Governance, Risk & Compliance

from Wikipedia, the free encyclopedia

Governance, Risk & Compliance (Governance, Risk Management, and Compliance, GRC) summarizes the three most important fields of action a company must manage for its successful operation:

  • Governance is corporate management based on defined guidelines. This includes the definition of corporate goals, the methodology used to implement them and the planning of the resources required to achieve the goals.
  • Risk stands for risk management of known and unknown risks through defined risk analyses. An important factor here is dealing with risks at an early stage, providing strategies for risk minimization and preparing loss buffers for when a risk materializes.
  • Compliance is adherence to internal and external standards for the provision and processing of information. This includes, among other things, specifications from standardization efforts, the access regulations for the data and the legal framework for their use.

The English expression has established itself in German usage, so the terms are not translated into German.

Management has to deal with a complex web of relationship levels: supra-regional and multinational business relationships, legal and social rules, company departments with their goals and specifications, and the implementation, control and compliance of processes. In every process within the company, the most varied manifestations of these influences are interrelated and carry their own individual requirements.

Example

A process within a company in which SOX compliance collides with national data protection provisions during an audit of headcount levels and salary data.

This example describes one of many processes within a company and brings together a large number of resources, rules and risks.

Possible solutions

The GRC model claims to introduce a framework that facilitates organizing the multitude of interdependencies between the different processes. Solutions of this type are usually IT-heavy and try to take into account many, ideally all, of the above-mentioned dependencies using computer-controlled tools. Many vendors offer components that support GRC (identity management, risk management, workflow engines, ERP systems, etc.), and the first providers are already presenting holistic solutions for GRC architectures. The most important requirements here are standardized business objects, automated processes and their embedding in existing and future business processes.

GRC research

A validated definition was published for the first time in 2010 (Racz et al., 2010): "GRC is an integrated, holistic approach to organization-wide governance, risk and compliance, which ensures that the organization behaves ethically and in accordance with its risk appetite as well as internal and external guidelines, made possible by the coordination of strategies, processes, people and technology, which increases efficiency and effectiveness." From this definition the authors derive a research framework for integrated GRC, which is intended to make research in this area easier for newcomers.

Research framework for integrated GRC

The research framework consists of the GRC disciplines (governance, risk management, compliance), the GRC rules (internal specifications, external specifications, risk appetite), the GRC properties (integrated, holistic, organization-wide), the GRC components (strategy, processes, people, technology), the GRC goals (ethical behavior, increased efficiency, increased effectiveness) and the activities controlled and supported by GRC (e.g. financial processes, IT management, etc.).

Literature

  • SecurIntegration GmbH (Ed.): GRC in SAP environments. Mitp-Verlag, 2008, ISBN 978-3-8266-5954-6.
  • N. Racz, E. Weippl, A. Seufert: A frame of reference for research of integrated GRC. In: Bart De Decker, Ingrid Schaumüller-Bichl (Ed.): Communications and Multimedia Security, 11th IFIP TC 6 / TC 11 International Conference, CMS 2010 Proceedings. Springer, Berlin 2010, ISBN 978-3-642-13240-7, pp. 106-117 (online).