Governance, Risk Management, and Compliance (GRC)
Government organizations, industry agencies, and internal compliance departments have enacted many rules and regulations to compel desirable, ethical, and safe behaviors in financial, environmental, information and data security, employee relations, and other business practices. In the early 1990s, one of the pioneers of information security management, Edward Humphreys, identified and led a shift to turn compliance from an isolated IT-based responsibility to one driven by people, processes, and information.
Along with compliance, governance and risk management comprise the field known as GRC. Like Edward Humphrey’s work in information security management, GRC calls for "the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity." GRC is not a new discipline, but a paper published by Scott L. Mitchell in 2007 sparked an entire industry of GRC software and services.
According to Mitchell, the business units that must collaborate with information technology to drive principled performance include auditing teams, human resources, finance, and C-suite management. The units must work together to address and mitigate business uncertainties.
The specific focus of governance, risk, and compliance are as follows:
The governance process sets and provides mechanisms to achieve corporate goals.
Risk management tests for tolerance of business uncertainties, identifies where risks are found, and ranks them for severity.
Compliance personnel then develop the policies and procedures to reduce the impact of risks internally and in the regulatory environment outside the company.
What Is Compliance Management?
Compliance management, often called compliance risk management, is the management and adherence to the laws, regulations, standards, policies, and codes of conduct that apply to an organization. Many industry-specific regulations drive the core functions in healthcare, manufacturing, and finance. In fact, the Office of the Comptroller of the Currency (OCC) delivers a booklet, Compliance Management Systems, to guide OCC examiners inspecting national banks, federal savings associations, and federal banks for consumer compliance risk management.
Some compliance regulations are not industry-specific, such as those for employee safety, leave, and minimum wage. Compliance mandates often weave through many different business units, and they have unique guidelines and requirements.
Compliance management departments in large corporations set internal policies that keep the organization in line with the rules and guidelines set by outside regulations, laws, or industry standards. To do this effectively, compliance teams identify, manage, and monitor activities to reduce the risks associated with noncompliance. Due diligence in corporate compliance management may take the form of tackling large regulatory hurdles that can take years to achieve, such as clearance from the Food and Drug Administration (FDA). They can also be single issue-oriented, such as a home appraisal report associated with financial regulations.
Compliance is an ongoing initiative that responds to the changing regulatory environment, business growth, geographical reach, or newly enacted laws. Compliance management often follows mandates that are both voluntary standards and federal or global regulations, such as the following:
The International Standards Organization (ISO): Based in Switzerland, the ISO sets guidelines for quality standards in numerous industries, including manufacturing, healthcare, and transportation. The guidelines are not mandated by law, but are expected industry practice. External audits, conducted by third-party auditors, must take place on a regular basis in order for organizations to remain ISO compliant.
Committee of Sponsoring Organizations of the Treadway Commission (COSO): This organization provides a framework and process to enact internal financial controls for the prevention of fraudulent activities, such as bribery and campaign finance law violations.
The Federal Energy Regulatory Commission (FERC): This government agency sets standards under the Federal Power Act with a goal to protect critical infrastructures. All bulk power system owners, operators, and users must comply with approved reliability standards. Participants are required to register with NERC through the appropriate regional entity.
The Occupational Safety and Health Administration (OSHA): This federal agency was developed under the OSH Act of 1970 and is part of the U.S. Department of Labor. OSHA sets and enforces standards that require employers to provide a safe and hazard-free work environment.
The Food and Drug Administration (FDA): The FDA is a part of the U.S. Health and Human Services Department. It is responsible for protecting public health through regulations, enactments, and enforcement on drugs, medical devices, and biological products. FDA regulations also cover cosmetics and veterinary items.
Health Information Portability and Accountability Act (HIPAA): This law regulates, enforces, and administers fines when parties violate the use, storage, and transmittal of protected health and patient information.
The Importance of Compliance Management
Even today, there is a disconnect for some between the costs of maintaining compliance versus the associated costs of noncompliance. Some organizations allocate a part of their overall compliance budget to paying fines rather than spending on tightening or strengthening compliance management activities. This plan may have worked in an earlier time, but as stakeholder expectations increase and the public becomes more aware of information breaches and unethical behavior, consequences for noncompliance go far beyond financial reparation.
