We will launch an article series on this blog examining the various facets of IT security, risk management practices and their governance, and how they are currently applied within various organisations. During this examination, we hope that the esteemed reader will recognise cases, pitfalls, and successes from their own areas of influence and take some value from this content to apply to their future endeavours in this area.
However, let’s first start with an explanation of what GRC exactly is and attempt a general definition to frame the later discussion. According to Gartner's Paul Proctor:
Governance: A set of processes which define and maintain policies and assign decision rights, as well as communicating them throughout the organisation.
Risk management: A set of processes which ensure that core business processes and activities are kept within an acceptable range; otherwise there will be undesired uncertainty for key business objectives.
Compliance: A set of processes to achieve adherence to policies and decisions by defining corresponding controls. Policies can be derived from internal directives, procedures, and requirements, or from external laws, regulations, standards, and contracts.
GRC: A program that combines the above elements for assessing, monitoring, and reporting on risks and controls in support of decision making, business performance, and adherence to regulations, policies, and other mandates and agreements.
It is worth noting here that in recent years the term GRC has also been used for various other topic areas that do not quite fit this basic definition. For example, a number of software vendors have jumped onto the marketing bandwagon and added “GRC” to their products in order to capitalise on management awareness of these topics. This has created the impression that GRC stands for everything and nothing at the same time and has become essentially meaningless. This blog aims to rectify this situation and bring sensible context and approaches back to the GRC arena.
- GRC has been plagued by inconsistent interpretation of its terminology and meaning.
- Software vendors and service providers have tried to capitalise on this confusion by tagging their products and services as GRC.
- At its core, GRC is a collection of interlocking processes to agree on policies aligned with an organisation's external environment and risk situation, to measure adherence to those policies, and to translate the as-is risk state into actionable business risk outcomes.