The question every organization should be asking: how mature is your organization’s approach to GRC?
GRC is not something you buy, it is something you do. No GRC vendor can sell you a commodity that will solve all of your GRC related problems. GRC is part of business and extends across and into its operations. To that point we need to rethink our understanding of GRC.
GRC is a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].
Mature GRC requires an understanding of the business – its strategy, organizational structure, processes, risks, obligations, commitments, and objectives. The goal of GRC is to enable the organization to govern the organization and manage risk and compliance in the context of business.
Achieving GRC maturity requires a GRC architecture that leverages an understanding of enterprise architecture. GRC architecture is a process by which the organization has a structured understanding of the organization’s business, capabilities, processes and business context, and use it as a foundation to ensure that GRC processes are executable, repeatable, cost effective and in line with risk appetite. In doing so, the organization has the means to assess the efficiency of their programs and align them with the organization’s strategy. The mature GRC program will define and understand GRC as a process to translate business vision and strategy into effective enterprise-wide GRC oversight and alignment.
Another way to understand GRC architecture is to modify the MIT definition of enterprise architecture: GRC architecture is the organizing logic for GRC capability and its relationship to business processes and IT infrastructure reflecting the integration and standardization requirements of the company’s operating model.
The growth in GRC maturity within organization is accompanied by the growth of a new role within organizations: the GRC architect. This role is responsible for performing analysis of business structure and processes to draw and establish a framework of GRC that integrates with the business to reliably achieve objectives while addressing uncertainty and acting with integrity.
Mature GRC that is effective, efficient, and agile can only be reached by establishing a GRC architecture that will monitor, control and align the organization’s strategy, process, information, and technology.