GRC (Governance, Risk & Compliance) is a widely known concept. However, new acronyms such as DRM (Digital Risk Management) and IRM (Integrated Risk Management) are being introduced. The IRM concept was introduced in 2017 by Gartner to meet the increasingly complex needs related to digitalization, cyber security, and risk management affecting most businesses across their operational domains. Gartner brings a slightly new concept to the market, reiterating the inherent positive aspects of GRC under a new name and focusing more on the operational approach of GRC. Forrester states in its GRC vision 2017-2022 that “GRC efforts have evolved slowly over the past 15 years. However, in the next five years, unprecedented changes in business and technology will demand much more sophisticated, strategic, and proactive GRC capabilities”. Why did Gartner see a need for redefining GRC?
There could be several explanations for why so many companies perceive GRC as a negative initiative.
One observation is that although GRC is a paramount discipline in running a successful business, few and
compliance management, and governance. The capabilities required for enabling a sustainable, efficient, and effective GRC program aligned with strategy and performance are simply not present in such tools, which will eventually lead to a lack of value and broken promises. This leaves GRC with a negative reputation among top management.
A second observation is the consumer focus on companies’ shortcomings in good governance. This is driving a new trend referred to as “business integrity”. Regulators have been falling short in this domain, and thus it has not been broadly included in an immature business’ GRC program. Executives find that they are failing in this regard, even though they have been running GRC for years. It is worth mentioning that traditional GRC is often associated with check-box compliance and is a necessary evil that makes a company focus solely on the absolute minimum requirements for regulatory compliance – simply to pass a possible audit.
capabilities to achieve business value through effective and efficient performance, risk and compliance management – aligned with strategy.
Looking at GRC from the angle of these observations gives some indication of why top management has not experienced the potential value of GRC, but rather the opposite. In most businesses the primary business objective is performance, and most top managers acknowledge the importance of GRC.
Risk and compliance managers, security professionals, management consultants, tactical managers, HSEQ professionals, project managers – they are all convinced of the value of GRC. To them, it is evident every
There is no gap between business strategy, tactics and operations from an external point of view, and the market does not care if the CEO’s explanation for the risk event was unpreparedness, unawareness or
That being said, a lot of companies are embracing the power of GRC – or GPRC – because they have experienced how integrated GRC can impact their performance. They are moving risk and compliance management from the back bench to the board room in an enterprise context to achieve a holistic view of their risk profile, bridging the gap between strategy, tactics and operational silos, and they are embracing both regulatory and voluntary compliance from a selection of readily available, proven best-practice frameworks to drive business performance.
This article was originally published by Corporater
Director – Global Program Management GPRC