Governance, Risk Management, and Compliance
From Wikipedia, the free encyclopedia
Governance, Risk, and Compliance, or "GRC", is an increasingly recognized term that reflects a new way in which organizations can adopt an integrated approach to these three areas. However, the term is often positioned as a single business activity when in fact it covers multiple overlapping and related activities within an organization, e.g. internal audit, compliance programs such as SOX, enterprise risk management (ERM), operational risk, and incident management.
Governance is the responsibility of senior executive management and focuses on creating organizational transparency by defining the mechanisms an organization uses to ensure that its constituents follow established processes and policies. A proper governance strategy implements systems to monitor and record current business activity, takes steps to ensure compliance with agreed policies, and provides for corrective action in cases where the rules have been ignored or misconstrued.
Risk management is the process by which an organization sets its risk appetite, identifies potential risks, and prioritizes its tolerance for risk based on the organization's business objectives. Risk management leverages internal controls to manage and mitigate risk throughout the organization.
Compliance is the process that records and monitors the policies, procedures and controls needed to enable compliance with legislative or industry mandates as well as internal policies.
Governance, Risk, and Compliance are highly related but distinct activities that solve different problems for different sets of constituents within an organization.
A specific definition of GRC can be challenging. According to Michael Rasmussen, an industry GRC analyst, the challenge in defining GRC is that individually each term has "many different meanings within organizations. There is corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, Sarbanes-Oxley (SOX) compliance, employment/labor compliance, privacy compliance . . . you get the picture."[document no longer available]
Initial interest in GRC systems was driven by the Sarbanes-Oxley Act, but GRC system requirements have changed and now are seen as a means to achieve Enterprise Risk Management. Specifically, this represents a movement from managing risk as a transaction or compliance activity to adding business value by improving operational decision making and strategic planning.
Industry groups have recently formed to focus on the GRC area. One leading such group is the OCEG (Open Compliance and Ethics Group), a non-profit organization that provides a performance framework for integrating governance, compliance, risk management and culture, and is one of the leading voices for GRC. OCEG has developed a Measurement and Metrics Guide (MMG) to assist in measuring and reporting on the performance of compliance and ethics programs. This measurement platform advocates that program objectives be aligned with, and contribute to, the enterprise objectives in a tangible way. To achieve the desired program outcomes, an organization should design processes and practices that effectively measure the program on three key dimensions: effectiveness, efficiency and responsiveness.[1]
GRC Market Segmentation
A GRC Program can be instituted to focus on any individual area within the enterprise. However, the two most common areas would be Financial GRC and IT GRC. Financial GRC relates to the activities that are intended to ensure the correct operation of all financial processes, as well as compliance with any finance-related mandates. IT GRC relates to the activities intended to ensure that the IT (Information Technology) organization supports the current and future needs of the business, and complies with all IT-related mandates.
Analysts disagree on how these aspects of GRC are defined as market categories. Gartner has stated that the broad GRC market includes the following areas:
- Finance and Audit GRC
- IT GRC Management
- Enterprise Risk Management
They further divide the IT GRC Management market into these key capabilities. Although this list relates to IT GRC, a similar list of capabilities would be suitable for other areas of GRC.
- Controls and policy library
- Policy distribution and response
- IT Controls self-assessment and measurement
- IT Asset repository
- Automated general computer control (GCC) collection
- Remediation and exception management
- Reporting
- Advanced IT risk evaluation and compliance dashboards
The Burton Group offers a similar market taxonomy, which includes the following segments:[2]
- Financial GRC
- Operational risk management
- General compliance and audit management
- IT GRC
- Enterprise risk management
GRC Product Vendors
The distinctions between the sub-segments of the broad GRC market are often not clear, and with a large number of vendors entering this market recently, determining the best product for a given business problem can be challenging. Given that analysts do not fully agree on the market segmentation, vendor positioning can add to the confusion.
A large number of companies offer a "GRC Platform" for managing and tracking GRC activities across an enterprise. These include large enterprise software vendors such as CA, IBM, and Oracle, as well as a variety of smaller companies targeting the GRC Platform market, including BWise, AXENTIS, MetricStream, OpenPages, Paisley, QUMAS, and several others.
The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q4 2007 was released on December 21, 2007; in it, Forrester evaluated 15 leading enterprise governance, risk, and compliance (GRC) platform vendors across approximately 100 criteria. BWise, AXENTIS, MetricStream, OpenPages, Paisley, and QUMAS rounded out the Leaders category.[3]
However, due to the dynamic nature of this market, any vendor analysis is often out of date relatively soon after its publication.
References
- ^ Scott L. Mitchell, "GRC 360 Degrees: Driving Principled Performance: More than Three Letters", OCEG blog, Aug. 24, 2007.
- ^ Trent Henry, "Products for Managing Governance, Risk, And Compliance: Market Fluff or Relevant Stuff", March 8, 2008.
- ^ Chris McClean and Michael Rasmussen, with Alissa Dill and Jonathan Penn, "The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q4 2007", Forrester, Dec. 21, 2007.