GRC is a popular acronym, and many large corporate entities have multiple Governance, Risk, and Compliance teams spread across different divisions and lines of business, but what is GRC really?
Governance, Risk, and Compliance is a set of capabilities that enable an organization to reliably achieve objectives while addressing uncertainty and acting with integrity. It includes enabling policy, procedure, and technology for good corporate governance, assurance, and management of performance, risk, and compliance. To break it down further:
The shape and form of GRC activities depends on the organization and business environment it operates within. There are heavily regulated industries such as the Financial Services sector, or the Pharmaceutical, Health Care, and Bio-tech sector which may lead to a requirement for specialist Compliance groups within the organization. In other industries, Enterprise Risk or IT Risk functions undertake specific GRC activities.
GRC activities can take place at all levels within an organization. The “three lines of defense” model is widely used:
Across the 3 lines of defense there are many specific and specialist tasks that need to be undertaken:
As can be seen above, GRC is broad and potentially complex space, and there are many specialist tools available, with some of the leading enterprise GRC platforms being IBM OpenPages, MetricStream GRC, SAP GRC, and Thomson Reuters Accelus.
These specialist tools tend to focus on the Regulations, control mapping, risk assessment, and controls elements of GRC and can significantly extend GRC’s abilities. Unfortunately, what these tools don’t do well—or at all—is manage the large volume of documents and emails that can be generated by assessments, testing, issues management, and complaints management.
As AIIM members and Information Management professionals (whether working in information management groups or governance functions such as record management teams) we can help our GRC colleagues with the expertise, processes, and technology to improve their efforts to manage the mass of unstructured information they generate and work with.
By leveraging the concepts of intelligent information management, GRC professionals can provide structure to processes and content repositories in order to improve efficiency and ultimately help our colleagues work smarter, not harder. Our GRC colleagues are subject matter experts in their own fields and may not have a good understanding of what metadata is and how it can help them search for information. Additionally, they may not have a good grasp of how to use Content Services, Enterprise Content Management platforms, or other technologies to store, organize, and retrieve a large number of documents, emails, and other artifacts generated by their governance, risk, and compliance processes.
As an example, in a major Canadian bank, my Knowledge Management team helped a Compliance team that had to review very large numbers of reports on a daily basis. Unfortunately, this meant printing thousands of pages of paper, physically marking up that paper to show their work, signing it, and scanning it in for return to the line of business. We changed this to a PDF based process, with highlighting and comments in the PDF, and gained approval that the process of saving the document into the document management system (DMS) with its “last modified by” and “last modified date” metadata provided a better audit trail than a date and signature on a scanned copy. This very simple set of improvements saved hundreds of hours across a year, made it far easier for Compliance specialists and their line of business colleagues to collaborate on a report when a discrepancy was identified, and saved a considerable amount of money in printing and storage of paper—which also worked towards the bank’s environmental impact goals.
Over the course of your career you may have GRC colleagues be proactive in reaching out to seek help; or, you may simply be presented with opportunities to educate and assist them as the need arises. As always, we should seek to understand their business problems and pain points in order to bring our expertise in intelligent information management to help them improve their situation.
How is your team currently working with the GRC colleagues without your organization? We’d love to hear your feedback! Email Brit Nowacki to share your thoughts.
"Great company, great products, great leadership, great people, great culture!"
"I love my team and peers. We are family, and we respect each other."
"NetDocuments encourages a good work/family balance."
"I feel respected and valued by leadership and my team."
"We work together and support/encourage each other to do our best work every day."
"From start to finish, my leaders are willing to guide me and let me try new things. This keeps work fresh, exciting, and fun so I don't burn out or get bored."
"I have clear direction in my work tasks and priorities. I also feel encouraged to put my family first and maintain a healthy work life balance."
"I work with highly motivated individuals who are smart and allow me to learn from them!"
"NetDocuments is committed to exceeding customer expectations by building leading products hosted in rock-solid environments."
"I'm empowered to try new things and think through processes and campaigns strategically. I can lean on my boss for support, but I'm not micromanaged, which is appreciated."