Every now and then someone asks me what GRC is and what if anything it has to do with business continuity and IT/disaster recovery. Keep reading for the answers to these and other questions about this acronym that turns up as often as the letters in a bowl of alphabet soup.
WHAT GRC STANDS FOR
GRC stands for governance, risk management, and compliance. It is an approach to managing organizations that I and many others consider a significant improvement on the traditional approach.
In the traditional approach, the three activities of governing the organization, managing risk at the organization, and ensuring the organization is compliant with the applicable laws, regulations, and standards take place in different silos.
GRC recognizes that these three areas are actually parts of the same high-level activity, that of helping the organization get where it wants to go safely and responsibly.
GRC strives to bring these areas together for greater organizational coherence and efficiency.
By doing so, GRC can help leaders gain real control of their organizations.
GRC DEFINED
GRC is formally defined by the think tank that developed the concept (OCEG) as “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.”
Think of the organization as a car driving down the highway. GRC takes in the functions related to making sure the car goes where it’s supposed to, stays in its lane, avoids road hazards, and obeys the traffic laws.
GRC takes in the mature, prudent, grown-up aspects of managing an organization.
If you were to compare the organization to a family, anything that seems like something a responsible parent would take care of is probably part of GRC.
In addition to corporate governance, risk management, and compliance, GRC is commonly seen as including the legal, audit, finance, and HR departments, as well as business continuity and IT/disaster recovery.
THE BENEFITS OF GRC
There are many benefits for an organization in adopting GRC. Two of the main ones are:
- It allows for better information-sharing among the three functions of governance, risk management, and compliance, leading to enhanced business intelligence and better decision making in all three areas.
- It reduces duplication of effort among the three functions, resulting in savings both for those areas and for the business units they oversee, which no longer have to answer the same questions from three separate groups.
Let’s take a closer look at the three components that make up GRC.
GOVERNANCE
Governance is the system of rules, practices, and processes by which the organization is controlled. These are established and executed by the board of directors and senior executives and are reflected in the organization’s structure.
RISK MANAGEMENT
Risk management, when practiced consistently across the whole organization rather than department by department, is known as enterprise risk management (ERM). It is the activity of identifying and mitigating the internal and external risks that face your business.
A sound ERM program has the following seven components:
- Risk inventory. Identifying the 5 to 10 main risks the company faces.
- Risk committee. Establishing and staffing a cross-functional team to analyze all risks across departments and externally.
- ERM team. Identifying a head of enterprise risk or chief risk officer and identifying the roles needed to support this person.
- Common risk language. Identifying the terms that will be used to define the various aspects of the risk management program and taking steps to ensure they are used consistently.
- Risk appetite. Quantifying the exposure the organization faces from each inventory item and determining how much of that risk the leadership is prepared to live with.
- Action plans. Deciding what steps the organization will take to mitigate each risk, how much it will invest in the way of resources, and who is responsible.
- Reporting. Identifying which metrics will be used to assess enterprise risk and deciding how they will be tracked.
There are four strategies to manage risk:
- Avoid the risk. Eliminate activities that bring on the risk.
- Reduce the risk. Take steps to reduce the likelihood of a negative event occurring, the impact if it does occur, or both.
- Share the risk. Take out insurance or contract with a third party to help cover the risk (this is also called transferring the risk).
- Accept the risk. Simply live with the risk, acknowledging that if the threat occurs the organization will have to bear the consequences.
COMPLIANCE
Compliance is about conforming with the laws, regulations, and standards that apply to the organization.
A VALUABLE AIM
GRC recognizes that governance, risk management, and compliance are all part of the same, high-level activity of getting the organization to the desired destination efficiently, safely, and responsibly.
BCMMETRICS’ suite of business continuity software tools—BIA OnDemand, Planner, BCM One, Compliance Confidence, and Residual Risk—can help your organization in achieving this valuable aim.
FURTHER READING
For more information on GRC and other hot topics in BC and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting:
- Go Like a Rocket: 3 Tools to Help You Manage Enterprise Risk
- Rethinking Risk: A Better Way to Think About Risk in Business Continuity Management
- The 5 Most Important Risk Mitigation Controls
- Ditch the Data Silos: Improve Your Resiliency with Integrated Information
- How to Manage Management: 8 Tips to Help You Bring Your Bosses on Board
- Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask
- What to Look for in Business Continuity Compliance and Risk Software