A governance, risk and compliance (GRC) program helps a business protect its information, keep its departments working consistently with one another, and meet all applicable regulations. New regulations can quickly become overwhelming if no person or team is responsible for ensuring that the required updates are put in place.
What is GRC?
Many people think of a platform when they hear GRC. But GRC refers to a capability that helps an organization achieve its objectives, with responsibility running across the whole organization. It is a set of processes and practices that spans departments and functions. GRC may be enabled by a dedicated platform and other tools, although these are not mandatory. Organizations generally don’t need a separate GRC department, but most have a team in place to manage the GRC platform and tools.
What is the scope of GRC?
By definition, the scope of GRC doesn’t end with governance, risk and compliance management; it also includes assurance and performance management. In practice, the scope of a GRC framework is increasingly extended to information security management, quality management, ethics and values management, and business continuity management.
What are the Elements of a GRC Framework?
- Resources—required to conduct business, including strategies, policies, standards, procedures, organizational structure, roles and responsibilities, people, processes, technology, information, physical, financial and intellectual assets, and third parties (suppliers, vendors and contract employees).
- Business attributes—the key attributes of a business include:
  - Performance, including goals, targets, outcomes, profitability and SLAs.
  - Risk, including financial risk, credit risk, market risk, strategy risk, operational risk, fraud risk, reputational risk, information security risk, technology risk and compliance risk.
  - Compliance, including regulatory compliance (SOX, PCI DSS, GDPR), legal compliance (labor laws), organizational compliance (policies and standards), security (human, physical and information security), quality, ethics and values.
- Governance, management, and operations—governance involves setting direction, optimizing risks and resources, and monitoring performance and compliance to achieve an organization’s objectives. It can be broadly classified into corporate governance, business governance, IT governance and legal governance. Management involves planning, organizing, leading, coordinating, controlling and reporting. Operations involves executing the processes and functions.
- Controls—to realize value from the business, resources must be used efficiently and effectively, and business attributes must be optimized. This is only possible when appropriate controls are implemented and executed. Controls can be classified as management controls, process controls, technical controls and physical controls, and they are applied to the resources as well as to the attributes.
- Assurance—independent assurance is required to confirm that controls are designed and operating effectively and that compliance requirements are met consistently. It is the responsibility of governance to monitor and obtain assurance, primarily through audits. Audits come in several types: internal and external audits, certification audits, financial audits, IT audits, compliance audits, process audits and security audits.
A good GRC framework is reviewed periodically, at monthly or quarterly reporting events, to provide a complete audit trail of risk identification and awareness, risk management, understanding and mitigation, and remedial plans.
It should consist of:
- Policies, procedures and terms of reference (TORs) for committees, including the board of directors
- Known control exceptions or financial crime breaches
- External audit and compliance reports (compliance monitoring plan results)
- Risk profiles and risk appetite
- Summary of existing risks
- The risk register
If you need to create, review or execute your governance, risk or compliance strategy, call us today on 020 8087 2377 or email firstname.lastname@example.org.
At LS Consultancy, we offer a complete solution with a range of cost-effective regulatory compliance services, including copy advice and copy development, that are uniquely suited to supporting firms.
Call Us Today on 020 8087 2377 or send us an email.