Over the past few years, we’ve all been hearing a lot about “GRC”, or “Governance, Risk and Compliance”. Products are marketed as GRC Solutions and organizations are advised to implement strong GRC programs. GRC seems to be all the rage lately. But what is GRC?
First let me state for the record that I do not consider myself an expert in anything. I am not an industry analyst or a compliance consultant. However, as a policyIQ Product Director what I AM is a person who has spent a large amount of time listening to clients talk about the challenges in their organizations. I’ve helped countless organizations use technology (specifically policyIQ) to better manage their documentation – from policies and procedures to Sarbanes-Oxley compliance to account reconciliation tracking.
In my experience, it is all related to GRC.
What are the components of GRC?
Let’s talk for a moment about each of the components of GRC individually.
Governance is all about how your organization is driven to be an ethical and responsible company (or not) – established first and foremost by the “tone at the top”, and formally documented in your corporate policies and procedures. Legal regulations certainly play a part in how the organization defines “ethical”, but every organization has its own culture, which can be partly defined by the policies put in place to govern it.
Risk Management is just that – identifying and managing the risks to the organization's success. Risk management isn't only about defining the risks, though; it also means determining the organization's appetite for risk. Will we shy away from risky ventures or seek out high-payoff / high-risk opportunities? Risk Management is about making good decisions based on the risk appetite of the corporation.
Compliance means making sure that, at the end of the day, your employees are actually following the guidelines that have been established. This might mean regulatory or legal compliance – such as Sarbanes-Oxley or the Payment Card Industry Data Security Standard (PCI DSS). It also means compliance with your own corporate policies – such as an internal Code of Conduct that dictates appropriate workplace behavior.
Does all of this sound familiar? Of course. Every organization is doing some degree of GRC management. The question is – are you doing it well and efficiently?
So is policyIQ a GRC solution?
policyIQ is a solution for GRC – policyIQ is not a GRC-specific solution. Clear as mud? Here is another answer: most of our clients are using policyIQ to manage their Governance, Risk and Compliance initiatives, but policyIQ wasn’t designed any more as a solution for GRC than it was designed as a solution for SOX, or policies and procedures, or internal audit workpapers, or contract management, or any number of other uses for which our clients are successfully leveraging policyIQ. In an industry analyst’s list of GRC vendors we might not be listed; that is their loss, considering the number of companies successfully using policyIQ for those needs.
Take advantage of ALL that policyIQ has to offer
Earlier I said that the question really is whether or not you are managing your GRC program well and efficiently. Whether you are doing it well is a question for another time. Whether you are doing it efficiently… well, that’s something that I might be able to help you with.
If you are already using policyIQ for some aspect of your GRC program, such as Corporate Policies or Sarbanes-Oxley compliance, why not expand your usage to encompass more? For example:
- Document regulations that apply to your organization and link those to the Policies that you have in place to meet those regulations. (Better yet, use Web Link objects where possible to link to the information on the regulatory website, so that the most current text is always accessible!) When updating a policy, you will be reminded to review the regulation to confirm that your changes are still in line with the regulation. Reporting on those linked relationships will highlight any regulations that might not have related policies documented.
- Build out policyIQ to encompass more areas of compliance management. If you are a retail organization using policyIQ for SOX, have you considered adding PCI DSS compliance to the application? Some controls may overlap – and by documenting everything in one place, you can identify those overlaps and streamline your testing, so that one test result can serve as evidence for both requirements where the control really is the same.
- If you are using policyIQ to manage your policies, are you utilizing Forms to capture the annual sign-offs from employees confirming their ongoing compliance with those policies? If you aren’t yet managing your policies and procedures in policyIQ, consider the version control and compliance capabilities that the tool offers.
- Implement policyIQ to track your ERM program. Last month we presented a live training session (now available as a recording) that outlined how policyIQ can be used not only to capture your Risks and Capabilities as an ERM documentation repository, but how you can create a fully interactive and sustainable assessment tool for both Risks and Capabilities by using policyIQ forms.
Want to talk more about how policyIQ can add efficiencies in your organization and pull together your Governance, Risk and Compliance initiatives? Call your account manager or email our support team and we’d be happy to give you some ideas.