If you’re in the IT or financial business, chances are that you hear the acronym GRC being bandied about all the time. GRC (Governance, Risk and Compliance) is still a somewhat amorphous concept, and there’s no unanimity as to what exactly GRC is.
You can, however, go past the jargon-filled world of GRC to the essence of the concept. Governance simply refers to management control of the entire process, including the organization’s effective execution of its risk-related management strategies. The risk in GRC covers several types of risk: financial risk, technological and security risk, legal risk, and the risk of running afoul of compliance regulations. As you can surmise, all these types of risk are interlinked – a database security risk, for example, eventually becomes financial exposure and vulnerability. However, most practitioners treat compliance-related risk as the main focus of GRC implementation efforts. The compliance angle in GRC refers to conforming to applicable regulations such as Sarbanes-Oxley and PCI DSS. Compliance covers the whole gamut, from identifying the requirements that apply to you, through assessing your current compliance status, to adopting strategies that ensure quick (and cost-effective) compliance with the regulations so as to avoid fines and legal exposure.
Regardless of one’s conception of what exactly GRC is, we can all agree on the following simple goal-based definition of GRC: a set of policies and tools that minimize risk by safeguarding customer and enterprise data, preventing fraudulent and unauthorized use of your systems, reducing your reporting time, and creating solid audit trails – in other words, proactive and prudent management of data and systems.