
8/12/2016

Governance, risk management, and compliance - Wikipedia, the free encyclopedia

Governance, risk management, and compliance
From Wikipedia, the free encyclopedia

Governance, risk management, and compliance or GRC is the umbrella term covering an organization's approach across these three areas: Governance, risk management, and compliance.[1][2][3]

Contents
1 Overview
2 GRC topics
2.1 Basic concepts
2.2 GRC market segmentation
2.3 GRC product vendors
2.4 GRC data warehousing and business intelligence
3 GRC research
4 See also
5 References
6 Further reading

Overview
"Governance, Risk Management, and Compliance (GRC) are three pillars that work together for the purpose of assuring that an organization meets its objectives. ... Governance is the combination of processes established and executed by the board of directors (BOD) that are reflected in the organization's structure and how it is managed and led toward achieving goals. Risk management is predicting and managing risks that could hinder the organization to achieve its objectives. Compliance with the company's policies and procedures, laws and regulations, strong and efficient governance is considered key to an organization's success."[4]

GRC is a discipline that aims to synchronize information and activity across governance, risk management and compliance in order to operate more efficiently, enable effective information sharing, more effectively report activities and avoid wasteful overlaps. Although interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.

Organizations reach a size where coordinated control over GRC activities is required to operate effectively. Each of these three disciplines creates information of value to the other two, and all three impact the same technologies, people, processes and information.

Substantial duplication of tasks evolves when governance, risk management and compliance are managed independently. Overlapping and duplicated GRC activities negatively impact both operational costs and GRC metrics. For example, each internal service might be audited and assessed by multiple groups on an annual basis, creating enormous cost and disconnected results. A disconnected GRC approach will also prevent an organization from providing real-time GRC executive reports. Like a badly planned transport system, every individual route will operate, but the network will lack the qualities that allow them to work together effectively.

https://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance

If not integrated, if tackled in a traditional "silo" approach, most organizations must sustain unmanageable numbers of GRC-related requirements due to changes in technology, increasing data storage, market globalization and increased regulation.

GRC topics
Basic concepts
Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.[5]

Governance of risk management is the attention given to preventing excessive risk management by keeping in mind the organisation's appetite for risk. Sufficient countermeasures are required rather than excessive, unnecessary and pointless measures. The risk of risk management is that the good intentions become wasteful expenditure or impediments to growth, innovation and opportunity.

Risk management is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.

Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.

GRC market segmentation
A GRC program can be instituted to focus on any individual area within the enterprise, or a fully integrated GRC is able to work across all areas of the enterprise, using a single framework.

A fully integrated GRC uses a single core set of control material, mapped to all of the primary governance factors being monitored. The use of a single framework also has the benefit of reducing the possibility of duplicated remedial actions.

When reviewed as individual GRC areas, the three most common individual headings are considered to be Financial GRC, IT GRC, and Legal GRC.

Financial GRC relates to the activities that are intended to ensure the correct operation of all financial processes, as well as compliance with any finance-related mandates.
IT GRC relates to the activities intended to ensure that the IT (Information Technology) organization supports the current and future needs of the business, and complies with all IT-related mandates.
Legal GRC focuses on tying together all three components via an organization's legal department and chief compliance officer.

Analysts disagree on how these aspects of GRC are defined as market categories. Gartner has stated that the broad GRC market includes the following areas:
Finance and audit GRC
IT GRC management
Enterprise risk management.

They further divide the IT GRC management market into these key capabilities. Although this list relates to IT GRC, a similar list of capabilities would be suitable for other areas of GRC.

Controls and policy library
Policy distribution and response
IT Controls self-assessment and measurement
IT Asset repository
Automated general computer control (GCC) collection
Remediation and exception management
Reporting
Advanced IT risk evaluation and compliance dashboards

GRC product vendors
The distinctions between the sub-segments of the broad GRC market are often not clear. With a large number of vendors entering this market recently, determining the best product for a given business problem can be challenging. Given that the analysts don't fully agree on the market segmentation, vendor positioning can increase the confusion.

Due to the dynamic nature of this market, any vendor analysis is often out of date relatively soon after its publication.

Broadly, the vendor market can be considered to exist in 3 segments:

Integrated GRC solutions (multi-governance interest, enterprise wide)
Domain specific GRC solutions (single governance interest, enterprise wide)
Point solutions to GRC (relate to enterprise wide governance or enterprise wide risk or enterprise wide compliance but not in combination.)

Integrated GRC solutions attempt to unify the management of these areas, rather than treat them as separate entities. An integrated solution is able to administer one central library of compliance controls, but manage, monitor and present them against every governance factor. For example, in a domain specific approach, three or more findings could be generated against a single broken activity. The integrated solution recognizes this as one break relating to the mapped governance factors.

