with Michael Rasmussen, internationally recognized pundit on governance, risk management, and compliance (GRC)
The acronym “GRC” was first used by Michael Rasmussen in February 2002.
The common definition is that GRC is a capability to reliably achieve key objectives.
But regardless of how GRC is defined in a company, there is no company that says, "we don't govern the organization, we don't care about risk and we don't comply with regulations". Every organization has some approach to GRC, whether they call it GRC, ERM, or whatever it might be. This approach can be fragmented and broken, or it can be very defined and agile. When people talk about GRC, they often talk about technology such as GRC platforms. But at the end of the day, governance, risk and compliance are actions of the organization. Technology has the duty to make them more efficient and agile.
So GRC is a capability to reliably achieve key objectives while addressing uncertainty and acting with integrity. That's the official definition. Building an innovative GRC strategy means that these overall processes should become more efficient, effective and agile. Regulations are changing, risks are changing and the business itself is changing too. GRC processes and technology should help organizations become more agile.
Technology for GRC has been used for ages. Papers and emails are forms of technology. But there are also platforms that help make GRC more efficient, effective and agile in the organization. There are 5 stages of GRC technology:
Organizations are dealing with a lot of regulatory change, especially in the financial sector. That could be a new law or regulation, a changed law or regulation, or an enforcement action of a proposal making. There is also a changing risk environment. The stock market can go up and down. There are economic risks, political risks, and global crises like COVID-19. There is also the challenge of the changing business, employees and processes. It is important to keep all of these in sync: legal and regulatory changes, risk changes and business changes.
Another big challenge is developing an architecture and strategy that helps companies manage change in the business. It is important to see the interconnected nature of risk. The major problems of our time are interconnected and interdependent. Michael Rasmussen wrote a blog post a few months ago about the fact that COVID-19 hit us. In this context there are impacts on other risks. IT security risks are increasing, particularly from the work-from-home environment. There are risks in terms of the economic tensions in the world. Human rights risks and slavery risks are rising due to the COVID-19 pandemic. Risk cannot be managed in isolation. Many companies' enterprise risk management strategies are out of sync. They are dominated by IT risk and don't pay much attention to environmental, health and safety risks, which are some of the most significant risks.
This is the end of the first part of the podcast with Michael Rasmussen. The second part will appear in the coming weeks!
The first episode of the avedos GRC podcast started in February 2019. This series is all about the topics of integrated GRC, enterprise risk management, internal control system and information security management. Meanwhile, 9 episodes are already available and can also be streamed via various well-known platforms such as Soundcloud, Spotify and Apple Podcast.