In May 2017, the final judgment against the Walmart Photo Center breach cost the company hundreds of millions of dollars — as well as its reputation and possible future business. The plaintiff’s claim cited that the company exhibited “reprehensible conduct.” The final judgment agreed and identified failed customer protections, such as inadequate data encryption and faulty firewall protections.
Authorities also found that Walmart failed to heed and act upon numerous warnings of a system breakdown. In this case, as in many others, the costs of noncompliance included both tangible payouts for damages and the intangible losses from a damaged reputation.
Additional compliance risks include the following:
Environment: Damage to the environment as a result of organization’s activities
Workplace Safety: Accidents or injuries in the workplace
Cybersafety: Vulnerabilities within organization infrastructure
The Difference Between Compliance and Risk Management
Risk management is the process of identifying vulnerabilities and risk. These risks may be determined or predicted based upon industry or regulatory expectations. Risk management also notes the level of risk severity. Neil A. Doherty discusses integrated risk management in the insurance and financial fields in his book Integrated Risk Management: Techniques and Strategies for Managing Corporate Risk.
Compliance management then takes the findings of risk management and sets the policies and protections needed to control, mitigate, and monitor these risks. Risk severity factors into the choice and reach of the controls that compliance management puts into place. Higher-risk areas may demand more stringent policies and procedures for compliance.
What Is the Role of a Compliance Manager?
A compliance manager is tasked with administering the proper enactment of policies, procedures, monitoring, and reporting that meets business needs for compliance. The compliance manager works across departments to fulfill compliance functions and obligations that meet current regulations, industry guidelines, and global reach.
However, the main function of a compliance manager (often called a compliance officer) is to manage behavior. Ethical, safe, or responsible behavior is the motivation for many regulations and guidelines. The compliance manager sets the tone that compels desired behaviors through policies, plans of action, communication, and reporting. Therefore, it takes both a strong, independent administrative leader and a good communicator to fulfill the role. Compliance managers usually report to upper or C-suite management to ensure business goals are both set and met in an industry-appropriate compliant environment.
What Is the Role of a Risk Management Team?
A risk management team is responsible for setting up and monitoring a risk management plan. The team is usually made up of participants from many areas or business units to represent a wide variety of regulatory risk scenarios. Managers are often called upon to serve on risk management teams because they have a broader view of the business compared to rank-and-file employees.
The team is usually led by a full-time risk manager who sets timetables and schedules meetings. The team reviews internal and external audits. They also amend and recommend policy, as well as help identify new areas of vulnerabilities. Teams typically meet on a regular schedule but are available to respond to emerging risks as needed.
In many organizations, the risk management team is involved in strategic planning. They analyze the risk of new and existing initiatives, as well as advise on risks that may be exposed due to new strategies.
Authorities enact most regulations and laws, as well as voluntary industry standards, to enforce ethical behaviors. These compliance risks are also known as integrity risks. Organizations that don’t plan for these risks can see business loss through penalties, lower revenue, or damaged reputation. In certain instances or greater severity, noncompliance can also shut down a business.
Compliance risk is found throughout an organization, even those areas outside of the core business functions. These areas include workplace health and safety, environmental protections, and ethical financial reporting and practices. Compliance risk management sets the policies, processes, monitoring, and reporting that is used to compel desired behaviors, and when necessary, prove the organization is in compliance.
Governing bodies usually enact risk and compliance regulations when they uncover abuse, such as in the aftermath of the Enron and WorldCom collapses in the early 2000s. The U.S. Congress enacted the Sarbanes Oxley Act of 2002 (SOX) to regulate the accounting practices of publicly traded organizations and protect both investors and employees. These regulations enforce ethical behavior and foster accountability practices that eliminate conflicts of interest. Penalties for SOX noncompliance are stiff and include hefty fines and jail time for C-suite executives.
How to Evaluate Compliance and Risk
All companies and organizations deal with some level of risk. Since no two companies face the same risks, they must perform an assessment to identify risks and rank their severity. During an assessment, companies rank risks based on likelihood of occurrence and level of potential damage. This ranking also allows organizations to enact appropriate policies, monitoring, and mitigation procedures.
Like all compliance functions, risk evaluation is ongoing as companies identify new hazards and enact regulations. When they identify risks, organizations should also evaluate the legal, financial, business, and reputation impacts posed by the risk.
