From the beginning, OCEG defined GRC as "...the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity."
Within these capabilities are people who come from several disciplines/professions and who have specific skills that address at least one dimension of GRC. We call these disciplines the "Critical Six" and use the acronym GRACE-IT to remember them:
- Governance & Strategy. This discipline includes skills to set, vet and implement strategy both directly (the role of management) and indirectly (the role of the governing body).
- Risk & Performance. This discipline includes skills to set objectives and address the threats/opportunities using various management actions to achieve the right balance of risk/reward.
- Audit & Assurance. This discipline includes skills to identify the most important areas (or mandated areas) to review or audit so that management, the board or outside stakeholders have objective information about how the business is running.
- Compliance & Quality. This discipline includes skills to identify requirements (either external mandates, customer mandates or internal policies) and implement solutions to address those requirements.
- Ethics & Culture. This discipline includes skills to address the "soft" side of human capital as we influence and persuade the workforce to focus on the right things at the right time and in the right way.
- IT / Information Technology. This discipline includes skills to address the "two sides of the IT/GRC coin." The first side is how IT enables the other GRC capabilities, in the same way that IT enables capabilities like "customer service." In other words, the first side of the coin is the way IT implements technology solutions to track risks, controls and audits of any kind. The other side of the coin is how IT addresses its own "GRC domains," such as information security, privacy and so on.
It is important that you integrate these skills into your team -- and even into your own career.
For example, if you are a Risk Professional, make sure that you develop skills in governance & strategy; and in compliance & quality so that you can be more effective at what you do. If you are a Compliance Professional, make sure that you develop skills in risk & performance; audit & assurance; and governance & strategy; etc.
You get the idea...
By doing this you maximize the value that your team, and that you personally contribute to your organization.
You can learn more about how GRC helps the "Critical Six" disciplines, and we will write more about this over the next few weeks. Let me know if you have questions by starting a conversation in the lower right corner of the site (the "?" button).