Skip to content
Tiatra, LLCTiatra, LLC
Tiatra, LLC
Information Technology Solutions for Washington, DC Government Agencies
  • Home
  • About Us
  • Services
    • IT Engineering and Support
    • Software Development
    • Information Assurance and Testing
    • Project and Program Management
  • Clients & Partners
  • Careers
  • News
  • Contact
 
  • Home
  • About Us
  • Services
    • IT Engineering and Support
    • Software Development
    • Information Assurance and Testing
    • Project and Program Management
  • Clients & Partners
  • Careers
  • News
  • Contact

What is GRC? The rising importance of governance, risk, and compliance

The need to manage risk, adhere to regulations, and establish processes to govern those tasks has been part of running an organization as long as there have been businesses to run.

But those tasks have become increasingly critical to organizational success in the modern era, as the number of laws, the complexity of doing business, the types of risks, and the use of technology have exploded in recent decades.

Today even small-scale operations can have a global footprint, forcing them to contend with international laws and a slew of threats that could cripple or shutter their businesses if they’re not adequately managed.

As a result, managing risks and ensuring compliance to rules and regulations along with the governing mechanisms that guide and guard the organization on its mission have morphed from siloed duties to a collective discipline called GRC.

What is GRC?

Governance, risk, and compliance (GRC) is an operational strategy for managing an organization’s overall governance, enterprise risk management, and regulation compliance efforts. This disciplined approach enables an organization to align its governance, risk, and compliance endeavors to its strategic goals, business objectives, and the technology that enables its operations.

“GRC is overarching. It sets the tone and the strategy; it defines the policies and the procedures and what the expectations are,” explains Lisa McKee, director of governance, risk, compliance, and privacy at American Security and Privacy, as well as a member of the Emerging Trends Working Group with the governance association ISACA.

McKee compares GRC to roadways and driving laws, which establish lanes, boundaries, and limits as well as freeways so that drivers (like organizations) can get where they want to go as fast as they can while also minimizing the potential for mishaps by following established regulations and road signs.

Why is GRC important?

A well-planned GRC strategy produces significant benefits, including improved decision-making, more optimal IT investments, elimination of silos, and reduced fragmentation among divisions and departments.

Due to its increasing importance, GRC has become a high-level function within many organizations, with responsibilities and accountability for GRC assigned to C-level executives. Best practices, framework and technology have been developed to support this work.

“GRC is important in the modern business landscape for multiple reasons. With the increase of data privacy and protection laws, globalization, and interconnectedness, the regulatory environment has become more complex,” says Chris Stanley, content developer for the CGRC exam at training and certification organization ISC2. “This level of complexity requires a robust GRC framework to assist an organization with avoiding reputational damage and legal penalties.”

Stanley also notes that “technology advances, like AI, IoT and cloud computing, have also introduced compliance challenges and new cybersecurity threats.”

He adds: “Stakeholders trust organizations to protect privacy and data, and those stakeholders are increasingly holding organizations, including individuals at an organization, accountable. A strong GRC framework supports corporate responsibility and in turn increases investor confidence and financial stability.”

Even so, many organizations are still building up their GRC capabilities.

A 2023 survey of more than 1,300 respondents from around the globe who either influence or manage their organization’s risk and compliance programs found that only 53% rated their programs as mature. Furthermore, the State of Risk & Compliance Report, from GRC software maker NAVEX, found that 20% described their programs as early stage.

Breaking down what GRC stands for

Each element within GRC has its own objectives and processes, as outlined below.

Governance: The governance aspect of GRC aims to ensure that organizational activities, such as managing IT operations, align in ways that support the organization’s business goals while also adhering to the organization’s established risk parameters and compliance needs.

“Governance is who does what, how, and based on what data,” says Tilcia Toledo, senior managing director with FTI Consulting. “Governance is about who is in the room, what are they allowed to do or not do, what’s the data they rely on, and what’s the cadence of their actions.”

Toledo says governance applies to multiple levels within the organization, ensuring that the board, management, and workers understand the rules, follow the rules, and face consequences when they don’t.

Risk: The risk management component of GRC ensures that any risk associated with organizational activities is identified and addressed in a way that supports the organization’s business goals. In the IT context, this means having a comprehensive IT risk management process that rolls into an organization’s enterprise risk management function.

Risk speaks to the organization’s risk appetite, which establishes the risks that it is comfortable taking and those it does not, and then managing the residual risk — that is, the risks that remain even after controls for unacceptable risks have been implemented.

“Risk is about where the organization wants to play and where it does not want to play. It is about those boundaries it does not want to cross at this time,” Toledo adds, noting that enterprise risk is constantly evolving.

Compliance: The compliance function within GRC is aboutmaking sure that organizational activities happen in a way that meets the laws and regulations relating to those activities. For example, this means making sure that IT systems and the data contained in those systems are used and secured properly.

