Governance, Risk Management and Compliance – GRC: 3-Legged Stool
By Aaron Freeze
Before I began writing this blog post, I had a pretty good idea of what governance, risk management and compliance—GRC—was and what it meant to businesses, regardless of the industry. I thought I knew which pieces of GRC were important, and which ones were just “nice to have,” as opposed to being vital.
I now look at them in a new light and with a new approach.
I have always had a fondness for risk management; in my career, there have been many times where I have argued against something because it was too risky, at least in my eyes. Governance and compliance always seemed to be burdens to me, and to be completely honest, I was fairly prejudiced against them. With compliance, I could see the benefit from a societal level, but at a certain point I viewed it as checking off proverbial boxes. Through the course of research, however, I began to see GRC as a three-legged stool: all three components were equally important, and I began to expand my view of GRC as a whole.
Risk management, in my eyes, is where it all begins, the heart of GRC both literally and figuratively. People make these judgement calls every day, decisions about risk, from simple things like whether the coffee they're drinking is going to be too hot to more dangerous things like pulling onto the highway; risk is always around us. From a corporate perspective, then, how can risk be managed in a way that still allows the work to get done? Given the innate risk in life, can it be managed effectively? The first step in answering that question is to accept that there will always be unknowns in risk management. Once that is accepted, it becomes easier to narrow the scope of the risks that will be taken into account and tracked, and to keep that scope specific to the business goals or objectives. Once the scope is set, there needs to be a way to implement the rules and to track progress on the items within that scope.
This brings us to the second leg of the stool, governance: "the overall management approach through which senior executives direct and control the entire organization." While this can seem daunting at first glance, it is simply a collection of tools that managers and executives use to track and close the gaps brought to light by risk management. Information needs to be propagated throughout the business, and the gaps that are noted need to be filled as well as possible; this is the realm of governance, without which there would be no finale to the beginning that risk management creates.
The last leg of GRC is, of course, compliance, and this is the face that is shown both to the other two legs and to the governing bodies that oversee the business. Compliance comes into play at a few different levels: the organizational, the governmental and the personal. In short, compliance is meeting stated requirements at all of these levels. Where risk management finds the gaps and the solutions to those gaps, compliance helps determine when those solutions are complete, and governance communicates that information throughout the business and to the other compliance stakeholders.
All three legs of GRC are important to the effectiveness of the program as a whole. Any of the three may be the starting point for moving in a positive direction, but all of them must be implemented for any one of them to succeed.