Generally speaking, the “function” of GRC, as it may be performed by a group of individuals in an organization, is to act as a bridge between business and IT: managing fulfilment of business objectives and expectations on one end, while collating data and information on the other, in order to evaluate the performance of the Risk and Compliance functions and report back to the governing body.
In a typical organization, generally at an operational maturity level of 2.5 or below (reference: Gartner service maturity model), there is usually a clearly defined management layer and a clearly defined operational layer. However, the governance function is either loosely defined, not separated from the management function, or even completely missing. Then again, there are always exceptions to this general observation.
From an organizational placement perspective, the function of GRC has a better chance of prospering if it is not placed under the IT organization, but rather under a business entity that is tasked with managing organizational performance and risk.
About the Author:
Faisal Ansari is a senior executive, a keynote speaker, and most importantly, an experienced practitioner in the domains of Information Privacy, Enterprise Risk, Cybersecurity, and Compliance. Having served global clients across a wide spectrum of industries, Mr. Ansari has also contributed to authorship of several international standards and frameworks from ISO, ISACA, and NIST.
Your Thoughts and Comments:
The author of this Trusted Insight would love to hear from you, and welcomes your feedback, comments, and suggestions to improve this article for the greater good of the business community. You can reach the author at firstname.lastname@example.org.