What is GRC and how does GRC impact Operational Risk?

GRC, short for Governance, Risk and Compliance, describes the strategy, processes, procedures, policies, and controls that businesses and organizations build to manage operational risk and to guide employees toward shared business goals and objectives.

We talked with Michael Rasmussen, known as the Father of GRC since he coined the acronym in 2002, to explore why GRC matters for businesses and how organizations can reduce operational risk with strong policies and procedures.

How do you define GRC?

The OCEG GRC Capability Model is the only publicly vetted standard, and it defines GRC as the capability to reliably achieve objectives [governance], address uncertainty [risk management], and act with integrity [compliance]. Broken down, Rasmussen explains GRC as follows.

“GRC is a capability to reliably achieve objectives. That’s the governance piece: setting objectives, whether they’re overall entity level objectives, division level objectives, or department, process, project, or even asset level objectives. In this context of objectives, organizations need to address and manage uncertainty. That’s risk management. This all then filters down to the organization’s capability to act with integrity, to meet its commitments, values, ethics, and obligations.”

Why are compliance and risk control an important focus of modern business?

Today’s world is an interconnected risk environment. “We need to understand, as we achieve objectives, that we’re managing the uncertainty and exposure we face, but also the integrity of the organization. Fritjof Capra, the physicist, said that the more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation; they’re interconnected and interdependent. He’s talking about biological ecosystems in that quote, but it applies to business today. Our risks and our issues are interconnected and interdependent.”

“2020 is a great example with COVID-19. What starts as a health and safety risk has had downstream risk impacts of security risk in the work from home office to greater risks of fraud because employees are under constraints and concerned about their financial wellbeing, and increased risk of bribery and corruption.”

What financial risks arise when employees are more concerned about their financial wellbeing?

“Employees that normally wouldn’t commit fraud are more likely to commit fraud. There’s increased risk of bribery and corruption. The supply chain has slowed down, import and export have slowed down along with customs, and there are limited contracts, so there’s greater risk that somebody might bribe somebody to get a contract or to expedite goods through customs.”

What other risks arise from a work from home environment?

“With COVID-19 we’ve seen even harassment issues in how we work, specifically the move to the work from home environment. People are on Zoom calls and they might be wearing their dress shirt or blouse on the call, but they are wearing their pajama pants underneath the desk.”

“Everyone is much more relaxed because they are not in the corporate conference room, and they are saying things that would cross the lines of harassment and discrimination. What starts off as a health and safety risk due to COVID-19 cascades and intersects with all these other compliance, ethical, and operational risks.”

How do businesses stay ahead of and mitigate risk in real time? 

“Understanding what the risks are, how they are changing and evolving, and knowing how these risks interconnect. As an organization you have to be able to constantly monitor that and have triggers so that if we start to see issues, we might send out reminders to people.”

What are the tools you recommend businesses implement to catch early warning signs?

“Risk assessment technology, good risk monitoring, including issue intake and whistleblowing and case management systems. On the flip side, avoiding risk requires good policy and training programs. I saw a lot of organizations that went into COVID-19 and found out that their policies were a mess.”

What kinds of things can go wrong with messy policies?

“Businesses may not even know what policies they have until they go out and discover them. I know one organization that found it had 20 different policy portals, and policies looked different on different portals. It was a complete mess. Going into the pandemic this hurt the organization as it tried to maintain corporate culture and instill confidence in employees in the midst of crisis and change.”

“If we move to a work from home environment and change home office expense policies and home office IT security policies, as well as remind employees about policies like harassment, discrimination, and conduct in a home office environment, we need employee engagement on policies and related training. You need singular visibility into a portal for policies and training, particularly when we want to strengthen the company culture and brand in a time of crisis.”

How important is a single source of truth for all policies?

“If you have 20 different policy portals in a time of crisis and change, then you have challenges. There is also a risk that any manager might think they’re a little bit smarter than anyone else and they might open up a word processor and write a document and call it a policy.”

“That’s a complete rogue policy in the organization, but if a manager communicates that as a policy, it puts a legal duty of care and exposure upon the organization.”

How do organizations prevent rogue policies from occurring? 

“I’m seeing a lot of organizations crack down and say: if it’s a policy, it will be in this template, and it’ll be in this portal. If you find anything calling itself a policy that isn’t in this template, properly indexed and numbered, and isn’t in this portal, you report it.”

Who is responsible for GRC and policy management? 

“There should be an internal governance team that helps manage the process, but it’s a federated process because there are lots of departments that issue policies. You have corporate compliance and ethics and legal, IT security policies and other IT policies, accounting policies, HR policies, environmental policies, quality policies. It’s really a federated strategy across departments that most often I see led by corporate compliance and ethics, but sometimes it’s HR.”

Is there operational risk involved when there are too many policies? 

“Definitely, but it’s hard to say what the right level of policies is, because that all depends on the company, its culture, its industry, and the size of the organization.”

How should organizations handle policy change due to federal regulations changing? 

“You need to have the right architecture that maps the regulations to the policies. When there is a regulatory change, policies need to be reviewed. My best practice recommendation is that every policy goes through an annual review to make sure it’s still the right policy for the organization, but for some organizations that’s too much and they tier this. In addition to regular reviews there should be triggers in place for regulatory change. Financial services organizations see the most regulatory change. There are about 200 regulatory change events every business day from approximately 1000 regulators in the financial services space around the globe.”

What operational risk is present when a policy is not changed immediately following a change to regulatory requirements? 

“It all depends on the significance of that regulatory change. Is the change minor or major, what penalties are involved, and is the regulation actually being enforced? We can have regulations that are not enforced. Take HIPAA for example, the Health Insurance Portability and Accountability Act that was passed in 1996. I was a consultant in the late nineties, and I was telling hospitals that they had to be HIPAA compliant with the security and privacy requirements, and they laughed at me. It wasn’t until 2006 that healthcare started taking these aspects of HIPAA seriously, and it was because that’s when they started to be enforced and have penalties.”

Does a plan for integrating GRC come from regulations or an internal company need? 

“Both. Policies are governance documents. Policies help us reliably achieve objectives. You have a lot of HR policies, accounting policies, IT policies, manufacturing policies, and quality policies. Some might meet a regulatory expectation, but a lot are there so that we have consistent business processes and outcomes. Policies are also risk documents. We have policies because there’s a risk. There wouldn’t be a policy if there wasn’t a risk, and that risk was significant enough that we had to write down rules in the policy to control it.”

What is the risk when you don’t have a strong GRC plan in place?

“It could impact corporate culture. It can impact values and actions of the organization and cause the organization to go into a lot of different directions it never intended.”

“Having policies that you do not enforce can also harm corporate culture. A strong corporate culture is going to come down to having well-written policies on the values of the organization, but those policies also need to be adhered to and followed when people step outside of bounds.”

Michael Rasmussen is an internationally recognized expert on GRC, with over 27 years of experience helping organizations design and implement GRC architecture. We are honored that Michael was available to share his insights into GRC with us and hope that you found this information as interesting and informative as we did.