How to Mitigate Risk
In order to mitigate risk, you must first identify it. This generally takes a top-down commitment from board-level management. Leadership, along with the risk management team, places a priority on the personnel and tools needed for risk management. Mitigation begins with a risk assessment against industry-mandated or voluntary compliance standards. It is up to the risk management team to communicate risks and their severity with compliance management. Compliance then sets procedures, monitors, and reports findings against compliance goals.
In his article “Relationship Marketing Can Mitigate Product and Service Failures,” Randi Priluck, Assistant Professor of Marketing at Pace University, discusses how “consumers engaged in relational exchanges are more satisfied than those in discrete transactions.” This suggests that building a high-quality relationship with customers and taking their feedback and complaints seriously can help mitigate future risk when something goes wrong.
New risks are a common occurrence as cyberthreats, laws, or industry practices rapidly evolve. Mitigating risk is about staying ahead of threats with a commitment to risk management, a mitigation plan, and fluid response procedures. Below you will find best practices for risk mitigation:
Prioritize areas of high risk.
Create and act upon regulatory alerts and updates.
Rank the business, legal, financial, and reputational impacts of each risk.
Enforce regulations, but remain flexible when necessary.
Gain top-down commitment to compliance management.
Conduct risk assessments.
Evaluate the risk and compliance management practices of similar organizations.
Employ external compliance consultants.
Provide compliance training for all employees.
Define compliance management roles and responsibilities.
Address noncompliance quickly.
Implement compliance reporting and tracking.
Conduct compliance audits.
Maintain constant communication with all stakeholders regarding compliance.
What Is a Compliance (Risk) Management Framework?
Many organizations, either by mandate or industry best practice, turn to frameworks for compliance and risk management guidance. A framework is a guideline for processes that meet legal or voluntary regulations. For example, the Payment Card Industry Data Security Standard (PCI DSS) is a framework for the protection of financial information. It is a voluntary guideline that is common practice for any organization that accepts credit card payments.
The Federal Energy Regulatory Commission (FERC) mandates another guideline that is administered and delivered by the North American Energy Regulatory Commission (NERC). This framework provides guidance on practices for those buying, selling, and transmitting power.
Finally, another framework that allows global access to markets is found through the International Standards Organization (ISO). It provides industry-specific frameworks for compliance in global quality management. Today, there are frameworks that apply to all industries, across a variety of voluntary, industry-specific, and government-related regulations.
Benefits of Compliance Management
Compliance management, combined with risk management, identifies potential hazards to a company or business functions before risks become reality. By instituting compliance management, you enable your organization to address regulatory compliance mechanisms and reporting proactively. When you anticipate the severity or likelihood of harm, you allow for a proactive rather than reactive approach.
The benefits of compliance management include the following:
Identify issues before they become a problem.
Identify training areas.
Improve collaboration with cross-departmental workflows and processes.
Improve and maintain reputation.
Improve decision making and business performance.
Prepare for compliance audits.
Prevent and detect risks and violations.
Compliance management practices coupled with software solutions can also result in better reporting, identification, and mitigation of problems.
Challenges of Compliance Management
Many challenges come with maintaining compliance:
Laws and regulations, as well as internal policies, can change rapidly.
A compliance system takes manpower, resources, training, and leadership to be effective.
Proving compliance with the thousands of records, documents, systems, and processes can be difficult and time-consuming.
Compliance management is a never-ending process, and as regulations grow in complexity, more personnel and resources are needed.
Compliance is expensive, but as many organizations have experienced, the costs of ignoring regulations and noncompliance can be far greater.
What Is a Compliance Management System (CMS)?
Compliance management systems are usually top-down initiatives that are overseen by upper management and a board of directors. They are made up of documentation, roles and responsibilities, processes, and tools that enable compliance. These may include risk assessments, policy development, enforcement, and corrective action plans. The system ensures that organizations communicate and conduct proper training with all personnel, monitor compliance activities, and make reporting available. The system's audit activities provide measurements against goals to continual improvement.
Governance, Risk Management, and Compliance Solutions
Numerous risk management and compliance solutions are based on industry-specific regulatory compliance requirements. Industries such as finance, healthcare, life sciences, and manufacturing face many compliance obligations across numerous departments, and all demand monitoring, mitigation, and reporting. Many of today’s cloud-based GRC solutions meet governance requirements while identifying and reporting vulnerabilities and risk. These solutions support integrations and provide information that keep teams informed and on task.
