Three's company: Governance, risk and compliance

The promise of governance, risk and compliance technology is alluring, but getting it to work effectively is a different story, reports Alan Earls.

While governance, risk and compliance (GRC) management is nothing new, assembling these three disciplines continues to be challenging – particularly as companies look to optimize their compliance efforts to become more cost-efficient.

The growing focus on GRC as a single, unified framework grew out of the passage of the Sarbanes-Oxley Act of 2002 (SOX) and the requirement for publicly held U.S. companies to devise and implement governance controls to support the compliance mandates of SOX. Risk management, an implicit element in the SOX formulation, essentially came along for the ride, as companies recognized the possibility of addressing these topics from a holistic point of view.

But even if one is unfamiliar with GRC, the reality is that its activities are usually already occurring in one's organization, says Patrick Potter, GRC strategist at RSA Archer Business Continuity and Audit, a Hopkinton, Mass.-based information technology as a service (ITaaS) provider. Internal audit has probably been evaluating processes and controls for years, or IT security has been managing compliance with various access rules. Similarly, business continuity programs are likely reviewing impacts and risks on a regular basis. “Really, any function that assesses a risk, evaluates a control, governs according to a regulation or common framework, or evaluates performance, is addressing a GRC function,” Potter says.

However, implementing a GRC program can be overwhelming because it can touch every part of the organization, engaging different domains and cutting across many management perspectives. The good news is that the pieces do fit together and can be integrated successfully, although the degree of success varies, says Renee Murphy, a senior analyst covering GRC at Forrester.

She says enterprise-wide acceptance is becoming universal. Typically, one part of the organization will get the ball rolling, whether it is finance, security or some other domain. Once the idea of risk management gets airborne, says Murphy, “the tentacles go out to the rest of the organization and it boils up to become enterprise risk management.”

She says that while implementing GRC is important, learning to leverage it is equally critical. “Many organizations seem happy to simply know what their posture is – for example, relative to risk – but that information can be used to support better decision-making,” Murphy says.

Another obstacle to widespread acceptance is developing a taxonomy that is useful across the organization. For example, risk may be defined in different ways by HR and by the IT department. Having a shared vocabulary for discussing these definitions holistically is important to successful integration.