Governance, Risk & Compliance (GRC) – Big Time Confusion!

By Arif Zaman, Head of Internal Audit, Emaar Industries & Investments, UAE



In the early 2000s, many enterprises were scrambling to improve their internal control and governance processes after a series of highly publicized corporate financial disasters. As a result, the GRC concept came into existence, emerging as a savior to overcome these issues.

As per the GRC definition,

GRC (governance, risk management, and compliance) is the term used to describe an organization’s approach to addressing risks, staying compliant with the law, and managing company direction.

Despite the concept having been around for more than a decade, I still find many audit and risk professionals wondering what GRC is all about. Many think it is nothing more than a marketing stunt by ERP vendors to sell their software.

It is important to understand the evolutionary need for GRC in the corporate world before we form an opinion.

In the three lines of defense risk governance model (3LOD model), each layer of corporate defense was working in isolation.

Similar functional areas were being reviewed or audited by multiple stakeholders (audit, risk, compliance, fraud, internal control, HSE, information security, quality assurance, etc.), and each of them was presenting a separate report to management or to the Board on the governance health of the organization. As a result, a new problem emerged: stakeholder confusion, too many reports, duplication, and overlapping roles, which eventually led to a waste of resources.

To overcome these problems, the first scholarly research on GRC was published in 2007. The concept was largely welcomed as a relief from the “silos” issue, by introducing GRC into the corporate world. The concept is still in its infancy and has yet to mature, but overall it integrates the roles of governance, risk and compliance, aiming to remove silos and to achieve more coordination and collaboration among each layer within the organization.


Top 5 Common GRC Challenges

In practice, the GRC concept translated into a new department in the organization, known as the GRC or Governance Department. Key challenges faced by early adopters are the following:

  • Where to place GRC in the organization chart?
  • In which corporate defense layer does the GRC Department fall: first, second or third?
  • What should the scope and authority of the GRC Department be?
  • What should the reporting line of the GRC Department be, and who should report to GRC?
  • How should the effectiveness of the GRC Department be monitored?


How to address these challenges?

To overcome these challenges, it is important to enhance the corporate culture by removing the adverse competition for recognition among departments and by encouraging more collaboration within a company. The GRC lead (or department) in any organization could work as a moderator and a single point of reference for the executive management and the Board to measure the governance health of the organization.

The aim should be that a single report is presented to the executive management, covering the overall aggregated effort of the second and third layers of corporate defense in a company. The same department should work to ensure that risk management, internal control, internal audit, compliance, and other oversight functions work in harmony, sharing and receiving information among each other to avoid duplication and overlap and to ensure nothing falls through the cracks.




I would say there is no right or wrong practice as long as the objective of GRC is achieved, i.e. to remove silos, and since the GRC role or concept is still in its infancy, with time it will further evolve and mature like other corporate disciplines.

“Implementing a framework will never be successful unless the organization’s culture evolves to support GRC activities,” says Grama.

Arif Zaman