The new GRC (Governance, Risk Management, Compliance) – SRG

GRC has been used as an acronym for some time now – obviously growing out of the need to better govern organisations, and seeing the way to do so as a better perspective on risk and closer attention to compliance. The question, though, is: “Is GRC still an appropriate linking together of these three essential concepts?”

We believe that governance has grown up and matured since the “Sarbanes-Oxley (SOX) response” to the failures of Enron, WorldCom and the like, a response that rippled around the globe.

SOX (and similar governance requirements) was a response that imposed a whole host of external requirements onto organisations and created the false concept of governance as a set of structures that would ensure the responsible success of a company. In this view, risk management became the way organisations reacted to risks as and when they arose, with a specific focus on ensuring that no-one overstepped any legal issue, i.e. they complied.

We would argue that both risk and compliance are certainly key elements of governance but that governance is far more than either risk or compliance – it goes beyond the tangible things that can be measured to the intangibles that make up the entire value of the organisation.

Moving forward, we believe that the emphasis has already shifted – governors of organisations are realising that they need far more than a static approach to governance, far more than structures, processes and reports. They are looking for a strategic alignment between what they do and how they govern it.

To achieve this alignment between strategy and governance a new approach is needed – we call this approach SRG – strategy, risk, and governance. This approach follows the logical flow of (i) determining strategy, (ii) identifying risks in the implementation of the strategy, and (iii) putting in place the appropriate governance framework that will enable the achievement of the strategy taking into account the risks faced.

Boards and directors need a new approach to fulfilling their duties – the old approach that understood governance as primarily structural and the main measure of value as financial no longer works. The new approach that sees governance as a dynamic response to strategy and ongoing risk assessment places a far greater responsibility on directors to not just manage structures but to ensure that the policy framework they create gives life to the strategy of the company.

To explore these concepts within your organisation please contact us on
