Read this article, which explains how to build a sustainable GRC program: what the key components are, and the best practices to follow.


Gone are the days when Governance, Risk, and Compliance (GRC) was, at best, a back-office function, and at worst, the department of “No.” Today, GRC has evolved into a powerful and positive force for the business – one that not only helps stakeholders preserve organizational credibility and protect brands, but also strengthens performance. With companies increasingly under pressure to demonstrate high levels of performance, a robust GRC program can make all the difference. So, how do you build such a program? How do you bring together people, processes, information, and technology to make GRC a true business enabler?

Building Blocks of a Robust GRC Program

The business drivers of GRC have shifted over the last few years. Instead of focusing solely on compliance, or even downside risk management, GRC has become an important tool for companies to drive growth and profitability. The key is to build a mature, sustainable GRC program that includes the following components.

1. The Big Picture of Risk

The hallmark of a successful GRC program is the ability to deliver comprehensive visibility into both current and emerging risks. Organizations want to understand how risks across the enterprise interact with each other and with controls, regulations, and policies. They need risk reports that are relevant, timely, and rich with insights.

It starts with establishing an integrated framework of risk and control data that can be leveraged by various GRC functions to ensure alignment and consistency among them. An integrated framework provides a rich, well-rounded context to risk by mapping it to organizational objectives, processes, controls, and key risk metrics. The end result is better risk intelligence which enables management to better balance risks and opportunities.


In a recent MetricStream Research survey, 70% of the respondents indicated that the top business driver for GRC investment is the need to improve risk oversight.

2. A Strong Tone at the Top

As with any other business initiative, the success of a GRC program depends a great deal on the “tone at the top,” and how well it is communicated across the organization. That, in turn, requires policies and procedures that are well-written and regularly updated, so that employees know exactly what is expected of them.

The other important factor is to ensure that GRC activities are embedded deep into business systems and processes, rather than being managed as separate or distinct projects. The more pervasive GRC is, the more effectively employees will embody the firm’s risk and compliance vision in their day-to-day decisions and actions.

3. Integration and Collaboration

The benefits of integrated GRC are well-known – improved risk visibility, better coordination, and greater efficiency. However, the level of integration across GRC functions is still a major issue globally, although it has improved over the years.

In many organizations, the risk, compliance, and audit departments still run their respective programs in silos with limited or no data-sharing. As a result, they end up duplicating effort, increasing costs, and being unable to get a clear picture of risk. A better approach would be to establish an integrated GRC strategy, supported by a robust GRC solution that enables the enterprise to manage the entirety of its GRC initiatives on a single platform. Both the GRC program and solution should strengthen collaboration and cohesiveness across GRC roles, processes, activities, and information.

To drive this initiative, organizations should look at creating a dedicated group of people with cross-functional expertise who can bring together various teams and departments, and ensure smooth collaboration among them. Ultimately, the effectiveness of a GRC program depends, to a great extent, on the level of communication and coordination across teams.


The OCEG 2017 GRC Maturity Survey found that organizations with integrated GRC strategies show greater confidence that their governing bodies (e.g., board of directors) are receiving the right level of risk and compliance detail to aid in the establishment and achievement of organizational objectives.



4. Well-Defined Roles, Responsibilities, and Processes

As C-level roles evolve, GRC responsibilities and reporting lines are also changing. For example, in many companies, the compliance function, which earlier reported to the Chief Legal Officer (CLO), now reports to the Chief Risk Officer (CRO). Similarly, GRC activities, which were earlier managed by a limited group of people, have now become a central business priority.

With all these changes taking place, it is important for companies to define their GRC goals and objectives, break them down into tactical steps, and align each of those steps with the relevant functions or departments. This structured approach helps establish everyone’s roles and responsibilities clearly, while also improving accountability.

Training is another key factor. With GRC requirements continuing to evolve, GRC professionals need to keep updating their skills and knowledge, so that they are prepared to deal with the changes ahead.

5. GRC Embedded in the Organizational Culture

As millennials move up the corporate ladder, their views, attitudes, and approaches to work are changing the way businesses are run. Social media, mobility, and the cloud have become the tools of choice at the workplace. Agility, flexibility, and a “never-say-die” attitude are the new modes of work - but matters of GRC cannot be neglected. Companies need to evaluate how to make GRC an integral part of the organization’s culture, even as they adapt to a millennial style of working.



According to Aberdeen Group’s 2017 Report “Manage Risk Efficiently with Integrated GRC Solutions,” users of GRC solutions are 4.1 times as likely to assess and track exposure to audit risk, as those who don’t use such solutions.

6. The Right Information at the Right Time

Against a backdrop of growing geopolitical uncertainties, cyber-attacks, and rapid regulatory changes, business leaders need to make decisions faster than ever. They have to be able to draw valuable insights quickly from large volumes of data, and leverage those insights to enhance business planning and strategy. The most important aspect is speed. Today, there are powerful tools for data visualization, analytics, and reporting – all of which enable business lines to make swift, risk-aware decisions that drive performance.

7. Effective Tools and Technology

A truly successful GRC program is enabled as much by technology, as by people and processes. One of the biggest benefits of a GRC technology solution is automation - it improves efficiency, and reduces costs. A GRC solution can also help companies enhance cross-functional collaboration on GRC activities, and transform raw GRC data into meaningful intelligence.

In a business environment that is increasingly mobile, social, global, and virtual, the focus must be on simplifying GRC programs, and achieving a high degree of agility. Companies have to be able to adapt quickly, and respond to a risky business landscape, evolving regulatory environment, and the ever-changing context of how business is done. Technology plays an important role in achieving this objective.


About MetricStream GRC Solution

The MetricStream Enterprise GRC Solution provides a single, integrated system to manage, coordinate, and track multiple types of GRC activities. The solution cuts across organizational silos, strengthening collaboration and communication. It helps establish a systematic, holistic approach to GRC, while also rolling up risk and compliance data from across the enterprise, and transforming it into actionable business intelligence.
