Governance, risk, and compliance or ‘GRC’ is an increasingly recognized term these days and widely talked about and discussed at various forums. GRC reflects a new way in which organizations are adopting an integrated approach to these important aspects of their business.
GRC is the umbrella term covering an organization’s approach across these three areas. Being closely related concerns, governance, risk, and compliance activities are increasingly being integrated and aligned—to some extent—to avoid conflicts, wasteful overlaps, and gaps. It is expected that companies would follow certain norms of governance, ensure that they have the right processes to recognize business risks and their mitigation and that they conform to the laws of the land.
As managements try to address these issues, the CIO has a fiduciary responsibility to assist the management in its efforts to address GRC issues. Let us understand each of the elements of GRC.
Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management control structures and the right management practices. One of the requirements of governance is that that the critical management information reaches the executive team in a form that is adequate, accurate, and timely to enable appropriate management decision making. It also involves providing the control mechanisms to ensure that strategies, directions, and instructions from management are carried out systematically and effectively.
So the CIO has his role cut out; he has to proactively provide the required support to the management through robust information and control systems. IT systems should also facilitate maintenance of documentation of various transactions, approvals, record of critical business discussions, decisions, etc.
Risk management is the set of processes through which management identifies, analyzes, and where necessary, responds appropriately to risks that might adversely affect realization of the organization’s business objectives.
The first need, therefore, is to do a risk assessment and identify all possible risks that the company could be exposed to. The next step is to analyze those situations and determine criticality of the risks and their possible impact on the organization.
Once the risks are analyzed, the company has to define measures that it can take to contain any adverse fallout. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting, or transferring them to a third party.
It then becomes the duty of the CIO to introduce policies and technologies for risk coverage and mitigation. He covers risks against hacking by external users, institute measures for user authorization and control, ensure safety of data through regular back-ups, implement disaster recovery and business continuity plans, conduct user education sessions, etc.
Compliance means conforming to the stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined, for example, in laws, regulations, contracts, strategies, and policies), those which assess the state of compliance, and the ones that assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance. It also involves defining management processes that can prioritize, fund, and initiate any corrective actions deemed necessary.
Here, the CIO has to be in touch with the company secretary / legal head or concerned departments to make a list of various statutory requirements that the company is required to comply with. He needs to facilitate the creation of facility to record requirements, to remind people on due dates, to help monitor compliance and help create a report on the status.
Various software packages are available that helps meet these requirements including those from leading ERP vendors, software majors, and many other small firms who create such specialized tools.
A 360-degree approach
GRC, therefore, is a holistic view of issues that the managements of companies are obliged to address. In my opinion, a CIO can play a significant role in helping his organization meet its obligations. Since most documents and processes reside on IT systems, it becomes incumbent on the CIO to ensure that all requirements are taken care of. Here is an opportunity therefore for the CIO to fill this space and rise to be an executive of significance.