Domain specific GRC vendors understand the cyclical connection between governance, risk and compliance within a particular area of governance. For example, within financial processing, a risk will either relate to the absence of a control (need to update governance) and/or the lack of adherence to (or poor quality of) an existing control. An initial goal of splitting out GRC into a separate market has left some vendors confused about the lack of movement. It is thought that a lack of deep education within a domain on the audit side, coupled with a mistrust of audit in general, causes a rift in a corporate environment. However, there are vendors in the marketplace that, while remaining domain specific, have begun marketing their product to end users and departments that, while either tangential or overlapping, have expanded to include the internal corporate internal audit (CIA) and external audit teams (tier 1 big four AND tier two and below), information security and operations/production as the target audience. This approach provides a more 'open book' approach into the process. If the production team will be audited by CIA using an application that production also has access to, this is thought to reduce risk more quickly, as the end goal is not to be 'compliant' but to be 'secure,' or as secure as possible.

Point solutions to GRC are marked by their focus on addressing only one of its areas. In some cases of limited requirements, these solutions can serve a viable purpose. However, because they tend to have been designed to solve domain specific problems in great depth, they generally do not take a unified approach and are not tolerant of integrated governance requirements. Information systems will address these matters better if the requirements for GRC management are incorporated at the design stage, as part of a coherent framework.[6]

GRC data warehousing and business intelligence
GRC vendors with an integrated data framework are now able to offer custom-built GRC data warehouse and business intelligence solutions. This allows high-value data from any number of existing GRC applications to be collated and analysed.

The aggregation of GRC data using this approach adds significant benefit in the early identification of risk and business process (and business control) improvement.

Further benefits to this approach include (i) it allows existing, specialist and high-value applications to continue without impact, (ii) organizations can manage an easier transition into an integrated GRC approach because the initial change is only adding to the reporting layer, and (iii) it provides a real-time ability to compare and contrast data value across systems that previously had no common data scheme.

GRC research
A publication review carried out in 2009 found that there was hardly any scientific research on GRC. The authors went on to derive the first GRC short definition from an extensive literature review. Subsequently the definition was validated in a survey among GRC professionals. "GRC is an integrated, holistic approach to organisation-wide GRC ensuring that an organisation acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness."

The authors then translated the definition into a frame of reference for GRC research.

Each of the core disciplines Governance, Risk Management and Compliance consists of the four basic components: strategy, processes, technology and people. The organisation's risk appetite, its internal policies and external regulations constitute the rules of GRC. The disciplines, their components and rules are now to be merged in an integrated, holistic and organisation-wide (the three main characteristics of GRC) manner aligned with the (business) operations that are managed and supported through GRC. In applying this approach, organisations long to achieve the objectives: ethically correct behaviour, and improved efficiency and effectiveness of any of the elements involved.[7]

See also
Conformity assessment
ISO 19600:2014
Records management
Regulatory compliance

References
1. Anthony Tarantino (2008-02-25), Governance, Risk, and Compliance Handbook, ISBN 978-0-470-09589-8
2. Denise Vu Broady; Holly A. Roland (2008-04-25), "The ABCs of GRC", SAP GRC For Dummies, ISBN 978-0-470-33317-4
3. Silveira, P., Rodriguez, C., Birukou, A., Casati, F., Daniel, F., D'Andrea, V., Worledge & C., Zouhair, T. (2012), Aiding Compliance Governance in Service-Based Business Processes, IGI Global, pp. 524-548, retrieved 2013-04-06
4. Kurt F. Reding, Paul J. Sobel, Urton L. Anderson, Michael J. Head, Sridhar Ramamoorti, Mark Salamasick, Cris Riddle (2013), "Internal Auditing: Assurance & Advisory Services"
5. Lamm, Blount, etc., Under Control: Governance Across the Enterprise, retrieved 2013-04-06
6. Bonazzi, R., Hussami, L. & Pigneur, Y. (2009), "Compliance Management is Becoming a Major Issue in IS Design", in D'atri, Alessandro; Saccà, Domenico, Information Systems: People, Organizations, Institutions, and Technologies (PDF), Springer, pp. 391-398, doi:10.1007/978-3-7908-2148-2, retrieved 2013-04-06
7. Racz, N., Weippl, E. & Seufert, A. (2010), Bart De Decker; Ingrid Schaumüller-Bichl, eds., A frame of reference for research of integrated GRC, Communications and Multimedia Security, 11th IFIP TC 6/TC 11 International Conference, CMS 2010 Proceedings, Berlin: Springer, pp. 106-117, ISBN 978-3-642-13240-7

Further reading
Adam Krug (2011-04-12), "Governance Risk and Compliance & HSE Software System Case Studies (http://www.cmocompliance.com/GRC_HSEQ_Safety_Environment_Software_Implementation_Case_Studies.html)", Case Studies 134
Radovan Semancik (2016-02-17), "Access Certification in midPoint (https://evolveum.com/blog/accesscertificationinmidpoint/)"

Retrieved from "https://en.wikipedia.org/w/index.php?title=Governance,_risk_management,_and_compliance&oldid=729340969"
Categories: Business software, Enterprise modelling
This page was last modified on 11 July 2016, at 15:04.