According to Michael Rasmussen, an industry analyst at Forrester Research, the challenge in defining GRC is that individually, each term has “many different meanings within organizations. There is corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, Sarbanes-Oxley (SOX) compliance, privacy compliance…you get the picture.”
Typically, GRC solutions are enterprise software that helps businesses comply with legal requirements. The most significant regulation in this context is the Sarbanes-Oxley Act of 2002, sponsored by Senator Paul Sarbanes and Representative Michael Oxley, which significantly tightens the personal responsibility of corporate top management for the accuracy of reported financial statements.
Compliance in the USA generally means compliance with laws and regulations, and violations can carry criminal or civil penalties. What constitutes an effective compliance plan has proved hard to define. On October 12, 2006, the US Small Business Administration re-launched Business.gov as a single point of access to the government services businesses need in order to meet compliance requirements.
There are a number of other regulations, such as GLBA, FISMA, and HIPAA. In some cases, compliance frameworks (such as COBIT) or standards (such as those published by NIST) provide guidance on how to comply with regulations that are already in force. Failure to comply with these regulations can lead to severe legal penalties or civil liability.
Laws such as Sarbanes-Oxley drive businesses to:
- Continuously monitor compliance
- Improve predictability
- Reduce costs associated with compliance
Analyst Kate Plourd observes that “to err is human and common.” Although accounting standards are complex, she says, it is simple mistakes that cause most financial restatements, and she maintains that compliance measures and risk monitoring will drastically reduce the problem.
Henry David Thoreau says, “Any fool can make a rule, and every fool will mind it. After all, a rule is a rule; one who does not obey it is a fool.” Sounds contradictory, doesn’t it?
Compliance measures do have their loopholes, and many resent them. But companies must meet basic compliance requirements in order to survive in the market.