Friday, March 19, 2010

GRC and You and Me

What is GRC? What started it? Who is the best at it, and how does it affect me? I will see if I can explain. Wikipedia defines Governance, Risk Management and Compliance (GRC) as “the umbrella term covering an organization’s approach across these areas. GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws.”
The three most common areas within GRC are Financial GRC, IT GRC and Legal GRC.

To some degree, GRC has always been a part of large corporate operations. GRC is not new, but the emphasis on it by major corporations is basically a response to the increasing complexity of their operations, globalization, increased mergers, heightened regulatory scrutiny and the relatively recent multitude of corporate frauds and failures, some simply from greed and others from bad business decisions. But what really spurred the interest in GRC was the passage of the US Sarbanes-Oxley Act (SOX) in 2002 and the need for public US companies to design and implement suitable governance controls for SOX compliance. Sarbanes-Oxley, however, is no longer the main driving force behind GRC. A recent study commissioned by KPMG International found that companies are embracing GRC to avoid business failures and non-compliance by expanding their GRC departments. You can read the entire article at

Forrester Research, Inc. recently evaluated the top 14 enterprise GRC platform vendors using some 80 criteria. The objective of this research was to determine who the market leaders were in this area. Thomson Reuters – Paisley, BWise, and OpenPages earned the highest scores overall due to their comprehensive capabilities and strong strategies. You can access more information about the Thomson Reuters – Paisley group at

So how does this affect you? Well, for one thing, it has created a job boom in the GRC area, with companies rushing to create Governance, Risk and Compliance departments and groups internally to address these issues. These efforts were often not completely successful, because GRC initiatives require an integrated approach and an enterprise-wide view of risk and compliance. I think that the opportunities in this area will continue to grow for CPAs to use their experience and knowledge to make a valuable contribution to their employers and improve the company’s compliance and risk management. What do you think?
