GRC is an acronym for governance, risk, and compliance. The term originated in the management consulting world to describe the processes needed to bridge the gap between a board and the CEO. GRC establishes the context by which the "ends" defined by the board are met through the "means" of the organization.
The primary drivers for GRC originally stem from the United States Federal Sentencing Guidelines for Organizations (issued by the U.S. Sentencing Commission), which gave companies an incentive to:
Avoid prosecution,
Prevent loss, and
Demonstrate compliance
The purpose of GRC is to provide oversight, manage risk, and assure that legal and regulatory requirements are met. Evidence that these processes work is gathered through audits conducted by internal audit functions, sometimes with the help of third parties.
GRC has mostly concerned itself with meeting prescriptive regulation applied to finance, codes of conduct, and more recently data privacy (IT). The primary mechanism by which this is done is the audit function. In fact, for many companies the words compliance, audit, and even GRC are used interchangeably. This is indicative of companies that use an audit-fix cycle as the means of steering their organizations.
This method of governance has been used for years to assure the integrity of financial statements and to correct non-compliant processes. However, it is too slow and acts too late to address non-conformance whose effects are irreparable: loss of life, reputation, or stakeholder trust.
Unfortunately, when compliance only has an audit "hammer", everything looks like a nail, which increases the tendency to "double down" on audits. This has the side effect of reinforcing the reactive behaviours that created the need for more audits in the first place. As one board member asked, “how do we get ahead of all this?” This is the question that GRC is fundamentally trying to answer.
In addition to a compliance role, companies may also have a risk management function. This is gaining more support but suffers from a lack of effectiveness. Risk management at the corporate level has more to do with decisions about investments than with buying down risk so that the outcomes of decisions already made are actually achieved. The latter requires risk management approaches more aligned with improving safety than with calculating value at risk.
In recent years there has been an increased desire to integrate GRC across its functions (G, R, and C) and throughout the organization. The non-profit organization OCEG is well known in the industry as a leader in advancing this direction, although other bodies, such as COSO (with its Enterprise Risk Management framework) and ISO, are also extending their bodies of knowledge to create more integrated frameworks. However, most of the work to date has focused on improving audit efficiency and consolidating existing practices; very little has been done to improve effectiveness.
To effectively bridge the gap between the board and the CEO, GRC must go beyond simply integrating disparate processes and improving efficiencies. A more holistic approach is needed based on proactive behaviours and practices.
One way to accomplish this is by viewing GRC as a capstone that connects management to the board rather than as isolated functions that sit outside the board and organizational structures.
Architecturally, a capstone connects the supporting members so that together they can carry the full weight. Critically, the capstone does not bear the primary load itself, yet without it the other members cannot carry their forces.
This approach can serve both as an overarching framework and as an ideal for how GRC could be more effective. GRC would not bear the primary weight of governance, risk, and compliance, but would connect the board and organizational structures so that they can.
GRC would become a form of self-regulation, which is another way of describing its purpose. In this context, GRC provides the processes to advance outcomes, to address the threats that hinder and the opportunities that help in achieving those outcomes, and to embed conformance in the same way that quality and safety are designed into products and services. The purpose of each function would now be to:
Regulate (steer towards) outcomes,
Ensure (make certain) outcomes are achieved, and
Assure (confirm) that outcomes were met.
GRC implemented in this fashion could better address all compliance objectives, including quality, safety, security, environmental, and regulatory objectives, by reducing overall risk and thereby increasing the certainty that the organization makes progress towards its desired "ends." That progress is the measure of effectiveness not only for GRC, but for the organization as a whole.