Governance, risk and compliance (GRC) refers to a strategy for managing an organization's overall governance, enterprise risk management and compliance with regulations. Think of GRC as a structured approach to aligning IT with business objectives, while effectively managing risk and meeting compliance requirements.
A well-planned GRC strategy comes with lots of benefits: improved decision-making, more optimal IT investments, elimination of silos, and reduced fragmentation among divisions and departments, to name a few.
Here are answers to some common questions related to GRC.
Is it "governance, risk and compliance" or "governance, risk and control"?
According to Joanna Grama, director of cybersecurity and IT GRC programs for EDUCAUSE, the "C" in GRC refers to compliance, but she appreciates why some people equate compliance with control. In the IT environment, GRC has three main components:
Governance: Ensuring that organizational activities, like managing IT operations, are aligned in a way that supports the organization's business goals.
Risk: Making sure that any risk (or opportunity) associated with organizational activities is identified and addressed in a way that supports the organization's business goals. In the IT context, this means having a comprehensive IT risk management process that rolls into an organization's enterprise risk management function.
Compliance: Making sure that organizational activities are operated in a way that meets the laws and regulations impacting those systems. In the IT context, this means making sure that IT systems, and the data contained in those systems, are used and secured properly.
Meeting compliance involves IT controls, as well as auditing those controls to ensure they're working as intended. Organizations also use controls to manage identified risks. In fact, the term "GRC" came about in the early 2000s after many highly publicized corporate financial disasters, which resulted in enterprises scrambling to improve their internal control and governance processes (Gartner, 2016).
How does GRC work?
Grama says that organizations develop a GRC framework for the leadership, organization and operation of the organization's IT areas to ensure that they support and enable the organization's strategic objectives. The framework specifies clearly defined measurable that shine a light on the effectiveness of an organization's GRC efforts.
Although there are many good software options available to help streamline GRC operations, GRC is more than a set of software tools.
Many organizations consult a framework for guidance in developing and refining their GRC functions rather than creating one from scratch. Frameworks and standards provide building blocks that organizations can tailor to their environment. According to Grama, COBIT, COSO and ITIL are the big players in many different industries.
What is key to a successful GRC implementation?
The decision-making, resource and portfolio management, risk management, and regulatory compliance functions included in a GRC framework will not be effective unless the organization's executive leadership really supports cultural change.
"Implementing a framework will never be successful unless the organization's culture evolves to support GRC activities," says Grama.
Who employs GRC?
GRC can be implemented by any organization – public or private, large or small – that wants to align its IT activities to its business goals, manage risk effectively and stay on top of compliance.
"We are seeing a big push in higher education to implement GRC frameworks," says Grama, "not necessarily to meet a revenue goal, but to ensure that institutional missions of teaching, research, outreach and student success are met efficiently and effectively."
What are the top GRC certifications?
Professionals with a GRC certification must juggle stakeholder expectations with business objectives and ensure that organizational objectives are met while also meeting compliance requirements. That's an incredible amount of responsibility, and it's absolutely necessary in today's business climate.
All kinds of job roles require or benefit from a GRC certification, including CIO, IT security analyst, security engineer or architect, information assurance program manager and senior IT auditor, among others.
Here are our top picks for GRC certifications:
Certified in Risk and Information Systems Control (CRISC)
Certified in the Governance of Enterprise IT (CGEIT)
Project Management Institute - Risk Management Professional (PMI-RMP)
Certification in Risk Management Assurance (CRMA)
GRC Professional (GRCP)
What is a GRC tool/solution and what does it do?
An IT GRC solution enables you to create and coordinate policies and controls and map them to regulatory and internal compliance requirements. These solutions, which are usually cloud-based, introduce automation for many processes, which increases efficiency and reduces complexity.
There are many GRC solutions on the market. ServiceNow GRC, Metricstream, IBM OpenPages GRC Platform, MetricStream and Galvanize Enterprise GRC are a few examples of highly rated solutions. But they come with hefty price tags, too. More affordably priced (and even free) solutions are available, but they may lack the broad feature sets of higher-priced competitors.
Before looking into any software solution, you need to prepare your environment first. That means assessing your organization's risk and examining controls.
Do you have adequate controls in place?
Are existing controls working?
Add controls where needed and fix those that aren't delivering as intended.
You also need to create a GRC framework. Although GRC tends to focus heavily on IT, implementing a strategy involves an entire organization, and requires a hard look at all of the people and processes that will be affected.