Business professionals are often aware of a subject area called "governance, risk management and compliance" (GRC), but many don't have a handle on what it means or how it relates to their commercial activities. Such perplexity isn't surprising. GRC is a wide river to navigate - more like an estuary of interrelated streams of various widths and depths. The text below should get you up to speed on the absolute basics of GRC, at least in terms of material for the BI and dashboard world.
First off, what is it? Well, it's not just one activity or specific subject; it's more of a unified approach to a series of interrelated activities and responsibilities. And while "governance, risk management and compliance" are the core segments, GRC management often goes well beyond these areas, ranging from quality assurance to information security and privacy. This is why GRC programs typically relate to the IT, financial and legal functions within an enterprise. In fact, with no standard definition of GRC management, different organizations label and deal with it differently.
GRC starts with governance, and many aspects of the topic relate to government, if not directly, then usually marginally. Corporate executives are tasked with the responsibility of ensuring they are following government regulations, policies and procedures within their particular industry, whether it's accounting/auditing principles or employment standards. A sound corporate governance strategy puts into practice systems to supervise ongoing business activity and invoke corrective action when compliance is in question.
And speaking of compliance, conformity to government mandates is not the only kind of compliance. Various industries are "self-regulating": government statutes don't exist, but compliance with specific industry rules is still required (the real estate and media industries come to mind). Alternatively, an individual company may have internal regulations it chooses to follow, which could include monitoring business processes, keeping records, taking corrective action when necessary and reviewing the system regularly.
The other element of GRC is risk management, which is also relatively broad. As far as GRC functions are concerned, risk management relates to the methods an enterprise uses to recognize risk and establish its tolerance for it, based on its own goals. Risk-management guidelines define the tools and procedures used to help control uncertainty, business threats and anything else that can impact the organization - whether it is weighing a customer's dicey credit record or calculating the costs and complications of changing its CRM system.
For BI professionals, GRC management can often be found in a variety of tools, with more GRC applications coming online that integrate individual solutions into immensely comprehensive packages. This means data is no longer being kept in distinct "silos," but is now part of a platform for enforcing and monitoring GRC procedures. GRC technology, like data analytics tools and digital dashboards, gives administrators the ability to quickly recognize a company's exposure to risk, measure progress and produce other key reports.
If you're curious about how widespread GRC implementations actually are, consider this: According to a report from AMR Research, Inc. (Market Demand for Governance, Risk Management, and Compliance (GRC), 2007–2008), GRC activities accounted for nearly $30 billion during that period, with a third of that spent on hardware, software and integration services. As a subject and industry, GRC is certainly growing. Some of that growth may originate with 2002's Sarbanes-Oxley Act, which responded to the famous accounting scandals of Enron, WorldCom and the like by establishing new/enhanced standards for all U.S. public company boards, management and public accounting firms.
So while issues related to governance, risk management and compliance may continue to seem a bit muddy, hopefully you're now better prepared to navigate the seemingly murky waters of GRC.
About the Author
Rob Hunter works as a software copywriter by day and as a Dashboard Insight editor by night (when he’s not playing his upright bass).