A Conceptual Model for Integrated Governance,
Risk and Compliance
Pedro Vicente and Miguel Mira da Silva
Instituto Superior Tecnico, Universidade Tecnica de Lisboa,
Avenida Rovisco Pais, 1, 1049-001 Lisboa, Portugal
{pedro.vicente,mms}@ist.utl.pt
Abstract. As integrated Governance, Risk and Compliance (GRC) becomes one of the most important business requirements in organizations, the market is, paradoxically, struggling to satisfy organizations' needs. The absence of scientific references on GRC is leading to a dispersion of the concepts involved in this topic. Without clear boundaries and a correct definition of the domain, poor implementations of GRC solutions can lead to weak performance and increased exposure to risk for organizations. This paper proposes a set of high-level concepts covering the GRC domain. Through a literature review and a survey of existing frameworks, we propose the key functions of governance, risk and compliance and their associations, resulting in a reference conceptual model for integrated GRC. The model was evaluated by comparing it against the OCEG GRC Capability Model using a quality-model evaluation framework. We conclude that the proposed model is valid and complete.
Keywords: governance, risk, compliance, conceptual model, integrated.
1 Introduction
Research on governance, risk and compliance as an integrated concept is finally starting to appear. Since PricewaterhouseCoopers introduced the term GRC in 2004 [1], a bewildering number of definitions have been presented, differing in both scope and level of integration.
The first scientific definition of integrated Governance, Risk and Compliance (GRC) was proposed by Racz et al. [2] and states that: "GRC is an integrated, holistic approach to organization-wide governance, risk and compliance ensuring that an organization acts ethically correct and in accordance with its risk appetite, internal policies and external regulations, through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness."
However, if you ask 10 organizations to describe governance, risk and compliance, you will probably get at least 20 definitions [3]. There is therefore no common understanding of what GRC is; instead, there are very different perspectives [4].
Just like Enterprise Resource Planning (ERP), GRC is becoming one of the
most important business requirements of an organization [5], mainly due to the