Governance, Risk, and Compliance or "GRC" is an increasingly recognized term that reflects a new way in which organizations can adopt an integrated approach to these three areas. However, this term is often positioned as a single business activity, when in fact, it includes multiple overlapping and related activities within an organization, e.g. internal audit, compliance programs like SOX, enterprise risk management (ERM), operational risk, incident management, etc.
Governance is the responsibility of senior executive management and focuses on creating organizational transparency by defining the mechanisms an organization uses to ensure that its constituents follow established processes and policies. A proper governance strategy implements systems to monitor and record current business activity, takes steps to ensure compliance with agreed policies, and provides for corrective action in cases where the rules have been ignored or misconstrued.
Risk Management is the process by which an organization sets the risk appetite, identifies potential risks and prioritizes the tolerance for risk based on the organization’s business objectives. Risk Management leverages internal controls to manage and mitigate risk throughout the organization.
Compliance is the process that records and monitors the policies, procedures and controls needed to enable compliance with legislative or industry mandates as well as internal policies.
Within the GRC realm, it is very important to realize that if the first one (Governance) is not in place, the second two (Risk Management and Compliance) become irreverent and probably cannot be meaningfully achieved. Working on the same logic, if second one (Risk Management) is not in place then achieving Compliance becomes irreverent and probably cannot be meaningfully achieved. This is the reason the acronym is designed as GRC and not other combinations. Governance, Risk, and Compliance are highly related but distinct activities that solve different problems for different sets of constituents of an organization.
Initial interest in GRC systems was driven by the Sarbanes-Oxley Act, but GRC system requirements have changed and now are seen as a means to achieve Enterprise Risk Management. Specifically, this represents a movement from managing risk as a transaction or compliance activity to adding business value by improving operational decision making and strategic planning.
Enterprise resource planning (ERP) is the planning of how business resources (materials, employees, customers etc.) are acquired and moved from one state to another.
An ERP system supports most of the business system that maintains in a single database the data needed for a variety of business functions such as Manufacturing, Supply Chain Management, Financials, Projects, Human Resources and Customer Relationship Management.
An ERP system is based on a common database and a modular software design. The common database can allow every department of a business to store and retrieve information in real-time. The information should be reliable, accessible, and easily shared. The modular software design should mean a business can select the modules they need, mix and match modules from different vendors, and add new modules of their own to improve business performance.
Ideally, the data for the various business functions are integrated. In practice the ERP system may comprise a set of discrete applications, each maintaining a discrete data store within one physical database.
The initials ERP originated as an extension of MRP (material requirements planning, and then manufacturing resource planning) and CIM (computer-integrated manufacturing) and was introduced by research and analysis firm Gartner. ERP systems now attempt to cover all basic functions of an enterprise, regardless of the organization's business or charter. Non-manufacturing businesses, non-profit organizations and governments now all use ERP systems.
To be considered an ERP system, a software package must provide the function of at least two systems. For example, a software package that provides both payroll and accounting functions could technically be considered an ERP software package.
However, the term is typically reserved for larger, more broadly based applications. The introduction of an ERP system to replace two or more independent applications eliminates the need for external interfaces previously required between systems, and provides additional benefits ranging from standardization and lower maintenance (one system instead of two or more) to easier and/or greater reporting capabilities (as all data is typically kept in one database).
Examples of modules in an ERP which formerly would have been stand-alone applications include: Manufacturing, Supply Chain, Financials, Customer Relationship Management (CRM), Human Resources, Warehouse Management and Decision Support System.
Some organizations — typically those with sufficient in-house IT skills to integrate multiple software products — choose to implement only portions of an ERP system and develop an external interface to other ERP or stand-alone systems for their other application needs. For example, one may choose to use human resource management system from one vendor, and the financial systems from another, and perform the integration between the systems themselves.
This is very common in the retail sector, where even a mid-sized retailer will have a discrete Point-of-Sale (POS) product and financials application, then a series of specialized applications to handle business requirements such as warehouse management, merchandising and logistics.
Ideally, ERP delivers a single database that contains all data for the software modules, which would include:
- Engineering, Bills of Material, Scheduling, Capacity, Workflow Management, Quality Control, Cost Management, Manufacturing Process, Manufacturing Projects, Manufacturing Flow
- Supply Chain Management
- Order to cash, Inventory, Order Entry, Purchasing, Product Configurator, Supply Chain Planning, Supplier Scheduling, Inspection of goods, Claim Processing, Commission Calculation
- General Ledger, Cash Management, Accounts Payable, Accounts Receivable, Fixed Assets
- Costing, Billing, Time and Expense, Activity Management
- Human Resources
- Human Resources, Payroll, Training, Time & Attendance, Rostering, Benefits
- Customer Relationship Management
- Sales and Marketing, Commissions, Service, Customer Contact and Call Center support
- Data Warehouse
- and various Self-Service interfaces for Customers, Suppliers, and Employees
Information Risk Management is the process of implementing and maintaining appropriate management controls including policies, procedures and practices to reduce the effects of IT risk to an acceptable level. The principles of IRM can be directed both to limiting adverse outcomes and achieving desirable ones. The process involves identifying, analyzing, assessing, treating and monitoring IT risks in all areas of operations and business.
It is no secret to security and risk management professionals that security is a function of people, processes and technology. But when it comes to spending, historical data tells a very different story. Most organizations have traditionally spent a disproportionately high percentage of their security dollars on technology, relying largely on product-based approaches to solve their security issues. Let’s bear in mind that deploying technology may be easier than changing how employees think, or instilling the rigor of process within organizations, but it may not be very effective by itself.