GRC (governance, risk and compliance) functions are necessary within enterprises, but businesses tend to structure and run them differently. For example, GRC may operate as three separate, siloed functions in some companies. Other companies have a single GRC function staffed with GRC specialists, if not GRC-certified professionals.
Even when GRC operates as a combined organization, cyber security, which is another risk function, tends to operate separately. One reason is that GRC functions are viewed as business functions, while cyber security is viewed as more of an IT (technology-oriented) function. However, as any cyber security incident demonstrates, the fallout from a risk event tends to affect more than one function simultaneously.
Governance is often thought of as synonymous with data governance, but corporate governance has a higher-level responsibility. Corporate governance balances the interests of various stakeholders and helps the company realize its strategic objectives through frameworks, rules, practices, processes and performance measurement, among other things.
In a data-centric context, governance helps ensure that only authorized parties have access to the data they wish to use. Data governance rules go beyond compliance alone, because the use of data is also governed by laws and regulations.
Traditional risk functions have focused on financial risks. Typically, this function has worked closely with, if not reported to, the CFO. Financial risks take several forms including vendor risks, business continuity risks and indemnification (insurance).
Traditional risk management can sometimes be at odds with other groups, particularly when it is viewed as an obstacle to innovation. It is therefore important to determine what an organization's risk appetite is and to innovate within the scope of it. For example, Amazon has had some spectacular successes and failures because it was willing to take on significant risks to its bottom line, stock price and reputation.
The compliance function focuses on legal and regulatory requirements. It must understand which outside rules the organization must adhere to and translate those rules into practices and processes that ensure compliance.
Compliance is subject to audits, both internal audits and audits by third parties, which may be consulting firms verifying whether their clients' companies are compliant. Alternatively, a regulatory auditor may be doing the same. The various audits tend not to be mutually exclusive undertakings, since the last thing a company wants is for a government auditor to discover a problem. If that happens, the company will likely be subject to regulatory fines, and if it is a public company, it will have to disclose the issue to shareholders. If the violation has also harmed customers (e.g., PII misuse), lawsuits could also result.
More recently, compliance, like governance, has been strongly associated with data, given the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). However, the compliance function is broader than data protection.