What is GRC?
Governance, Risk, and Compliance (GRC) is a structured way to align IT with business goals while managing risks and meeting all industry and government regulations. It includes tools and processes to unify an organization’s governance and risk management with its technological innovation and adoption. Companies use GRC to achieve organizational goals reliably, remove uncertainty, and meet compliance requirements.
What does GRC stand for?
GRC stands for governance, risk (management), and compliance. Most businesses are familiar with these terms but have practiced them separately in the past. GRC combines governance, risk management, and compliance in one coordinated model. This helps your company reduce wastage, increase efficiency, reduce noncompliance risk, and share information more effectively.
Governance
Governance is the set of policies, rules, or frameworks that a company uses to achieve its business goals. It defines the responsibilities of key stakeholders, such as the board of directors and senior management. For example, good corporate governance supports your team in including the company’s social responsibility policy in their plans.
Good governance includes the following:
- Ethics and accountability
- Transparent information sharing
- Conflict resolution policies
- Resource management
Risk management
Businesses face different types of risks, including financial, legal, strategic, and security risks. Proper risk management helps businesses identify these risks and find ways to remediate them. Companies use an enterprise risk management program to predict potential problems and minimize losses. For example, you can use a risk assessment to find security loopholes in your computer systems and apply a fix.
Compliance
Compliance is the act of following rules, laws, and regulations. It applies to legal and regulatory requirements set by industry bodies and also to internal corporate policies. In GRC, compliance involves implementing procedures to ensure that business activities comply with the respective regulations. For example, healthcare organizations must comply with laws like HIPAA that protect patients’ privacy.
Why is GRC important?
By implementing GRC programs, businesses can make better decisions in a risk-aware environment. An effective GRC program helps key stakeholders set policies from a shared perspective and comply with regulatory requirements. With GRC, the entire company comes together in its policies, decisions, and actions.
The following are some benefits of implementing a GRC strategy at your organization.
Data-driven decision-making
You can make data-driven decisions within a shorter time frame by monitoring your resources, setting up rules or frameworks, and using GRC software and tools.
Responsible operations
GRC streamlines operations around a common culture that promotes ethical values and creates a healthy environment for growth. It guides strong organizational culture development and ethical decision-making in the organization.
Improved cybersecurity
With an integrated GRC approach, businesses can employ data security measures to protect customer data and private information. Implementing a GRC strategy is essential for your organization due to increasing cyber risk that threatens users’ data and privacy. It helps organizations comply with data privacy regulations like the General Data Protection Regulation (GDPR). With a GRC IT strategy, you build customer trust and protect your business from penalties.
What drives GRC implementation?
Companies of all sizes face challenges that can endanger revenue, reputation, and customer and stakeholder interest. Some of these challenges include the following:
- Internet connectivity introducing cyber risks that might compromise data storage security
- Businesses needing to comply with new or updated regulatory requirements
- Companies needing data privacy and protection
- Companies facing more uncertainties in the modern business landscape
- Risk management costs increasing at an unprecedented rate
- Complex third-party business relationships increasing risk
These challenges create demand for a strategy to navigate businesses toward their goals. Conventional third-party risk management and regulatory compliance methods are not enough. Hence, GRC was introduced as a unified approach to help stakeholders make accurate decisions. (Reference: Amazon AWS)
Risk of Non-Compliance
If employees meet the criteria, they are entitled to leave or accommodations under the Americans with Disabilities Act (ADA), the Family Medical Leave Act (FMLA), and Workers’ Compensation. These are great things that you must provide your employees. The legal requirements of the Family Medical Leave Act (FMLA) and the Americans with Disabilities Act Amendments Act (ADAAA) are similar, yet at times one law contradicts the other. You find that you can’t comply with both laws at the same time, so which one takes precedence over the other? Where does Workers’ Compensation (WC) come in?
But what if they are lying? What if you think that they aren’t injured or are using intermittent FMLA to go skiing? You need to investigate, but you need to do it right to make sure you aren’t violating their rights.
- Eligibility for ADA
- Eligibility for FMLA
- Eligibility for Workers’ Comp
- How often does fraud occur?
- Is it worth fighting?
- Gathering evidence
- Require certification
- Keep your job descriptions updated
- Importance of consistent call-in procedures
- Why you should consider an outside investigator
- How to avoid retaliation
- Take the doctor’s word (or pay for a second opinion)
- The difference between someone with a “serious health condition” under the FMLA and a “qualified individual with a disability” under the ADA/ADAAA
- Situations where the FMLA and ADA/ADAAA may overlap
OSHA Compliance Audits
Your company is required to maintain a record of serious work-related injuries and illnesses.
If you are an employer with more than 10 employees (certain low-risk industries are exempted), it is important to know how OSHA classifies a high-risk injury and how it defines a recordable injury or illness. Employers, workers, and OSHA use this information to evaluate the safety of your workplace. It helps in understanding industry hazards and lays out basic requirements for implementing worker protections, so that workplace hazards can be reduced or eliminated and future workplace injuries and illnesses can be prevented.
OSHA requires affected employers to maintain and update OSHA 300 logs and to document recordable injuries and illnesses. OSHA also requires these employers to prepare the OSHA 300A summary by February every year. Affected employers are required to submit information from the OSHA 300A summary electronically on OSHA’s Injury Tracking Application (ITA) website.
2022 saw many changes in health and safety and updates to OSHA recordkeeping regulatory guidelines. This has raised many questions and concerns from companies about what this requirement means and what OSHA will do with the information.