Updated: May 29, 2020
GRC is an acronym used to describe three functions: governance, risk, and compliance. The use of GRC originated from the management consulting world to bridge the gap between the board and the CEO to ensure that proper oversight, appropriate risk, and legal and regulatory requirements are properly met as evidenced primarily through audits.
The focus of GRC has mostly concerned itself with meeting legal and regulatory requirements applied to finance, ethical code of conduct, and IT. It is not uncommon to have separate company officers each responsible for each of these functions operating independently and in silos.
However, GRC is changing and now extends to the operations and management ranks of the organization. One way to think about GRC is that it provides the context by which the "ends" defined by the board are met through the "means" of the organization. The most important part of this context is culture, through which the values of the organization are manifested.
In recent years, there has been an increasing desire to integrate GRC across its functions and throughout the organization. The non-profit organization OCEG is one of the groups that has worked to advance the area of GRC. Other bodies, such as COSO (Enterprise Risk Management Framework) and ISO, are also extending their domains to tackle this area.
The primary drivers for GRC have come from its roots based on the Department of Justice (DOJ) sentencing guidelines. Fundamentally, GRC started as a way to:
Prevent Loss, and
Audit and Control
The primary emphasis from a systems and process perspective has been on the audit function to verify that organizations are conforming to legal and regulatory requirements.
The focus on audits parallels similar approaches applied to quality, safety and environmental programs. These programs have been based on reactive models characterized by lagging indicators, audit-fix cycles, and management controls. Correcting non-conformances after the fact is better than not addressing them at all; however, it is not enough when there is loss of life, loss of reputation, loss of stakeholder trust, and more generally where the effects of non-conformance are irreparable.
As an example, with quality it is well known that you cannot inspect quality into a product; you must design it in. Therefore, to improve quality you need a proactive approach that anticipates, plans, and then acts to embed quality into the product and manufacturing processes. This is why ISO 9001 has recently added risk-based thinking, along with a focus on outcomes, to its standard. Risk-based thinking is fundamentally a proactive process which counterbalances the reactive processes implemented by quality control and the audit function.
Unfortunately, GRC appears to be preoccupied with this same reactive model, correcting things after they have already occurred. There is an increasing emphasis on extending the audit role and driving it further down into the organization. This audit-based approach will exact a heavy burden on organizations. A conservative estimate of the cost of compliance (excluding the other GRC functions) is 10% of a worker's time and salary just dealing with regulations. In high-risk industries this can easily be between 20% and 30% to support all the necessary quality, safety, regulatory, environmental, and dozens of other programs. It is easy to imagine that if compliance continues on its present course, compliance will require:
one person to ensure that compliance is met for every person doing the work.
Clearly, this approach is not sustainable or desirable for compliance, nor for GRC as a whole.
The reactive model on which GRC is currently based is not enough to achieve the desired outcomes for GRC never mind the outcomes for the organization. To effectively bridge the gap between the board and the CEO, a holistic approach is needed based on proactive behaviors and practices.
A proactive model would function as a regulated system (in the technical sense) focused on outcomes, threats and opportunities, and building in compliance in the same way that quality is designed into products and services. GRC would now serve as a means to improve organizational effectiveness by:
Regulating (steer towards) outcomes,
Ensuring (make certain) outcomes are achieved, and
Assuring (confirm) that outcomes were met.
Reportedly, 70% of companies do not measure the effectiveness of their compliance programs, and the same is expected to be true of GRC programs. By following a proactive approach, GRC is now able to properly evaluate effectiveness by the progress made towards outcomes and the costs incurred to make certain of and confirm that progress.
Having clearly identified goals is essential for management to properly take ownership of its obligations. Proper delegation of accountabilities across the organization prevents GRC from being seen as a tyrannical force that replaces managerial accountability.
GRC works better when seen as a capstone that connects management to the board. Architecturally, capstones connect supporting members that bear the majority of the forces. A capstone does not itself bear the primary load; however, without it, the other members cannot. This same concept can serve as the ideal for how GRC could function.
In summary, a proactive approach to GRC allows companies to realize the benefits of GRC rather than only achieving conformance to prescribed rules. It offers a better way of steering (regulating) an organization to improve the chances of achieving its outcomes by connecting risk management to operational objectives and outcomes. Proactive GRC also does not compete with or remove managerial accountability, but rather acts as a capstone that connects all aspects of an organization so it can carry the full load necessary for it to meet all of its obligations.