Compliance encompasses the laws and regulations that the organization must follow as it executes its strategy, Toledo explains. “In other words, what are the laws and the regulatory environment in which the business operates.”

Although governance, risk, and compliance each focus on specific requirements, Toledo says they overlap and work together. For example, the risk function relies on governance practices to mitigate risk by implementing controls and by alerting supervisors if actions go outside the organization’s risk boundaries.

The strategic nature of GRC in the digital era

Governance, risk and compliance have been longstanding elements for organizational success, but enterprise executives and GRC experts say GRC has become more of a top priority for organizations due to the increasing complexity of doing business in a digital era where being globally connected is standard, not the exception.

Modern threats such as cyberattacks and data breaches have heightened the need for a strong GRC strategy within all organizations, and the growing volume of laws and regulations around protecting and securing data also puts pressure on organizations to have a mature GRC function. So, too, do the consequences of falling short in any of the three areas, as organizations that suffer a successful cyberattack or fail to protect the data it holds can be significant if not catastrophic.

“I view GRC as something that is strategic because when it is functioning properly, it protects the organization. It helps preserve it and retain things like a strong reputation,” Toledo says.

How GRC works in the enterprise

Like other parts of enterprise operations, GRC comprises a mix of people, process, and technology.

To implement an effective GRC program, enterprise leaders must first understand their business, its mission, and its objectives, according to Ameet Jugnauth, the ISACA London Chapter board vice president and a member of the ISACA Emerging Trends Working Group.

Executives then must identify the legal and regulatory requirements the organization must meet and establish the organization’s risk profile based on the environment in which it operates, he says.

“Understand the business, your business environment (internal and external), your risk appetite, and what the government wants you to achieve. That all sets your GRC,” he adds.

The roles that lead these activities vary from one organization to the next. Midsize to large organizations typically have C-level executives — namely a chief governance officer, chief risk officer, and chief compliance officer — to oversee these tasks, McKee says. These executive lead risk or compliance departments with dedicated teams.

Smaller companies typically task GRC responsibilities to either directors or managers —a compliance manager or director or risk management — or they may assign GRC responsibilities to other executives.

GRC roles and responsibilities

According to Stanley, GRC often cascades down from the top tiers of leadership, with roles and responsibilities breaking down as follows:

  • Board of directors: provides oversight and approval of policies and strategic decisions
  • CEO: provides leadership and ensures GRC efforts are adequately resourced
  • Chief risk officer: provides leadership for risk management efforts, such as the assessment and reporting of risks to the board and executive management
  • Chief compliance officer: provides compliance oversight and training and communication regarding compliance
  • CIO/CTO: provides risk management for technology and digital assets, as well as and compliance and security for all IT
  • CFO: provides compliance and reporting on financial regulations and risk management of an organization’s financials
  • Legal: provides compliance to all legal requirements while managing legal risks
  • HR: implements HR-related GRC policies, such as an authorized use policy and employee behavior policies
  • IT: provides data protection and security with policies and controls
  • Department heads: implement GRC processes and controls within their respective departments and identify and manage risks specific to their department
  • Internal audit: provides independent evaluation and recommendations for improvement
  • Employees: adhere to policy and report any risk or compliance issues they observe

“There are also cross-functional GRC teams stood up for specific GRC initiatives, combining expertise from various departments,” Stanley adds.

Even so, GRC responsibility and accountability is shared, and they often roll up to the highest levels of the organization, with CEOs ultimately responsible and accountable, experts say.

GRC certifications

Although GRC professionals have various academic and professional backgrounds, many have earned certifications focused on risk, compliance, and/or governance, including the following.

  • ISACA Certified Information Security Manager (CISM)
  • ISACA Certified in Risk and Information Systems Control (CRISC)
  • ISACA Certified Information Systems Auditor (CISA)
  • ISC2 Certified in Governance, Risk and Compliance (CGRC)
  • OCEG GRC Professional (GRCP)
  • OCEG GRC Auditor (GRCA)

Other options include the Institute of Internal Auditors’ Certified Internal Auditor (CIA) certification, with a focus on compliance, and the Certification in Risk Management Assurance (CRMA), with a focus on risk.

GRC frameworks

GRC leaders typically use a framework to organize and execute GRC duties. GRC frameworks, like all frameworks, specify clearly defined measurables that shine a light on the effectiveness of an organization’s GRC efforts, providing building blocks that organizations can (and should) tailor to their environment.

Frameworks include:

  • ISACA’s COBIT for IT governance
  • ISACA’s IT Risk Framework
  • COSO for internal controls
  • Various NIST frameworks and standards

GRC software

GRC software also supports enterprise GRC programs by enabling organizations to create and coordinate policies and controls, as well as to map them to regulatory and internal compliance requirements.

