
“Unlock the essence of Governance, Risk, and Compliance (GRC)! Explore how GRC serves as the backbone for organizational success. Understand its components – Governance, Risk Management, and Compliance, and discover the role of GRC professionals. Learn the essential requirements for implementing a robust GRC framework, emphasizing leadership commitment, comprehensive training, and the independence of the GRC function. Navigate the world of GRC effortlessly with insightful guidance.”

Governance, Risk and Compliance (GRC) is the backbone of every organisation, small or large. The objective of GRC is to ensure that all organisational capabilities are working, and that effort is being directed towards the achievement of the Company's strategic goals. In short, it keeps the organisation on the right track rather than drifting. Let us see how it works.

There are three components of GRC – Governance, Risk and Compliance.

Governance is about setting the plans, policies and procedures required for the achievement of the strategic goals of the Company.

Risk Management is about identifying the uncertainties that may arise during the course of working towards the strategic goals of the Company, and mitigating their impact.

Compliance is adherence to regulatory obligations, voluntary obligations and the set of rules, policies and procedures (governance standards) that keep all organisational capabilities working together as per the strategy. Compliance is not just ticking boxes yes or no; it means working ethically and responsibly.

In order to better understand how GRC works, let us look at the following flow: –

Organisation → Mission/ Vision → Strategy → Resources → Plans

Plans → Risk Management → Governance/ Internal Control Tools → Compliance → Audit/ Assurances

Organisation, Mission, Vision and Strategy

Every organisation has a mission and vision, and in order to reach them, the organisation needs to set its strategy/ goals and then prepare a Work Programme/ Business Plan.

Resources and Planning

In order to execute the Work Programme/ Business Plan, the organisation needs to make the necessary resources available: people, material, machinery and money. The organisation also needs to prepare such other ancillary plans as may be required to execute the Work Programme/ Business Plan, e.g. Resource Mobilisation Plan, Resource Allocation Plan, Procurement Plan, Financial Plan, Quality Control Plan, Production Plan, Closeout Plan and many more.

Governance, Risk & Compliance (GRC)

Risk Management

During the course of execution, the organisation may encounter various uncertainties. These must be identified and analysed in advance, and appropriate mitigation measures (Plan A) developed and implemented to reduce their impact should they occur. In addition, the organisation should have a Contingency Plan (Plan B), such as contingency reserves, performance bonds and insurance, to limit the damage should a risk materialise.

Governance and Internal Control

Every organisation has certain values, and to uphold them it needs to have in place various governance policies and internal control tools, e.g.

  • Standard Operating Procedures (SOP)
  • Segregation of Duties (SOD)/ Workflows/Delegation of Authority (DOA)
  • Documentation/ Record Keeping Plan/ Procedure
  • Access Control Policy – Physical & IT
  • Recruitment Policy
  • Code of Conduct & Business Ethics
  • Data Privacy Policy
  • POSH Policy
  • Code of Conduct for Prevention of Insider Trading
  • Policy on Related Party Transaction/Conflict of Interest
  • Gift & Hospitality Policy
  • Code of Fair Competition and Prevention of Unfair Trade Practices
  • ABAC (Anti-Bribery & Anti-Corruption) Policy
  • ESG Policy (HSE Plan & CSR Policy)
  • Whistle Blower Policy

Compliance

Compliance is not only about ticking boxes, yes or no; it means working legally, reliably, ethically and responsibly. To ensure this, the organisation needs a comprehensive compliance programme which covers compliance with:

  • Applicable laws
  • Voluntary commitment (contractual obligations)
  • Codes, Plans, policies and procedures

Audit & Assurances

A fixed frequency must be set for audit by internal auditors (e.g. quarterly) to ensure that the GRC capability discussed above is working reliably towards the achievement of the Company's strategic goals, and to identify gaps in the overall governance system.

What is the Role of GRC professional?

A GRC professional is required to work proactively. The primary responsibility of the GRC professional is to create a risk, governance and compliance culture throughout the organisation and to ensure that governance, risk and compliance are reflected in the strategic decisions of the Company.

Essential Requirements for Implementation of GRC Framework

GRC is owned by the Board/ Governing Body of the organisation; therefore, the primary requirement for implementing GRC is the tone from the top. In the absence of tone from the top, the GRC function will fail. It is the leadership of the organisation that must decide how effectively it wants GRC to function.

Another important requirement for implementing a GRC framework is training from the top to the bottom of the organisation. Every employee must be required to undergo GRC training.

Independence of the GRC function is the most important factor for its success. The GRC department is not necessarily the owner of all the plans, policies, procedures and compliances. GRC work is advisory in nature: it oversees the entire programme and advises people wherever required for effective performance.


Author Bio

A Company Secretary, Law Graduate, Governance, Risk & Compliance (GRC) professional having more than 15 years of experience in company secretarial, legal, contracts, compliance, governance, ethics and risk management. View Full Profile


3 Comments

  1. JustaDreamer says:

    Sir, I’ve read a lot about the role of a CS in risk management fields now.

    Can a CS become a GRC and use this knowledge in the stock market?

  2. SURESH KUMAR says:

    Sir, I am a Company Secretary by profession and very much interested in GRC, but don't know how to get certifications and practical training. Can you guide me on it? It will be very helpful for me to build a new career.

    1. Abhay Sharma says:

      Satish,
      You can pursue a GRC certification course from OCEG (Open Compliance & Ethics Group), which is the premier global institution for GRC certification. Additionally, ISACA also provides equivalent certification programs like CRISC, CGEIT, etc. However, they are mainly focused on IT GRC. The Institute of Internal Auditors also provides a program called CRMA.
