Governance, risk and compliance are merging, or blending, to offer global enterprises a holistic approach and expansive frameworks for tackling business problems that are closely related but may have been treated as individual silos in the past. GRC derives strength and veracity from the fact that it can be applied in a customized and targeted fashion to various business segments and perspectives, yet can also account for the interconnectedness of agendas. As more attention is paid to perfecting corporate performance measurement and risk mitigation, operational transparency and accountability are not always increasing as expected. GRC, however, promises a more integrated and standardized approach to performance management and a better means of achieving a measurable improvement in accountability. It represents the next logical step in helping companies envision and treat their governance and quality management problems. With GRC, the sum of the parts becomes more effective than an often myopic focus on the individual components, which are frequently siloed further by business unit or department. Furthermore, currently accepted methodologies are scalable both vertically and horizontally - that is to say, they will be effective for companies of all sizes and can be applied across all strategic and operational lines of business.

The most commonly accepted approaches to GRC have emanated from the Open Compliance and Ethics Group, a nonprofit organization that has reconstructed the governance, risk and compliance regimens into a unified framework that is both intuitive and effective. According to the OCEG, "Seeing the big picture helps you eliminate overlapping activities and develop a stronger, leaner risk management program." Indeed, the OCEG Measurement and Metrics Guide has become an important asset in helping organizations all over the world to better understand, report on and rectify gaps and issues with respect to each piece of the GRC whole. Taking inspiration from OCEG, software vendors (especially in the enterprise resource planning, or ERP, space) have been quick to adopt the GRC lexicon and offer products that help streamline and improve these areas. For example, some of the world's largest software vendors have achieved great success in centralizing their clients' GRC data via repositories. These repositories centralize corporate policies, regulatory mandates and performance management routines, and sometimes let external customers (who participate in a complicated supply chain) access this data, making them active participants in the GRC process. This helps reduce liabilities throughout operational lifecycles. The ability to automatically spot business process risks and home in on compliance violations across organizational units frees senior management to concentrate on pressing marketplace opportunities and spend less time reacting to endless financial, legal, compliance and governance obstacles.

A solid GRC infrastructure should offer real-time data and the ability to aggregate and pivot on different classes of GRC policies. As with any performance management paradigm, a clear roadmap of sustainable improvement must emerge from the chaos. It is important that GRC intelligence is timely, repeatable and represents the real-life picture of how a company is positioned with respect to both the regulatory environment and the global marketplace.

GRC often gains initial momentum in an enterprise due to its special diligence around risk. For many new to GRC, its most important ingredient centers on risk intelligence and how risk analytics and reporting can drive risk modeling and performance management. While governance and compliance agendas are rooted in concrete policy and audit controls, risk is an ever-changing animal that may depend on a wide variety of factors. Modeling risk is as much art as science in many cases. Having a platform that is able to address, classify and relate risk to other disciplines or silos is vital for maintaining competitive advantage and achieving operational consistency and continuity. The GRC platform will include risk modeling, risk charting, visualization, performance metrics and management capabilities that will be materialized into an executive dashboard or portal.

The recent turmoil in the world's financial markets is sure to result in new regulatory and compliance legislation and to light a fire under organizations to better account for all classifications of risk. In fact, Forrester Research predicts that the GRC platform market will expand to more than $1 billion by 2011. As vendors continue to offer more scalable and detailed GRC functionality (that maps appropriately to underlying GRC methodologies such as those from the OCEG), these platforms and systems will inevitably mature to a point where adopting organizations will be able to achieve ROI on the corresponding implementations more quickly.

More than ever, businesses need to analyze and socialize their internal- and external-facing risks and controls along every possible dimension of exposures, liabilities and perils. Unearthing and disseminating this information will continue to be a challenge for most organizations despite the increased awareness of the role risk and compliance management plays in the overall survival of a business entity.
