-done concept. It has to be updated and reviewed occasionally. Data is the fuel that makes this possible. But suppose the different departments are not as forthcoming with the correct data, mainly due to their poor data structures. In that case, this can affect the credibility of the ongoing GRC program.

(Read more about effective data management.)

Splunk to the compliance rescue

In theory, the GRC framework sounds like a lot of work. And it is — only if you don’t know the right way to get started. Working with a software can make a huge difference in demystifying the myriad of GRC related issues your organization needs to tackle. Which is where Splunk comes in.

Learn about compliance with Splunk >

If you need to adhere to compliance requirements while reducing operational overhead, errors and costs, Splunk can drive this data-centric approach for compliance that is in your control. Essential compliance features of products including Splunk Cloud Platform, Splunk Enterprise and Splunk Enterprise Security include:

• Automated data collection
• Continuous risk assessment
• Easy reporting and auditing

Splunk software helps with security monitoring and data privacy issues, while providing operations visibility all on a single platform.