Academic journal article Management Accounting Quarterly

GRC Integration: A Conceptual Foundation Model for Success

Article excerpt

Many public and private organizations are implementing and integrating governance, risk, and compliance frameworks across multiple industries and sectors. To provide uniformity and continuity throughout an organization, these enterprise-wide frameworks place governance, risk, and compliance activities under one overarching umbrella known as GRC. These efforts are integrated strategically across an organization.

As with any new strategic initiative, however, there are difficulties in presenting and tracking the initiative's maturity as the company implements it. Key stakeholders need to know that the initiative adds value and improves the organization as it matures during its life cycle. GRC integration is also experiencing this same challenge with a similar pattern of frustration and concern. Organizations are looking for timely and practical ways to better communicate and articulate what GRC means from an organizational alignment perspective and the value and success realized during its service life cycle.

This article introduces a new GRC Conceptual Foundation Model(TM) that establishes a more timely view or snapshot of the GRC framework for presentation to key stakeholders and to those who do not practice GRC. It also will highlight how a company can use this conceptual foundation economically as a basis to measure and guide success in integrating GRC.

Before I introduce the model, I will present the accepted GRC general knowledge of professional organizations and industry professionals.

Overview of GRC

A critical business concept, GRC integrates a risk-based management approach that is proactive, effective, and can be used throughout an organization. It provides organizations with a uniform view of information so they can align risk management with objectives, reduce complexity, diminish inconsistencies, and harness technology for desired outcomes. Not a replacement for internal control or compliance testing, GRC goes well beyond testing to create a comprehensive framework for managing risk and improving performance. It organizes risk management efforts rather than duplicating them, which reduces overall operating costs and assists in creating a more risk-intelligent organization.

Risk management professionals know that organizations worldwide have been facing unprecedented pressure to demonstrate accountability and stewardship to control fraud and abuse as well as meet new information technology (IT) security compliance requirements. As budgets have decreased or have remained constant and companies need greater efficiency and effectiveness, the focus on accountability has changed. Organizations now focus on broader views with a more uniform outlook regarding how technology, planning, and business processes align with enterprise-wide risk, compliance, and governance, as well as where these services reside and where duplicate efforts exist.

Figure 1 illustrates a typical high-level representation of GRC and details how various organizational components interact within a GRC framework. This illustration shows that governance, risk, and compliance activities, such as enterprise risk management, internal controls, and compliance testing, can and will indirectly or directly interact with and impact other key areas within a company's strategic planning, technology, and operation components.

As a company integrates GRC, practitioners expect common outcomes. These expectations further support the implementation of GRC across multiple business sectors and industries and are the primary outcomes and key areas tracked during the life cycle and maturity of GRC. Here are a few of the most common expected outcomes:

* Enterprise-wide risk framework and common language;

* Overall focus on strategic and tactical risks to stakeholder value;

* Maintaining an enterprise-wide perspective on governance, risk, and compliance;

* Sharing information and knowledge across GRC functions;

* Unified development and investment in technology and tools for GRC functions; and

* Integration of GRC activities. …