Governance, risk management and compliance and what it means to you
July 5, 2007, from Network World – “Get ready for a new buzz phrase to descend upon the IT department: ‘governance, risk management and compliance,’ or GRC. You’re probably already familiar with compliance, especially if your company has to comply with regulations such as Sarbanes-Oxley, HIPAA, GLBA or any number of other government or industry regulations. Now it’s time to understand your role in corporate governance and risk management.
Looking at your company as a whole, there are people at the top who are trusted with running the company in an ethical way, making sure that the company establishes appropriate objectives and shows measured achievements toward those objectives. This is governance. Up until the days of Enron, WorldCom, et al., governance took place quietly in the background. Now it has been thrust into the spotlight, and it is much more closely tied to risk management and compliance.
Risk management is the practice of identifying, measuring, reporting on and appropriately managing the risks that could impact the company’s governance objectives. For example, risk managers look for competitive threats, political situations and new government regulations that could impact the business. They study the known risks and come up with ways to mitigate them.”
180 View – GRC has been around for years but seems to be taking off as the compliance component of Sarbanes-Oxley (SOX) work diminishes. For a more detailed explanation of GRC, click here for a whitepaper from the Compliance Consortium published May 16, 2005.
Labels: GRC