Every organization does GRC whether they use the acronym or not. All have some approach to governing the organization, managing risk, and addressing compliance. It could be scattered in silos and disconnected, or it could be highly collaborative and integrated. Organizations should not be asking whether they should do GRC, but rather how mature their organization's approach to GRC is and how it can be improved.
The formal definition for GRC found in the OCEG GRC Capability Model is that "GRC is a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance]." In the ideal world there is a natural flow through GRC.
- Governance sets objectives and directs and steers the organization, setting the context for risk management.
- Risk management aims to understand and minimize uncertainty in those objectives and reduce exposure to loss while maximizing performance.
- Compliance assures that the organization operates with integrity within the boundaries established in organization values, policies, regulatory and legal requirements, as well as boundaries set by risk limits and thresholds.
However, within many organizations there are often many GRC functions operating in isolation, producing redundancy and gaps while remaining ignorant of the interrelationship of risk across silos. This has a measurable cost to the organization in inefficiency, ineffectiveness, and lack of agility. Other organizations have mature and structured processes and reporting on GRC that bring together an integrated and orchestrated view of GRC processes and information.
The goal of this 2017 OCEG GRC Maturity Survey report is to help organizations:
- Understand the level of integration of GRC within organizations;
- Differentiate the degree of confidence in performance with the ability to identify and manage risks and requirements;
- Examine the benefits of an integrated GRC capability and the negative effects of siloed operations.