GRC as a discipline was initially adopted to deal with information system and information technology management, and it has evolved alongside software solutions. It was also promoted by the significant reporting requirements of regimes such as Sarbanes-Oxley in the United States. It has since evolved to draw Enterprise Risk Management (ERM) under its umbrella (Andronache et al., 2021).

Figure 1 - GRC Structure (Adapted from Broady & Roland, 2011)
Governance
Governance is defined by the IIA in the 'Global Internal Audit Standards' as:
The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
There are many other definitions of governance that are largely consistent with this.
According to the introduction to ISO 37000:2021:
"Good governance of organizations lays the foundation for the fulfilment of the purpose of the organization in an ethical, effective and responsible manner in line with stakeholder expectations… [It] means that decision-making within the organization is based on the organization's ethos, culture, norms, practices, behaviours, structures and processes."
When an organisation is considering the strategies necessary to fulfil its purpose, it is also wise to consider the associated risks. In the GRC context, the term "Governance" should be interpreted as meaning the "governance of risk".
Risk Management
COSO defines enterprise risk management (ERM) as
"the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value" (Committee of Sponsoring Organizations of the Treadway Commission, 2017).
Risk management is defined by ISO 31000:2018 as
“coordinated activities to direct and control an organization with regard to risk”.
ISO 31000, like COSO ERM, states that the purpose of risk management is to create and protect organisational value.
The term "Risk" should be read in its broadest sense, meaning all the risks faced by the business: financial, operational, environmental, social, regulatory and other risks.
Organisations build procedures and design processes to achieve their objectives. These procedures formalise and promulgate the internal controls selected by the organisation. Internal controls are intended to promote the achievement of objectives (Committee of Sponsoring Organizations of the Treadway Commission, 2013). These objectives include fulfilling regulatory requirements, safeguarding assets and sustaining successful routine operations. COSO also refers to the broad objectives of the control framework: effectiveness and efficiency of operations; internal and external reporting (both financial and non-financial); and adherence to laws and regulations.
Compliance
Many procedures have been designed to meet corporate obligations.
ISO 37301:2021 Compliance management systems — Requirements with guidance for use describes compliance obligations as being of two kinds: those externally imposed and those voluntarily adopted. Compliance has been defined in the standard as:
"Meeting all the organization's compliance obligations".
Formal systems to manage compliance and compliance obligations can be set up. These are generally focused on assessing whether formal procedures are appropriate to the obligations and are actually followed. Certifiable management system standards such as ISO 9001 (quality management), ISO 14001 (environment) and ISO 45001 (safety) are examples of such processes.
Implementing GRC
It is important to harmonise language across the organisation. There are multiple sets of terminology in each of the several disciplines within governance, risk management and compliance, and many difficulties arise simply from misunderstandings caused by differing uses of language.
Organisations should develop a coordinated approach across the disciplines, selecting the language and approaches that best suit the organisation. It is not useful to adopt standard or packaged approaches without tailoring them to local circumstances.
IIA-Australia has developed a range of toolkits to address common issues and provides discussions of terminology to address the fog of terms.
Implementing an integrated approach to GRC helps organisations to make better decisions by allowing responsible stakeholders to set policies and procedures for the management of risk and compliance from a shared perspective.