Monday, May 28, 2018

Enterprise Governance and GRC Tools

THE ROAD TO EFFECTIVE GRC PRINCIPLES

• All businesses, and publicly traded corporations in particular, have faced governance needs and requirements issues.
• An enterprise always faces the risk that it will misinterpret rules or be found in violation of one or another of the many laws and regulations that apply to it.
• There are also risks that an enterprise's own established governance rules will not achieve the desired results, or that the enterprise may face some outside event beyond its control, such as a significant economic downturn, a terrorist attack or act of war that impacts its sphere of operations, or a fire in a major facility.
• There is a need to understand and manage all of these risks on an overall enterprise level.
• Enterprises have always been concerned with various governance, risk, and compliance issues.

Business professionals had not even heard about this now increasingly familiar GRC acronym until early in this century. The first letter stands for governance, not just for IT governance but for concerns over the entire enterprise. In short, governance means taking care of business, making sure things are done according to an enterprise's standards, regulations, board of directors' decisions, as well as governmental laws and rules. It also means setting forth clearly the stakeholder expectations of what should be done so that all stakeholders are on the same page with regard to how the enterprise is run.

The R in GRC is risk. Everything we do and all aspects of business operations involve some element of risk. When it comes to an individual running across a freeway or a child playing with matches, it's pretty clear that certain risks should just not be taken. When it comes to business, however, risk factors become a way to both help protect existing asset values and create value by strategically expanding an enterprise or adding new products and services.

The C in GRC is compliance with the many laws and directives affecting businesses and citizens today. Sometimes people will also extend that letter to include controls, meaning that it is important to put certain controls in place to ensure that compliance is actually happening. GRC is an increasingly recognized term that reflects a new way in which enterprises today are adopting an integrated approach to these aspects of their business. It is important to remember these core disciplines of governance, risk management, and compliance. Each of the disciplines consists of the four basic GRC components: strategy, processes, technology, and people.

Exhibit 3.1 illustrates these GRC concepts. Governance, risk management, and compliance principles should be tightly bound together rather than handled as separate programs. The diagram also shows that internal policies are the key factors supporting governance, that external regulations drive compliance principles, and that what we call an enterprise's risk appetite is a key element of risk management.


Risk appetite is a relatively new term for many business and IT professionals. It refers to the amount and type of risk that an organization is prepared to pursue, retain, or take. For example, an investor who speculates in what are often called very risky "penny stocks" has a high appetite for risk, while an investor holding generally safe money market funds has a low appetite for risk. This same analogy can be translated to many enterprise business decisions.

The triangle diagram in Exhibit 3.1 also shows the components of strategy, effective processes, technologies (including IT), and the people in the enterprise needed to make all of this work. Off to the left side, the exhibit shows that an enterprise requires management attention and support, and that correct ethical behavior, organizational efficiency, and improved effectiveness are key.
