Governance, Risk & Compliance – An introduction by Erwin Boeren


We have all heard the term: Governance, Risk & Compliance or simply GRC. But what exactly is Governance, Risk & Compliance and what are the challenges companies are dealing with?


Let’s start from the beginning and look at the basic definitions. Governance is the overall approach for controlling the business environment and for giving direction to the organization, led by our core values and ethics (voluntary boundaries). This includes the various processes, rules, policies and laws that affect the success of a business. Risk is all about the obstacles that we will have to overcome to reach our business goals and what type of controls you have in place to prevent those obstacles from materializing. Compliance gives guidance on the boundaries that we have to adhere to while trying to reach our objectives. So far so good. Let’s take a look at some real-life examples.


Imagine that we are running a fictitious company. There are a number of things we have to do. An example of good governance is the protection of employees by labor rights (e.g. prevention of child labor). It could also be the company-wide travel expense policy that helps prevent improper spending. It could also be a company-wide agreement on dealing with fair trade vendors only. In terms of risk, we might have to deal with a vendor not being able to deliver on time, which might lead to claims from customers (a loss). A potential control for this risk could be a service level agreement with our suppliers. And then there are also external regulations you have to comply with. This is the area of compliance. Regulations like Basel II for banks, Solvency II for insurers and HIPAA for food handling belong to that category. No doubt – GRC is a broad area!


The challenge organizations are faced with is the complexity of all regulations and the relationship between core values, ethics, regulations and risk management. Unfortunately, too many businesses look at GRC as separate silos, and they often pay a huge price for this. Leading businesses are following an integrated, or enterprise, approach to GRC. Doing this creates significant rewards, like lower cost for external auditors due to existing and well-documented proof of business controls and procedures. The benefits also include the ability to make better decisions due to a deep understanding of risk, which will lead to better outcomes. And I am happy to say that proper GRC will also lower the administrative burden due to a significant reduction of those infamous and tedious control tests that are required to prove your compliance. Last but not least, organizations can also get loans at a better interest rate or cheaper insurance policies because they have proven to be better in control and thus a lower risk.


Needless to say: IT can play a huge role in making GRC successful. It is no wonder then that IBM acquired one of the leading software providers for Governance, Risk & Compliance solutions, called Open Pages.

But let’s talk about Open Pages and how Governance, Risk & Compliance can add value to Performance Management in another article next week…

About Erwin Boeren

Erwin Boeren is Governance, Risk and Compliance Leader at IBM Southwest Europe. Erwin has over 15 years of experience in the software industry, in various roles in business intelligence, performance management and Governance, Risk & Compliance. Together with his family, Erwin resides in the Netherlands.

Twitter : @erwinboeren