What Does GRC Mean – in Theory and in Practice?
There are three main components of GRC:
- Governance — Aligning processes and actions with the organization’s business goals
- Risk — Identifying and addressing all of the organization’s risks
- Compliance — Ensuring all activities meet legal and regulatory requirements
In the past, organizations often approached Governance, Risk, and Compliance as separate activities. Processes or systems were frequently created in response to a specific event – e.g., new regulations, litigation, a data breach, or an audit finding – with little thought as to how they fit within the whole. The result was a tangle of inefficiencies, redundancies, and inaccuracies, including:
- Lack of visibility into the complete risk landscape
- Conflicting actions
- Unnecessary complexity
- Inability to assess the cascading effects of risk
The reality is that there is plenty of overlap between Governance, Risk, and Compliance. Each of the three disciplines creates information of value to the other two – and all three impact the same technologies, people, processes, and information. An organization, for instance, might be subject to a new data-privacy regulation (a compliance activity), while also holding itself to certain internal data-protection controls (a governance activity), both of which help mitigate cyber risk (a risk management activity).
When the three disciplines of GRC are managed separately, there is substantial duplication of tasks. Multiple teams end up spending hours collecting the same data – and hours more untangling email threads and spreadsheets just to begin analysis.
More damaging, disconnected processes and a lack of transparency leave the organization blind to insights and interrelationships between risks, undermining the whole system by allowing gaps and redundancies in controls to go unnoticed. Siloed teams also have no understanding of how their particular domain influences the company’s risk position as a whole or its overall success.
In short, managing GRC in separate silos is a lot of extra effort – and that effort produces very little reward. Without an integrated view of all GRC-related activities, it’s nearly impossible to identify issues and inconsistencies. A damaging risk can easily slip by undetected and unaddressed because you couldn’t gauge the full impact until it was too late.