Nov 3, 2018
It is a fact that today's companies cannot be managed as they once were. Whatever their size, responsibility, product or market, all of them sooner or later face challenges to sustain or grow the business, alongside a growing body of regulations and standards imposed on them in order to operate or compete, and they must assume costs and benefits whose uncertainty requires analysis and evaluation.
GRC might therefore be read as a simple acronym for the three activities it names: governance, risk and compliance. It is more than that, because even at first glance these are activities that cannot be understood separately. It is also a thorny path: it involves decisions on the disposal or acquisition of resources and personnel, and continual reassessment of financing strategies and management policies in pursuit of short- and long-term goals and results, all of which require controls, adjustments to processes, and supervision and monitoring.
Directing and managing an organization is, by definition, a complex problem. It means taking responsibility for a jungle of goals: maximizing financial performance under resource constraints, within regulated operating frameworks, amid strong uncertainty about critical external factors such as customers, competitors and markets, all while honouring regulatory commitments. In short, the tasks are to govern, manage and assure the company against the course imposed by its environment and the expectations of interested parties. That is to say, it is not only governance; it must also be management and assurance.
Yet it is common to see a Board of Directors, led by its liberal members, demanding that Senior Management, in light of the numbers, take aggressive action to improve market positioning and grow sales of goods and services. Informally: demanding better performance.
Governance: ensuring that the activities of the organization, such as the management of IT operations, are aligned in a way that supports the organization's business objectives.
Risk: ensuring that any risk associated with the organization's activities is identified and addressed in a way that supports the organization's business objectives. In the IT context, this means having a comprehensive IT risk management process that feeds into the organization's business risk management function.
Compliance: ensuring that the organization's activities are carried out in compliance with the laws and regulations that affect it. In the IT context, this means making sure that the computer systems, and the data they hold, are used and secured correctly.
What is the key to a successful GRC implementation?
The decision-making, resource and portfolio management, risk management and regulatory compliance functions included in a GRC framework will not be effective unless the organization's executive leadership genuinely supports the cultural change. Before evaluating any software solution, prepare the environment first: assess the organization's risks, examine the existing controls, and build a governance, risk and compliance framework. Although GRC tends to focus on IT, implementing a strategy involves the entire organization and requires a hard look at all the people and processes that will be affected.