
Building the case for an integrated GRC policy

CIOL Bureau

Sarv Sarvanan

Background and introduction


Information is growing at a relentless pace worldwide, heralding an extraordinary digital information explosion. The IDC report in 2008 titled “The Diverse and Exploding Digital Universe” forecast the worldwide growth of the digital universe in 2011, to be 10 times the size it was in 2006. About 70 per cent of this information will be created by individuals but enterprises will be responsible for the security, privacy, reliability, and compliance of 85 per cent of this information. What is more interesting is that the individual’s 'digital shadow' will be larger than the digital information that an individual would actively create about oneself.

This information explosion with its collateral impact is the fundamental driver of unprecedented regulations and compliance requirements that organizations are required to follow, collectively called Governance, Risk and Compliance (GRC).

What is GRC?


Recent news items related to the sub-prime mortgage crisis in the US, rogue traders and corporate fraud have highlighted that, despite the existence of and investment in Sarbanes-Oxley and a host of other compliance protocols, risk control and management disciplines, significant assurance gaps still exist. In the prevailing business climate, where capital is constrained and expensive, profits are diminished, key players are subject to a greater risk of insolvency and the burden of business-impacting regulations is increasing, companies have little choice but to gear up to manage risk better.

To address these shortcomings, the discipline and practice of Governance, Risk and Compliance (GRC) management has steadily gained ground. GRC is defined as "the organization’s practices and the various roles that the board and senior management, line management, and the rest of the organization play in relation to oversight, strategy, risk management, and strategy execution regarding compliance with laws and regulations and internal policies and procedures".

Most people think of GRC as a single business function but, in fact, it covers several overlapping and related activities such as internal audit, compliance programs, enterprise risk management, incident management, etc. What is important to know is that GRC cannot be approached in a divided manner. Governance, Risk, and Compliance are highly related and distinct practices which help address different potential problem areas in an organization. For example, if Governance is not in place, then Risk Management and Compliance cannot be meaningfully achieved.


GRC received considerable attention internationally with the Basel II pronouncement, which supplemented the Basel guidelines on corporate governance, risk management and compliance. Today there are hundreds of regulations, and most of those passed in the last decade are industry specific and have a significant IT impact. Well-known examples from the West include the Sarbanes-Oxley (SOX) Act of 2002, the Federal Rules of Civil Procedure (FRCP), the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and the Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) of 1999.

The Reserve Bank of India (RBI) has also been proactive in creating a regulatory level playing field for the Indian banking sector by prescribing GRC standards on par with international regulations. With new regulations constantly being added and old regulations continually evolving, GRC is becoming an increasingly vital component that organizations must keep up with, at all times.


Impact and challenges of GRC

Increased interaction with the global economy poses significant challenges of implementing global governance standards, compliance with multiple regulatory requirements and managing cross-border risks.

The Indian economy has been registering growth rates, averaging around 9 per cent per annum, and this has enabled Indian companies to expand globally, tapping into huge India-linked business opportunities, even as multinational companies continue to invest and grow rapidly in India. As the Indian markets become global, multiple international norms of corporate governance are actively coming in to play, forcing more and more companies to think of adopting a comprehensive and effective approach to their GRC management.


GRC challenges are especially critical given that, while money is not restricted by borders, regulatory prescriptions for an effective GRC framework are always set at a national level. Expectations of GRC frameworks therefore differ from regulator to regulator and from nation to nation, creating the challenge of dealing with multiple regulators across various jurisdictions.

No single organization can keep track of all of these regulations without a strategic, integrated and planned GRC program that also includes automation. Governance, risk management and corporate compliance have therefore taken center stage and are closely tied to a sound business strategy.

The expanse of regulations is not only affecting privacy, governance and security; it is also driving up related expenses, creating enormous pressure to reduce costs. In the context of the current global economic scenario, business risks are rising alongside increasingly competitive and virtualized markets.


In such a situation, deploying a GRC solution today could actually help increase efficiencies and reduce risk and redundancies, ultimately supporting efforts to control costs. One example of how this is achieved is by harmonizing policies that are common to two or more regulations, which greatly simplifies compliance efforts and reduces their cost.

On another note, the current global economic challenges have exposed the vulnerabilities of various organizations, necessitating a revised course of action. Implementing a GRC program in such a situation will help lend clarity to an organization’s objectives and risks and support putting in place a new business strategy for an organization with a renewed focus on core business goals.

Besides, by its very nature a GRC solution also centralizes information and provides a comprehensive perspective on the organization's processes and operations. This helps to identify redundancies, streamline processes and create open access to information across the organization.


GRC is therefore particularly relevant from an IT perspective and provides much-needed regulation of how information is accessed and distributed within and outside organizations. It can also help improve the quality of data through consolidation, streamline storage needs and support effective, business-relevant communication, especially on compliance issues.

Reiterating the case for integrated GRC policy

In summary, the case for an increased focus on integrated GRC policy and management is gaining strength, with the current challenging global scenario adding further impetus. In an information-enabled and increasingly interlinked global economy, the load of business-critical digital information is burgeoning while new regulations are constantly being introduced. More and more companies are realizing that implementing global governance standards, ensuring compliance with multiple regulatory requirements and managing cross-border risks have become mission-critical business requirements.

Adopting an integrated GRC solution promises to help organizations streamline compliance and risk management, eliminate redundant or overlapping processes, and ensure centralized control and oversight of compliance activities and information, while helping to improve the quality of critical compliance processes.

Sarv Sarvanan is the VP and MD, EMC India Center of Excellence.
