GRC and ERM
GRC, ERM, ARGH... Buzzword bingo. But what does it all mean? And should I care?
Governance, risk, and compliance (GRC) is a broad term that refers to the processes and systems an organization puts in place to ensure that it operates in a compliant and ethical manner.
GRC includes risk (the effect of uncertainty on objectives) at all levels, including enterprise and operational. GRC also includes governance (the action or manner of governing) and compliance (the action or fact of complying with a wish or command). Risk is often seen as supporting the governance and compliance functions within an organization.
That is still pretty much a useless description, so let's dig in a bit deeper:
Governance encompasses the system by which an organisation is controlled and operates, and the mechanisms by which it, and its people, are held to account. Ethics, risk management, compliance and administration are all elements of governance.
Risk, according to most dictionaries, is something like "a situation involving exposure to danger". According to the ISO 31000:2018 Risk Management Standard, however, risk is "the effect of uncertainty on objectives."
Compliance, in a more useful definition than the one given above, is the act of complying with a command, desire, wish, order, or rule. It can also mean adhering to requirements, standards, or regulations.
Wrapping that up into a single definition, we end up with the following.
GRC (Governance, Risk, and Compliance) is a strategic framework for managing an organization's systems of accountability and control (governance), the effect of uncertainty on objectives (risk), and adherence to legal and regulatory requirements (compliance).
On the other hand, enterprise risk management (ERM) is a strategic approach to managing risk at the organizational level. It involves identifying and evaluating risks that could impact an organization's ability to achieve its goals and objectives and implementing measures to mitigate or manage those risks.
ERM is a helicopter view or aggregation of operational and tactical risks, and governance and compliance are seen as supporting elements in sound risk management. However, if not done well, governance and compliance can also be sources of risk.
Effective GRC and ERM practices are essential for any organization, as they help to ensure that risks are identified and managed effectively, allowing the organization to operate in a compliant and ethical manner.
By implementing robust GRC and ERM processes and systems, organizations can protect themselves against potential risks and enhance their reputation and credibility.
The precise methods for achieving this are diverse and multifaceted, but one common approach includes establishing clear policies, conducting regular risk assessments, maintaining transparent reporting, and fostering a culture of compliance and ethical behavior.
Culture is also critical to GRC. An organization's culture directly impacts the way governance, risk, and compliance are approached and handled. A strong, ethical culture encourages compliance, promotes risk management, and enhances governance. It helps establish a standard for behavior and decision-making that can influence all aspects of an organization, from the top leadership down to every employee.
Training also plays a pivotal role in developing and reinforcing a high-performing culture. Effective training programs can help embed a culture of compliance, risk awareness, and good governance by educating employees about their responsibilities, the consequences of non-compliance, the nature of potential risks, and the importance of ethical conduct. However, while training is a quick and efficient route, it is not the only one.
A high-performing culture is also built and sustained through clear communication, consistent enforcement of policies, recognition of good behaviors, and leading by example, especially from the top management. Moreover, the culture needs to be continuously nurtured and evolved as the organization grows and the external business environment changes.
The key takeaway:
A multi-faceted approach, with clear policies as a foundation and well-conceived training built on top of them, is typically the most effective way to embed a high-performing GRC culture within an organization.