March 17, 2015


Governance, Risk & Compliance: Not an IT but a Business Game Plan

Every organization is looking for that unparalleled level of business growth. This growth, however, happens within the market, and all strategies used to grow the business should comply with its continuously evolving set of rules and regulations. This turns the market into a figurative minefield for any growing business. Every step a business takes towards growth needs to be carefully weighed and examined with the aim of minimizing risk, maximizing compliance and establishing sound governance.

When we talk about Governance, Risk and Compliance (GRC), most people approach them as three individual entities. While each of them may refer to different aspects, they are, in essence, a single, collaborative function. In a day and age when enterprises are expected to function smoothly amidst an expansive web of risks while simultaneously complying with constantly evolving industry standards, GRC becomes a necessity.

Any potential loss to a business is a risk, and risks impact business. If we examine the businesses of today, it isn’t hard to see that GRC is intrinsically present across all horizontals and verticals. It may as well be the defining factor of an enterprise’s success or failure in the market.

Typically seen as an IT problem, risk and compliance actually relate to the underlying business process. IT is simply a vehicle for business – designed to streamline and accelerate processes that would otherwise be done manually. IT is, in fact, driven by processes, which in turn are driven by mandates – mandates determined by an enterprise’s compliance policy. Therefore, a background understanding of the process driving the technology becomes necessary to ensure no business process is throttled in the event of IT downtime.

Outwardly it may seem that IT is running the show; however, the control procedures and mechanisms that IT implements are defined by the business process or function they serve.

IT personnel do exactly as they are instructed by those responsible for business operations. In your typical enterprise, these IT personnel may have little or no understanding of the relationship between IT and business operations, or of its implications for risk and compliance. Business operations run IT – therefore, shortcomings in IT translate to shortcomings in the business process itself!

Laws and regulations that affect GRC policies are in a continuous state of evolution. They are increasing not only in number but also in complexity – especially at the global level. While most companies today recognize the importance of investing in a sound GRC policy, the investments seldom achieve the end state companies expect. This is largely because of the “silo” approach that separates the GRC policy across different organizational units. While this may outwardly appear more streamlined, in truth it only creates room for inefficiencies and adversely affects strategic decision making.

The best way to ensure a sound GRC strategy in an organization is to establish a top-down view of the business and of the corporate objectives that are impacted by various risks and compliance requirements. This increased visibility ensures a greater understanding of the GRC policies scattered across the enterprise – why they exist and how they affect the business process. Such a unified approach to GRC can greatly enhance the effectiveness and efficiency with which GRC policies are followed within an organization. A unified GRC framework ensures that all business units, including IT, are on the same page, thereby helping the company achieve its strategic goals with ease.