GRC - The Pathway to Principled Performance
If Principled Performance is the goal, then integrated GRC is the pathway to get there.
GRC is an acronym that denotes governance, risk, and compliance — but the real story of GRC is so much more
The acronym GRC was invented as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management and assurance of performance, risk, and compliance activities.
This includes departments like internal audit, compliance, risk, legal, finance, IT, and HR, as well as the lines of business, the executive suite, and the board itself.
Though the acronym GMAPRCFLITHROps may have been more inclusive, 3-letter acronyms are more memorable.
Nothing New. Totally Revolutionary.
It is important to remember that organizations have been governed, and risk and compliance have been managed, for a long time — in this way, GRC is nothing new.
However, many have not approached these activities in a mature way, nor have these efforts supported each other to enhance the reliability of achieving organizational objectives. In a forward-thinking organization, GRC is viewed as a well-coordinated and integrated collection of all of the capabilities necessary to support Principled Performance at every level. GRC doesn’t burden the business; it supports and improves it. In this way, GRC is totally revolutionary.
Organizations are also dealing with today’s challenging business climate. Even small businesses, nonprofits, and government agencies are facing issues that only large companies had to face in the past. Think of how many of these factors you have to deal with:
- Stakeholders demand high performance along with high levels of transparency
- Regulations and enforcement are ever-changing and unpredictable
- Exponential growth of third-party relationships and risk is a management challenge
- The costs of addressing risks and requirements are spinning out of control
- The harsh (and scary) impact when threats and opportunities are not identified
The confidence of GRC professionals and executives to make the right strategic decisions becomes its own form of risk.
GRC Done Wrong
Our GRC Maturity Survey finds that disjointed GRC activities cause a number of problems.
To address these drivers, organizations develop departments and programs such as performance management programs, risk management programs, compliance programs, corporate social responsibility programs, and so on. Unfortunately, these departments and programs are often siloed and ineffective, and they yield troubling drawbacks such as:
- High costs
- Lack of visibility into risks
- Inability to address third-party risks
- Difficulty measuring risk-adjusted performance
- Too many negative surprises
When these activities are siloed, it is highly likely that wrong or counter-productive objectives will be established, sub-optimal strategies will be selected, and performance will not be optimized.
GRC Done Right
Integrating GRC capabilities does not mean creating a mega-department of GRC and doing away with decentralized or programmatic approaches to risk and compliance management.
Nor does it necessarily call for the use of only one GRC technology system. Rather, it is about establishing an approach that ensures the right people get the appropriate and correct information at the right times, that the right objectives are established, and that the right actions and controls necessary to address uncertainty and act with integrity are put in place.
When GRC is done right, the benefits accrue. Organizations that integrate GRC processes and technology across all or many silos have:
- Reduced costs
- Reduced redundant or duplicative activities
- Reduced impact on operations
- Achieved greater information quality
- Achieved greater ability to gather information quickly and efficiently
- Achieved greater ability to repeat processes in a consistent manner
With the help of a panel of over 100 experts, OCEG embodied best practices in the GRC Capability Model (commonly called the OCEG Red Book). The model:
- Unified vocabulary across disciplines
- Defined common components and elements
- Defined common information requirements
- Standardized practices for things like policies and training
- Identified communication for everyone involved, including strategic decision-makers
GRC requires YOU!
People in risk management, compliance, audit, security and ethics make it happen
As your organization drives toward objectives, it can be difficult to stay within mandated boundaries (laws and regulations) and the voluntary boundaries that you set for yourself (company values and promises). It takes more than words. It takes systems and actions that YOU design and operate.