These software options, typically offered as subscription-based SaaS, also automate many processes, which increases efficiency and reduces complexity.

GRC culture

Although frameworks help organizations establish solid GRC programs and GRC software help enable them, the decision-making, resource and portfolio management, risk management, and regulatory compliance functions included in such frameworks will not be effective unless the organization’s executive leadership also supports cultural change.

More on IT governance:

  • What is IT governance? A formal way to align IT & business strategy
  • The keys to effective IT governance in the digital era
  • 7 IT governance myths
  • Top 10 GRC mistakes — and how to avoid them
  • The top 6 governance, risk and compliance (GRC) certifications
  • What is CMMI? A model for optimizing development processes

Compliance, IT Governance, IT Leadership
Read More from This Article: What is GRC? The rising importance of governance, risk, and compliance
Source: News

Category: NewsDecember 28, 2023
Tags: art

Post navigation

PreviousPrevious post:8 pressing needs for CIOs in 2024NextNext post:8 grandi fallimenti IT del 2023

Related posts

휴먼컨설팅그룹, HR 솔루션 ‘휴넬’ 업그레이드 발표
May 9, 2025
Epicor expands AI offerings, launches new green initiative
May 9, 2025
MS도 합류··· 구글의 A2A 프로토콜, AI 에이전트 분야의 공용어 될까?
May 9, 2025
오픈AI, 아시아 4국에 데이터 레지던시 도입··· 한국 기업 데이터는 한국 서버에 저장
May 9, 2025
SAS supercharges Viya platform with AI agents, copilots, and synthetic data tools
May 8, 2025
IBM aims to set industry standard for enterprise AI with ITBench SaaS launch
May 8, 2025
Recent Posts
  • 휴먼컨설팅그룹, HR 솔루션 ‘휴넬’ 업그레이드 발표
  • Epicor expands AI offerings, launches new green initiative
  • MS도 합류··· 구글의 A2A 프로토콜, AI 에이전트 분야의 공용어 될까?
  • 오픈AI, 아시아 4국에 데이터 레지던시 도입··· 한국 기업 데이터는 한국 서버에 저장
  • SAS supercharges Viya platform with AI agents, copilots, and synthetic data tools
Recent Comments
    Archives
    • May 2025
    • April 2025
    • March 2025
    • February 2025
    • January 2025
    • December 2024
    • November 2024
    • October 2024
    • September 2024
    • August 2024
    • July 2024
    • June 2024
    • May 2024
    • April 2024
    • March 2024
    • February 2024
    • January 2024
    • December 2023
    • November 2023
    • October 2023
    • September 2023
    • August 2023
    • July 2023
    • June 2023
    • May 2023
    • April 2023
    • March 2023
    • February 2023
    • January 2023
    • December 2022
    • November 2022
    • October 2022
    • September 2022
    • August 2022
    • July 2022
    • June 2022
    • May 2022
    • April 2022
    • March 2022
    • February 2022
    • January 2022
    • December 2021
    • November 2021
    • October 2021
    • September 2021
    • August 2021
    • July 2021
    • June 2021
    • May 2021
    • April 2021
    • March 2021
    • February 2021
    • January 2021
    • December 2020
    • November 2020
    • October 2020
    • September 2020
    • August 2020
    • July 2020
    • June 2020
    • May 2020
    • April 2020
    • January 2020
    • December 2019
    • November 2019
    • October 2019
    • September 2019
    • August 2019
    • July 2019
    • June 2019
    • May 2019
    • April 2019
    • March 2019
    • February 2019
    • January 2019
    • December 2018
    • November 2018
    • October 2018
    • September 2018
    • August 2018
    • July 2018
    • June 2018
    • May 2018
    • April 2018
    • March 2018
    • February 2018
    • January 2018
    • December 2017
    • November 2017
    • October 2017
    • September 2017
    • August 2017
    • July 2017
    • June 2017
    • May 2017
    • April 2017
    • March 2017
    • February 2017
    • January 2017
    Categories
    • News
    Meta
    • Log in
    • Entries feed
    • Comments feed
    • WordPress.org
    Tiatra LLC.

    Tiatra, LLC, based in the Washington, DC metropolitan area, proudly serves federal government agencies, organizations that work with the government and other commercial businesses and organizations. Tiatra specializes in a broad range of information technology (IT) development and management services incorporating solid engineering, attention to client needs, and meeting or exceeding any security parameters required. Our small yet innovative company is structured with a full complement of the necessary technical experts, working with hands-on management, to provide a high level of service and competitive pricing for your systems and engineering requirements.

    Find us on:

    FacebookTwitterLinkedin

    Submitclear

    Tiatra, LLC
    Copyright 2016. All rights reserved.