What is GRC? (Governance, Risk and Compliance)

It is a fact that companies today cannot be run as they once were. Whatever their size, mission, product or market, all of them sooner or later face challenges in sustaining or growing the business (governance), more regulations and standards that must be met in order to operate or compete (compliance), and the costs and benefits that come with uncertainty and that require analysis and evaluation (risk).

So what is GRC?



It could therefore be read as if GRC were simply an acronym for the activities just mentioned: governance, risk and compliance. It is more than that, because even at first glance these are activities that cannot be understood separately. It is also a road, and a thorny one, involving decisions on the allocation and acquisition of resources and personnel, ongoing assessment of financing strategies and management policies in pursuit of short- and long-term goals and results (management), which in turn require controls, process adjustments, and supervision and monitoring actions (assurance).

Leading and managing an organization is by definition a complex problem. It involves taking responsibility for a jungle of objectives, where one must consider things such as maximizing financial performance under resource constraints, within regulated operating frameworks and under strong external uncertainties from customers, competitors and markets, all combined with the need to honor regulatory commitments. In short, these are the tasks of governing, managing and assuring an undertaking against the paths imposed by the environment and the expectations of stakeholders. That is, it is not only governance; it also requires management and assurance.

Today it is common to see Board of Directors decisions, driven by its more liberal members, that require senior management, in light of the numbers, to apply aggressive strategies to improve market positioning and grow the sales share of goods and services. In colloquial terms, they demand better performance.

The task management must undertake is therefore oriented toward market research, positioning surveys and consumer interests, grounded in production capacity and the technology requirements needed to significantly improve quality and lower product costs at the required volumes and profiles. This effort requires assessing financing costs and available cash flows, and determining the changes in processes, activity functions, procedures and information flows needed to support the new operating model (performance).

The evaluation, however, is not complete until the new risks that appear in operations, liquidity and the business have been identified and established (risk), together with the controls to be implemented so that results are pursued within a prudential frame (control). The conclusion is that the project should incorporate elements that safeguard against the risks and provide the controls, supplying the monitoring information needed to guide and assure the new tasks and challenges the company takes on, as well as the new mandatory and voluntary requirements and commitments the company will honor (compliance).

The set of tensions involved in governing, managing and assuring an organization so that it achieves its objectives, with the performance, risk, control and compliance challenges this entails, requires tools, practices and methods that enable holistic and integrated management of the allocation and acquisition of resources and of interventions and adjustments in areas, functions, processes, information and technology. GRC is a discipline that brings these instruments together under a holistic, comprehensive and integrated approach, with the theoretical foundations and the practices needed to untangle this complex web of relationships.

GRC Concept, Method and Model

It is said that identifying a problem is half of the solution. This is a key statement for GRC (Governance, Risk and Compliance), because it is in fact one of the reasons why organizations fail to achieve effectiveness in many of their corporate projects: achieving objectives, optimizing processes, managing operational risk, the effectiveness of controls, the adequacy of compliance, implementations of technology solutions, to name a few. This is natural, because the issues organizations face are complex, with multiple origins and with correlated and interrelated causes and consequences.

In short, a GRC project must consider three key elements: concept, method and model. The concept involves fully understanding the elements, scope and benefits of GRC, and what its potential is. The method refers to how a GRC project should be approached, and the model is the definition of the reference practices that support the achievement of a goal.

The concept of GRC must begin by recognizing that GRC is not limited to implementing good governance, risk and assurance practices backed by regulations, as many understand it. It goes far beyond that. It is the ability to harmonize these and other practices in order to govern, manage and assure not only risk and compliance, but also performance in achieving objectives. Thus, the added value of the GRC capability is "harmonization" through alignment, integration or orchestration of the concepts, depending on the degree of maturity and the degree to which the concepts are put into action.

According to OCEG [1], the overall structure of GRC can be illustrated in a framework like the one shown below, which should lead to principled performance: the reliable achievement of objectives while addressing uncertainty and acting with integrity.


[Figure: governance, management and assurance]

The GRC method provides the way a problem should be addressed in order to identify viable solutions and alternatives. It is suggested that the organization is systemic in nature and therefore incorporates multiple, complex interrelations and correlations among governance, management and assurance of performance, risk and compliance, which show up in different ways in strategies, processes, people, technology and information. The premise is that identifying alternatives requires breaking a problem down to its root cause.

Applying a GRC method requires separating the problem into its parts in order to identify its source. Baker Tilly developed a methodology called GRCMaX [2] that supports this process through a systemic analysis based on four perspectives: principled performance, governance, enterprise architecture and scope.


[Figure: GRCMaX cube]

As can be seen, all the perspectives are interrelated, so it will be necessary to identify the elements that may be involved in each one [3]. This vision makes it possible to identify a problem and find a solution from several converging views. The principled performance perspective refers to the nature of the objective: performance, risk or compliance. A key element to consider is that it incorporates the control axis. The governance perspective, in turn, refers to the nature of the assurance that objectives are achieved, and therefore develops the axes of senior management, operation and supervision as elements of management, consistent with good governance and assurance practices and standards. The enterprise architecture perspective considers the nature of the objects or domains addressed, which can be approached either from intent, that is, strategy or guidelines, or from operation, that is, organization and resources, processes, information and technology. Finally, the scope perspective refers to the specific jurisdiction of a problem, which may be the entire organization, an area, a project, a process or a function. [4]

The method should identify the source of a problem and the alternative solutions. To this end, it proposes a series of steps that begin with building a diagnosis of the situation or maturity state, in schematic form, and defining critical paths and expected results. The subsequent dynamic structure involves the stages that follow, organized as a project.


[Figure: GRC methodology]

Finally, the GRC model is the set of practices that should support the alternative solution identified for achieving a specific goal. OCEG has issued a capability model consisting of components and elements that define practices enabling the efficient development of a project. The latest version, 3.0, which is in the process of being issued, incorporates four components, Learn, Align, Perform and Review, whose practices serve to understand, align, implement and review the progress and results proposed in a specific GRC project.


The practices are organized so that one can identify those most suitable for understanding the contexts and defining the goals, aligning requirements and challenges, implementing the required actions and controls, and reviewing and monitoring the expected results. Of course, these are reference practices, and they should be complemented with all the others that the organization considers specific to the problem identified, starting from its root cause.
