GRC: A moving target in a mobile world
Governance, Risk and Compliance (GRC) is by no means a new concept to organizations in the healthcare, financial or legal industries, or for the Fortune 1000 and publicly traded companies. For better or for worse, organizations must abide by a myriad of regulations.
In today's economy, however, GRC is taking on a new level of importance in sectors that may not have thought it applied to them before. Strategy Analytics' own research shows that organizations consider 45 percent of their workforce to be mobile--away from their home base more than 25 percent of the time--making GRC, quite literally, a moving target.
Before I talk about those issues, I thought it might help to provide a general definition of GRC. At the highest level, Governance, Risk and Compliance is the domain in which an organization ensures that it operates in accordance with industry regulations, balances its internal and external "risks," and can demonstrate that it governs itself in a compliant way, all while getting a better grasp of "the unknown." Let's break down the three pieces:
- Governance: Do you have policies and procedures in place to understand, as efficiently and effectively as possible, how your business is run? Can you map your business processes, the supply chain, the dependencies and the bottlenecks, so that you know who the key constituents (both inside and outside your company) are? How do you document these processes so that you can prove your word to anyone, or any group, who may challenge your business practices?
- Risk: It can take on many different meanings. There's the risk of trade secrets leaking, as well as the risk of litigation from partners, competitors, trade organizations and government bodies. There's also the risk of trade disputes, labor disputes and product quality failures--never mind disaster recovery and/or business continuity. The key thing to remember here is that risk is omnipresent, and that at this point there is almost nothing in the business world that is "risk free."
- Compliance: HIPAA, Sarbanes-Oxley, OSHA, FDA, JCAHO--the list of acronyms goes on and on. This creates a potential nightmare for companies, or a wonderful business opportunity for the myriad consultants out there who work every day to ensure that your organization abides by industry and government regulations.
From the very basic bullets above, it's easy to see that GRC practices and experts already have a formidable challenge before them in terms of managing and securing information. However, those challenges have historically been addressed in the context of immobile information. In the past, data and important files (for the most part) stayed within the four walls of the company's office. There was no Internet. There were no laptops and no remote or home-office workers. There was no mobile professional. In other words, this isn't your father's GRC.