Growing significance of Governance, Risk and Compliance (GRC) Practices


Share on LinkedIn

Governance, Risk, and Compliance, almost always referred to as GRC, is the latest addition to the parade of three-letter acronyms that are used to describe the processes and software that run the business world. The goal of GRC is to help a company efficiently put policies and controls in place to address all its compliance obligations while at the same time gathering information that helps proactively run the business.

In this knowledge article we will be briefly touching upon the following topics:
• What is GRC?
• Business Value of GRC
• GRC Categories & Market Characteristics
• Key GRC layers
• Core Functions in GRC
• Key Users of GRC Solutions
• Overview of Enterprise GRC Platform Market
• Trends in Enterprise GRC Platform Market
• Approaches to GRC Solutions
• Concluding Thoughts

What is GRC?
Governance, Risk and Compliance or “GRC” is an increasingly recognized term that reflects a new way in which organizations are adopting an integrated approach to these aspects of business.
So as the abbreviation suggests GRC is a combination of
• Governance
• Risk Management
• Compliance

Governance: Setting the policies, structure and objectives for an organization and overseeing progress toward those objectives

Risk Management: Managing the risk-taking necessary for an organization to compete

Compliance: The management and monitoring of compliance with the organization’s own required policies and procedures that enable management of the risks endangering the organization

Many leading software vendors have started building and releasing software products that can automate the tasks involved in the GRC management. So this article will primarily talk about how this market is shaping up and what’s in store for the future.

A model GRC framework can be described in the following way:

“GRC is an integrated, holistic approach to organization-wide governance, risk and compliance ensuring that an organization acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness.”

Business Value of GRC
Adopting an effective implementation strategy for GRC can significantly increase shareholder value and empower organizations to:
• Improve strategic business decisions by clearly defining associated risks and opportunities
• Minimize operational surprises with more proactive and effective monitoring
• Protect and enhance reputation and brand by capitalizing on business opportunities while reducing the likelihood of negative events
• Increase organizational efficiency
• Avoid fines, penalties and damage to reputation
• Streamline the business processes and increase predictability

GRC Categories & Market Characteristics
• GRC Categories according to Gartner’s Research – 3 Major Categories
1) Finance and Audit GRC – GRC solutions for financial reporting and auditing
2) IT GRC Management – GRC solutions for IT Governance and Management
3) Enterprise Risk Management – GRC for purely managing multiple forms of risk and other related aspects
• Vendor market categories
Vendors provide either of the below mentioned solutions
1) Integrated Governance, Risk & Compliance Solutions (iGRC – All in One solution)
2) Domain Specific GRC Solutions (Industry specific solutions)
3) Point Solutions to Governance, Risk or Compliance (Solutions targeting specific professionals like Risk Manager or Compliance Manager or Corporate Secretary)

Key GRC Layers
The various layers in the GRC domain are represented below:

The key layers in the GRC space are briefed below:
• Governance Layer: Corporate Reporting, Board/Entity Management, Audit Management
• Risk / Compliance Layer: Policy and Procedure Management, Compliance Management, Risk and Control Management, Issue and Action Management, IT Risk and Compliance Management
• GRC Support Layer: GRC Functional Support – Training, Credit/Market Risk Management, Regulatory/Risk Content, GRC Informational Support – Legal/Case Management, Asset Management, Environmental Management, Quality Management

Apart from the three layers mentioned above, there are two more layers which are indirectly related to GRC, they are Business Layer and IT Layer. These two layers are not directly served by GRC software packages.

Core Functions in GRC
There are four core functions in GRC; they are Audit Management, Policy Management, Compliance Management and Risk Management. They are briefly described in below:
• Audit Management: Supports internal auditors in managing work papers, and scheduling audit related tasks, time management and reporting
• Policy Management: Includes a specialized form of document management that enables the policy life cycle from creation, review, change, mapping and archiving of policies
• Compliance Management: Supports compliance professionals with documentation, workflow, reporting and visualization of control objectives, controls and associated risks, surveys and self-assessments, testing and remediation. Can not only support financial reporting compliance but also can support other types of compliance like ISO, Industry specific regulations etc.
• Risk Management: Supports risk management professionals with documentation, workflow, assessment and analysis, reporting, visualization and remediation of risks. ORM (Operational Risk Management) is the generally available component in EGRC platforms but ERM (Enterprise Risk Management) is emerging as the more specialized version of risk management

Key Users of GRC Solutions
The below mentioned roles are the possible users of GRC solutions. Apart from the mentioned roles there can be other roles which can come up on a need basis:

• Corporate Secretary
• Risk Manager
• Compliance Manager
• Internal Auditor
• Infrastructure Professionals
• Operational Professionals
• Performance Managers
• Investigations Professionals
• Anti-fraud Professionals
• Legal Professionals
• Sales and Marketing Professionals
• Security Professionals
• Sustainability Professionals
• Quality Professionals

Overview of Enterprise GRC Platform Market
EGRC Software Platforms’ need has increased because of the customer’s need to improve the oversight of corporate governance – including
• Financial Reporting Compliance
• Enterprise Risk Management (ERM)
• Audits

Also many organizations want to consolidate other GRC activities into a single platform.
GRCM (GRC Management) is defined as the automation of the management, measurement, remediation and reporting of controls & risks against objectives, in accordance with rules, regulations, standards, policies and business decisions
Any software platform that addresses the GRCM objectives can be categorized as an EGRC Platform.

Trends in Enterprise GRC Platform Market
• The SOX (Sarbanes Oxley) Act’s domino effect – This led to other countries adopting similar stringent financial reporting and audit regulations
• Customers’ need for better analytics and alignment to strategic business objectives
• An increasing regulatory focus on anti-corruption and bribery in the aftermath of the financial crisis
• ERM to support the transparency objectives of the regulators and the decision making of business leaders
• Regulatory content services and change management to deal with the regulatory proliferation
• Consolidation of market players, i.e. smaller best of breed players to one dominated by large players
• GRC Metrics are increasingly seen as key indicators of business performance and stability
• GRC customers are increasingly finding new ways to use the EGRC platform
• GRC software vendors’ increasing focus on platform technology

Approaches to GRC Solutions
There are two approaches to implementing GRC solutions:
• Top-Down approach
• Bottom-Up approach
There are several tools that address the two ways of approaching GRC solution deployment, but the ideal way would be to use tools that can satisfy the requirements of both the approaches.
The chart represented below will clearly identify the characteristics of both the approaches:

Concluding Thoughts
• GRC Market is predicted to be at more than $20 Billion in the next five years
• GRC is thought to be the next big area on the lines of Enterprise Solutions like ERP, CRM, BPM etc.
• If Infosys can build enough competency in this area and partner with the right vendors, then we can make a mark in this industry as we have made in the Enterprise Solutions space
• Building solid domain competency in each and individual area within GRC like Policy Management, Risk Management, Compliance Management, Audit Management etc. is really crucial

Vijay Muthupalaniappan
Vijay Muthupalaniappan is a Senior Consultant with Infosys Ltd. Currently engaged as a CRM Business Analyst for a Large Australian Telecom Company. Experience working on projects under Waterfall and Agile practices with hands-on Project Management and Estimation. Been a part of large IT Business Transformation projects advising clients with planning and formulating IT implementation / migration strategies.


Please use comments to add value to the discussion. Maximum one link to an educational blog post or article. We will NOT PUBLISH brief comments like "good post," comments that mainly promote links, or comments with links to companies, products, or services.

Please enter your comment!
Please enter your name here