GRC in Simple Terms

If you’re in the IT or financial business, chances are that you hear the acronym GRC being bandied about all the time. GRC (Governance, Risk and Compliance) is still a somewhat amorphous concept and there’s no unanimity among folks as to what exactly GRC is.

You can, however, go past the jargon filled world of GRC to the essence of the concept. Governance simply refers to management control of the entire process, including the effective carrying out of risk related management strategies by the organization. The risk in GRC refers to several types of risk, including financial risk, technological risk and security risk, legal risk as well as the risk of running afoul of compliance regulations. As you can surmise, all the various types of risk are interlinked – database security risks will eventually lead to financial exposure and vulnerability, of course. However, most folks consider compliance related risks as the main focus in GRC implementation efforts. The compliance angle in GRC, of course, refers to conforming to applicable regulations such as Sarbanes-Oxley and PCI DSS. Compliance covers the whole gamut from the identification of the requirements that apply to you, estimating your current compliance status and the adoption of strategies to ensure quick (and cost effective) compliance with the regulations to avoid fines and legal exposure.

Regardless of one’s conception of what exactly GRC is, we can all agree on the following simple goal based definition of GRC: a set of policies and tools that ensure that you minimize risk by safeguarding customer and enterprise data, preventing fraudulent and unauthorized use of your systems, reducing your reporting time, creating solid audit trails – in other words, a proactive and prudent management of data and systems.

1 Comment » for GRC in Simple Terms
  1. You are so right about GRC is and how important it is.

    There is one area or policies and tools you should include in your list, maintenance. The maintenance of E-Business Suite or any other system introduces large numbers of changes and unless you know what the changes are and test them to be sure the risk of the change is close to zero, you are not only at risk, you are out of compliance.


Leave a Reply

Your email address will not be published. Required fields are marked *