GRC software solutions address several common compliance regulations and frameworks:
Model Audit Rule
Foreign Corrupt Practices Act
Bank Secrecy Act
In addition to supporting industry regulations, one of the most important functions of compliance management software is the ability to aggregate legal, industry-specific, and administrative regulations and guidelines into a single solution.
Consider the following functionality when searching for a compliance management software solution:
Ability to aggregate legal, regulatory, and administrative standards and guidelines into a single solution
Ability to configure
Policy approval management
Regulatory audit management
Compliance and risk assessment management
Road map creation
E-learning, training and development management
Compliance process design
Issue management, including incident management
Reporting and metrics
Benefits of Compliance Management Software Solutions
Once implemented, a compliance management solution provides many benefits to an organization, including the following:
Real-time reporting and intelligence for better decision making
Transparent information sharing for stakeholders (issues, ratings, and activity)
Activity and workflow automation
Increased compliance management efficiency
Ability to facilitate intelligent and information-driven discussions
What Is Compliance Management in HR?
Dozens of laws apply to employment practices. An HR department is often responsible for meeting and proving compliance in areas of paid leave, re-employment, health benefits, employee information, and financial disclosure.
What Is Risk-Based Compliance?
Risk-based compliance ranks risk against severity and likelihood when developing tools, policies, and procedures that define appropriate compliance activities.
What Is Authority Compliance Management?
Authority compliance places an emphasis on tasks and job requirements. Compliance personnel are viewed as necessary tools for compliance.
What Is Statutory Compliance Management?
Statutory compliance management provides the legal foundation and framework to ensure the ethical treatment of employees with regard to statutory issues such as minimum wage, paternity leave, gratuities, and Social Security.
What Is Regulatory Compliance Management?
Regulatory compliance management provides guidelines, policies, and activities to follow regulations and prove compliance of applicable laws and statutes.
What Is Security Compliance Management?
Security compliance management focuses on processes, technology, and procedures that protect information and data from loss, theft, or breach.
What Is Risk Compliance Management?
Risk compliance management first identifies and assesses the risks, then develops the policies, procedures, and internal enforcement to meet compliance goals.
What Is Asset Management Compliance?
Asset management compliance is used by investment management firms. It outlines the policies and processes to protect investors, financial stability, and reputation of the investment firm.
Frequently Asked Questions
Does your industry require continuity planning?
Companies use continuity planning to prevent or recover from threats such as disruption to supply chains, damage to infrastructure, or other disasters. Critical infrastructures are required to have business continuity plans in place.
Does the IT department factor into compliance requirements?
IT departments are a key component of many compliance activities, including protection of data and sensitive information. IT also supports non-IT-related software or hardware solutions to monitor, report, or mitigate compliance issues.
Why choose compliance management?
The concept of compliance is to ensure an organization acts legally and in a responsible manner. Compliance management will help an organization avoid costly fines, legal ramifications, and reputational impacts of non-compliance.
Why is compliance management crucial to your business?
Compliance management will help an organization identify and avoid violations of laws, regulations, standards, and other industry mandates that can result in costly fines, legal consequences, and reputation damage.
How much risk management functionality do you need?
Risk management functionality is industry and organization-specific. This article provides a software functionality checklist to help guide your decision.
Improve Compliance Management with Real-Time Work Management in Smartsheet
Compliance is about more than following the rules. It can also help your organization avoid fines, legal action, and reputation damage — all of which can take their toll on the bottom line. To succeed in compliance management, a number of teams across your organization must work together. They will need a powerful organizational tool that sets out their goals and regulatory needs. Smartsheet is such a tool.
Smartsheet is an enterprise work execution platform that is fundamentally changing the way businesses and teams work. Over 74,000 brands and millions of information workers trust Smartsheet to help them accelerate business execution and address the volume and velocity of today's collaborative work.
The familiar Smartsheet interface that is designed for how people actually work leads to rapid and broad adoption across your organization. Use self-service reports and dashboards in Smartsheet to provide real-time visibility into resources, status, and performance, so you can rapidly align operations with strategy.
Discover why millions of professionals around the world use Smartsheet to move from idea to impact fast.