Chapter 1: The ABCs of GRC
In This Chapter
Getting to know GRC
Discovering the GRC stakeholders
Understanding GRC by the letters
Deciding on your app
first time, is a common way for a private company to become a public one. But other events such as selling bonds or issuing other forms of debt can also
Smaller companies generally have more issues with segregation of duties for obvious reasons. Segregation of duties requires dividing key steps among emp
organized in spreadsheets or other simple ways, and then used to make sure that the company was complying with all requirements. While this sort of man
GRC stakeholders inside a company
Like every other major trend affecting business, increased attention to GRC concerns is having its effect on the organ
Besides investors, the other important external groups are institutions inside and outside of government that set rules that must be followed. This gro
Governance
Governance is a general term. The way that a board of directors works with a CEO is a form of governance, for example. The governance in GRC
Figure 1-2 shows the way that the three core activities of governance, risk management, and compliance interact. Figure 1-2 shows GRC from the top down.
detail. In preschool, you may have learned letters by remembering that A is for apple: The same approach can be taken with GRC. We take the bottom up ap
Although stopping people from bad behavior is a great idea, preventative controls are too blunt an instrument to enforce complex policies that may prohi
which can drive up auditing and personnel costs (and the cost of doing business). Replacing manual controls with automated controls is one way to all
Some parts of the domain of GRC — measures to prevent financial fraud, for example — are as old as business itself. Making sure that money isn’t leakin
Financial compliance
Financial compliance these days is dominated by the regulations that have been introduced by Sarbanes-Oxley. Section 302 of the law
What goods qualify under trade agreements? How must goods be labeled? What information is required to clear customs? Is a license required? Is a
not explicitly stated in the guidelines, what is required to meet them is, in fact, basically a systematic approach to managing and monitoring risks.
Kidnapping
Terrorism
For example, if a key supplier is going to be taken over by a competitor, the sooner a company knows about it, the better. Or pe
Self-governance means adding policies, procedures, and controls to enforce them to those already imposed by external parties. Self-governance helps crea
Most auditing activity involves examining the transactional record of a company that is kept in various sorts of audit trails that record corporate a
In 2004, companies went through the sprint phase. Risks were identified and managed with appropriate controls. Roles and user access were cleaned up.
As companies grow in their maturity, they cut costs for compliance and auditing, increase the scope of activities that are monitored by GRC processes
Integrated GRC systems not only have a system for managing access control but they also have rules that take into account the thousands of specific tran
Systematic application of a GRC solution leads to a process that constantly deepens management’s understanding of what is going on in a business and inc
Because it is concerned with creating a sustained stream of high-quality information about a business, GRC has a large overlap with Corporate Perform
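The two kinds of segregation-of-duties (SoD) check described in this chapter, the preventative one at role-design time and the detective one over the roles actually assigned to each user, can be written as a small rule engine. The following is an added example, not code from the book or from any GRC product; the role names, transaction codes, users, rules and the compensating-control entry are all constructed for illustration. The point it shows that the text does not is that a conflict can arise from the combination of individually clean roles (the user "bob" below), and that a documented mitigating control is recorded against the conflict rather than hiding it.

```python
"""Segregation-of-duties checks over role/transaction and user/role assignments."""
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Constructed sample data: which transaction codes each role grants (hypothetical names).
ROLE_TRANSACTIONS = {
    "AP_CLERK":    {"CREATE_VENDOR", "ENTER_INVOICE"},
    "AP_MANAGER":  {"APPROVE_INVOICE"},
    "PAYMENT_RUN": {"RELEASE_PAYMENT"},
    "PURCHASER":   {"CREATE_PO"},
    "SUPER_AP":    {"ENTER_INVOICE", "APPROVE_INVOICE"},   # badly designed: both sides of SOD-002
}

# Constructed SoD rules: two groups of transactions one person must not be able to run together.
SOD_RULES = [
    ("SOD-001", "vendor master maintenance vs. payment release", {"CREATE_VENDOR"}, {"RELEASE_PAYMENT"}),
    ("SOD-002", "invoice entry vs. invoice approval", {"ENTER_INVOICE"}, {"APPROVE_INVOICE"}),
    ("SOD-003", "purchase order creation vs. invoice entry", {"CREATE_PO"}, {"ENTER_INVOICE"}),
]

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob":   {"AP_CLERK", "PAYMENT_RUN"},     # each role is clean; the combination is not
    "carol": {"AP_MANAGER"},
    "dave":  {"PURCHASER", "AP_CLERK"},
    "erin":  {"SUPER_AP"},
}

# Constructed register of accepted conflicts with their compensating (mitigating) control.
MITIGATIONS = {("dave", "SOD-003"): "monthly three-way-match review by the controller"}


@dataclass(frozen=True)
class Conflict:
    user: str
    rule_id: str
    tx_a: str
    via_a: tuple          # roles that grant tx_a
    tx_b: str
    via_b: tuple          # roles that grant tx_b
    mitigation: Optional[str] = None


def conflicting_roles(role_transactions, rules):
    """Preventative check at role-design time: roles that bundle both sides of a rule."""
    bad = []
    for role, txs in sorted(role_transactions.items()):
        for rule_id, _desc, side_a, side_b in rules:
            if txs & side_a and txs & side_b:
                bad.append((role, rule_id))
    return bad


def effective_transactions(user, user_roles, role_transactions):
    """Map every transaction the user can run to the set of roles granting it."""
    grants = {}
    for role in user_roles.get(user, ()):
        for tx in role_transactions.get(role, ()):
            grants.setdefault(tx, set()).add(role)
    return grants


def find_conflicts(user_roles, role_transactions, rules, mitigations=None):
    """Detective check per user: conflicts that arise from the full set of assigned roles."""
    mitigations = mitigations or {}
    found = []
    for user in sorted(user_roles):
        grants = effective_transactions(user, user_roles, role_transactions)
        held = set(grants)
        for rule_id, _desc, side_a, side_b in rules:
            for tx_a, tx_b in product(sorted(side_a & held), sorted(side_b & held)):
                found.append(Conflict(user, rule_id,
                                      tx_a, tuple(sorted(grants[tx_a])),
                                      tx_b, tuple(sorted(grants[tx_b])),
                                      mitigations.get((user, rule_id))))
    return found


def unmitigated(conflicts):
    """Conflicts with no compensating control on record: these need remediation."""
    return [c for c in conflicts if c.mitigation is None]


if __name__ == "__main__":
    for role, rule in conflicting_roles(ROLE_TRANSACTIONS, SOD_RULES):
        print(f"role design: {role} violates {rule}")
    for c in find_conflicts(USER_ROLES, ROLE_TRANSACTIONS, SOD_RULES, MITIGATIONS):
        status = f"mitigated by: {c.mitigation}" if c.mitigation else "UNMITIGATED"
        print(f"{c.user}: {c.rule_id} {c.tx_a} (via {c.via_a}) + {c.tx_b} (via {c.via_b}) -> {status}")
```

Running the script reports SUPER_AP as a role that violates SOD-002 by construction, bob as an unmitigated SOD-001 conflict created purely by holding two otherwise acceptable roles, dave as a SOD-003 conflict covered by a documented review, and erin as a conflict inherited from the badly designed role. A real system would read the role and assignment tables from the ERP and the rule set from the GRC tool; the logic of resolving roles to transactions and then testing the rule pairs is the same.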
Part I: Governance, Risk, and Compliance Demystified
The third force driving the urgency of GRC is the rising concern about energy consumption and the environment. Instability in the Mideast, scarcity of
One way of thinking of GRC is to compare the process of managing a company to driving a car. When you drive a car, you have a certain set of rules that
policies occur, behavior must be checked and monitored. As people are promoted or job descriptions change, controls must be put in place so that com-
to place their money. If confidence drops too far, all companies, not just those who have engaged in bad behavior, will find it harder and more expensi
tighter regulations for governance and reporting, audit problems can include the lack of adequate controls, improper segregation of duties, insufficien
The rising costs that occur after a failed audit are a powerful motivator for a company to automate its GRC processes so that controls and testing are m