Uploaded on Feb 27, 2022
https://www.proteusdiscovery.com/
What exactly is GRC, and Why do you Require it?
Governance, risk management, and compliance are not always managed together; they are often handled separately by different teams of people. That frequently results in redundant controls, multiple variations on the same process, and, in some cases, inadequate protection against threats. Yet efficiency is a must when resources are scarce and risks are great.
What is GRC?
GRC is the acronym for Governance, Risk, and Compliance; it refers to the coordination of the people, processes, and technologies involved in each of these areas across a company. The goal of GRC is to improve insight into a company's risk posture. Governance, risk management, and compliance are not new disciplines, but the drivers for an enterprise-wide approach include the rising cost of compliance, legal and shareholder demands for greater senior-management accountability, and the rapid proliferation of new risks.
“Compliance works best when you use risk management techniques to reduce not only liability but also loss. Information governance compliance management works best when governance requires you to identify risks to take and risks to avoid. And governance relies on risk management and compliance activities to provide timely information about the organization's status and loss exposure.”
GRC goes beyond silos to embed risk management in the fabric of the organization, but it remains a challenge because many companies lack a common language for risk.
Who or what is affected by GRC?
Everyone in the organization. Each individual's decisions have risk implications. That said, responsibility for governance rests with senior executive management. By setting consistent standards, governance creates transparency across the company (and commercial value). In addition to the CEO and the board of directors, policymakers may include the CFO, the chief risk officer, the CIO, and internal audit. Responsibility for the governance of IT, as a technical discipline, rests with the CIO.
Responsibility for risk management is shared by business unit executives, the CIO, and the CFO. Policies and tools to manage physical and personnel security risks, as well as financial risks, have been developed over centuries. IT adds another dimension to risk, and to remediation.
Enterprise risk management (ERM) aligns performance and risk with business goals and objectives. ERM can be applied across the enterprise or to meet the goals of a single department, such as IT. Although ERM shares many goals with GRC, it is not a substitute for GRC.
What is the role of IT in the implementation of GRC?
IT plays two roles in GRC. First, IT must manage its own risks: data breaches, privacy, internal data governance, and so on. Second, information security governance, risk, and compliance support enterprise-level GRC by implementing the tools that let information flow. IT, for example, helps design the applications and platforms used to conduct risk assessments and train employees, and pulls risk-measuring data from systems across the enterprise.
However, defining the rules and responsibilities of the GRC program (who will participate, how often to conduct evaluations, and so on) is a decision for the board and the leadership level, not for IT. If the GRC strategy doesn't come from the board, the CEO, the CFO, and the chief risk officer, it will be a very limited program.
What are the most important frameworks?
Some experts point to two important frameworks for GRC: COSO and the Control Objectives for Information and Related Technology, or COBIT.
Five major accounting associations formed the Committee of Sponsoring Organizations (COSO) in 1985 to address the factors that lead to fraudulent financial reporting and to develop guidance on internal controls. COBIT is an internationally recognized framework that defines requirements for the control and security of sensitive data and provides a reference model; it remains widely accepted and is used by auditors for reviews.
In the end, it is worth remembering that a framework is a structured approach to common sense. If you already have systems in place to identify, mitigate, monitor, and manage risk, then you have a framework. GRC is more about combining audit, compliance, and risk best practices. Other standards that can help organizations include COSO ERM and ISO 31000, in addition to the governance, risk, and compliance standards developed by the Open Compliance & Ethics Group (OCEG).
Proteus Discovery Group