Governance – the culture, policies, processes, laws and institutions that define the structure by which companies are directed and managed.
Risk – the effect of uncertainty on business objectives.
Compliance – the act of adhering to, and demonstrating adherence to, external regulations and standards as well as corporate policies.
GRC is the coordination of these three areas to increase efficiency and produce more complete information for better decision-making.
After all, bad information leads to bad decision-making.
The evolution to GRC came from one-off controls and testing put in place as each new regulation arrived. The starting point was generally Sarbanes-Oxley. In the early days, internal audit and the general counsel operated separately from the operations group, whose work runs through the internal IT systems. As compliance groups multiplied, they sent more and more audit and information requests to the operations groups. The goal is to unify and simplify risk and compliance.
Siloed information makes it hard to determine the status of compliance and difficult to map controls to regulations. Sumner proposes a global repository of audits, risks, tests and test results, cross-referenced to unite the silos of information: a single source of truth for compliance, risk and governance.
The unified approach should give you visibility into the state of operations and risks. This could allow you to remediate problems before they become critical.
The policy lifecycle starts with (1) identifying the requirements, (2) setting policies to meet the requirements, (3) creating controls to enforce the policies and then (4) monitoring and remediating the controls. This lifecycle should have feedback loops so that policies and controls stay up to date and functional.
Sumner sees five management tools: regulatory content, risk management, policy management, controls management and project management.
For policy management you need support for the creation, review, self-assessment and update of policy documents. You need a workflow to track approvals. You need to track that people have attested that they have read the policy, comply with it and will continue to comply with it.
With regulatory content, it is difficult to develop the expertise, keep the information up to date and translate it into control objectives. It is also valuable to harmonize the controls across regulations, so that you are not creating redundant or even conflicting controls.
For controls management you want a centralized repository of controls mapped to the associated policies, regulations, risks and resources. You also want to store test results and the assignment of actions to be done.
For project management, you want to track project status, with support for an audit trail and for reporting.
The key is to reduce costs, reduce disruptions, improve risk management, and use it to drive operational improvement to gain competitive advantage.