A commonly accepted definition of Integrated Governance, Risk, and Compliance Management [Racz et al. (2010)] – “a holistic approach that ensures an organisation acts ethically and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, to improve efficiency and effectiveness.” Closely related concerns, GRC activities are becoming integrated and aligned in order to avoid conflicts, wasteful overlaps, and gaps.
Governance in general terms, is the formal system, processes and authority by which an entity conducts itself using a combination of management information and hierarchical management control structures. These are the policies, standards and guidelines that an organization has chosen to represent its rules system. If a company has unclear governance, it will be obvious in the ways and manner in which it conducts business. There will be a lack of accurate information, unclear lines of reporting, communication will be stifled, there will seem to be multiple ways to get things done, and there will be confusion as to who does what, and who should be doing what. Roles and responsibiilties tend not be formalized, accountability is usually determined by finger pointing exercises, and fire-fighting will inevitably become the daily routine.
Risk Management is the formalized process that management uses to identify, analyze and respond appropriately to risks that might affect realization of business objectives. The response to risks typically depends on their perceived impact, and involves controlling, avoiding, accepting or transferring risks to a third party. Risk Management requires a methodology, derived from Governance, that describes what a risk is, how it will be measured, recorded, and tracked, how it affects the company, what the tolerance of risk is within the organization, and what types of mitigation strategies and controls are available or are in play. Without risk Management, the organization is reduced to guessing as to which direction they should move, whether an investment is worthwhile or likely to produce returns, or what the organization’s position is.
Compliance contains a broad category of topics, but is most often used to refer to Regulatory Compliance. Regulatory Compliance is the minimalist strategy used to ensure that the manner in which the business conducts itself is within the boundaries of legal and industry regulations. These regulations are mandated, not optional, and will speak to specific concerns, such as Privacy legislation, or personal information handling laws, but Security standards, practices, internal policies, and other governance materials are also measured and administered through compliance directives. Individual metrics are developed under the compliance auspices in line with auditing practices, and are audited against to determine conformity.
Each of the terms in the GRC acronym has different objectives, but the same goal. Governance delivers the rules of engagement, Risk Management delivers decision guidance, Compliance delivers a standardized metric system for reporting successful policy adoption and conformity. There is a lot of overlap and interdepenencies in the 3 elements, all are built using the same 4 components (Strategy, Process, Technology, People) but each is unique. Together they present a solid foundation for sustainability, consistency, efficiency, and transparency of Information Security and business functions.
Quite often, several areas of a business may define GRC for themsleves out of necessity. It is common for mature Financial departments to have robust GRC processes developed. IT will often embark on a strategy to formalize their own GRC in order to streamline and sometimes align their operations. Legal teams will adopt GRC as a means to stay current and effective due to the volatility of their discipline. Privacy and Security groups have migrated towards GRC as their environments have become more complex. Unifying or integrating these GRC efforts further reduces complexity, aligns processes providing common inputs and outputs, and reduces costs.