What is GRC and how does it work?
2 March 2023

The term GRC stands for governance, risk management and compliance. It describes an integrated set of capabilities that helps an organisation achieve its objectives while acting with integrity and accountability at every level. Governance covers the organisational structures through which direction is set and decisions are made: the roles, responsibilities and expectations of those in management positions and of the stakeholders to whom they answer. Risk management concerns how well an organisation identifies, assesses and treats the risks it faces, both those it can foresee and those it cannot. Compliance refers to the organisation's adherence to applicable laws and regulations, to its bylaws, and to its own internal policies, including those that define its security controls.

Other domains of GRC

While governance, risk management and compliance are the core disciplines that give GRC its name, its influence reaches a number of interconnected areas of an organisation, including IT governance, finance and audit, human resources, operations and supply chain. IT governance draws on GRC by adopting appropriate frameworks, procedures and policies so that technology decisions stay aligned with the organisation's objectives and its compliance obligations. Finance and audit are shaped by GRC throughout, since mechanisms such as internal control systems and audit practices are what allow the organisation to demonstrate transparency, accuracy and compliance with the relevant laws and regulations. In operations and supply chain management, GRC bears on product quality control, supply chain sustainability and vendor management. Human resources functions also benefit, as GRC informs work that falls within their remit, including employee diversity and inclusion, conduct, ethics and employee well-being.

The inevitable link between risk management and business continuity management

Risk management is often considered the heart of GRC. Where risk management aims to prevent or reduce problems before they occur, business continuity management commits an organisation to a plan prepared in advance and requires it to act on that plan when the worst outcomes materialise. The more robust the risk management practice an organisation builds into its overall management system, the more judicious and measured its planning and preparation can be for the unwanted consequences of its own activities, for cyber-attacks, natural disasters, pandemics and similar events. In other words, strong risk management tells an organisation which areas its business continuity planning should prioritise when a threat is on the horizon. Business continuity management, in turn, is itself a powerful means of mitigating risk, because a tested recovery capability reduces the impact of events that cannot be prevented. The two disciplines are so interdependent that treating them in silos can cause an organisation real harm.

To make business continuity management work, organisations need continuous monitoring and testing and consistent cross-functional collaboration; without a risk management strategy, or with a flawed or inaccurate one, the organisation can sink. The recent failures of two US banks (Silicon Valley Bank and Signature Bank) and the forced rescue of a Swiss bank (Credit Suisse), each attributed in large part to poor risk management, are a wake-up call not only for the financial industry but for organisations of every size in other sectors such as health and food.

Successful GRC implementation

Organisations should address the GRC components through appropriate mechanisms in order to keep business operations running smoothly and to avoid any doubt about whether their GRC function is effective. The benefits of adopting a GRC strategy are considerable, and it is no exaggeration to say that organisations lacking a well-defined GRC strategy are more likely to fail than those that have one. On the key to a successful, well-defined GRC strategy, Joanna Grama, director of cybersecurity and IT GRC programs for EDUCAUSE, said: "Implementing a framework will never be successful unless the organisation's culture evolves to support GRC activities."

There are other ways to implement GRC successfully in an organisation; however, adopting GRC software tools is widely regarded as the most practical approach, since such tools centralise the risk register, the mapping of controls to requirements and the collection of evidence that auditors and regulators ask for.