Governance, Risk And Compliance (GRC) - Revision history

User at 10:45, 1 July 2023

2023-07-01T10:45:32Z

User at 12:22, 4 January 2023

2023-01-04T12:22:34Z

User at 12:17, 4 January 2023

2023-01-04T12:17:59Z

User at 17:51, 2 November 2022

2022-11-02T17:51:44Z

Show changes

User: The LinkTitles extension automatically added links to existing pages (https://github.com/bovender/LinkTitles).

2021-02-06T16:05:55Z

The LinkTitles extension automatically added links to existing pages (https://github.com/bovender/LinkTitles).

Show changes

User at 20:11, 25 September 2019

2019-09-25T20:11:22Z

User at 16:56, 5 June 2019

2019-06-05T16:56:37Z

User at 16:25, 5 June 2019

2019-06-05T16:25:03Z

User at 16:05, 5 June 2019

2019-06-05T16:05:16Z

User at 15:33, 5 June 2019

2019-06-05T15:33:16Z

@@ Line 75: / Line 75: @@
 *Risk, including financial risk, credit risk, market risk, strategy risk, operational risk, fraud risk, reputational risk, information security risk, technology risk, compliance risk, etc.
 *Compliance, including regulatory compliance ([[Sarbanes Oxley Act (SOX)|SOX]], [[Payment Card Industry Data Security Standard (PCI DSS)|PCI/DSS]], [[General Data Protection Regulation (GDPR)|GDPR]]), legal compliance (labor laws), organizational compliance (policies and standards), security (human, physical and information security), quality, ethics, and values.
-*Governance, management, and operations—governance involves setting directions, optimizing risks and resources, and monitoring performance and compliance to achieve an organization’s objectives. It can be broadly classified into corporate governance, business governance, IT governance, and legal governance. Management involves planning, organizing, leading, coordinating, controlling, and reporting. Operations include executing the process and function.
+*Governance, management, and operations—governance involves setting directions, optimizing risks and resources, and monitoring performance and compliance to achieve an organization’s objectives. It can be broadly classified into corporate governance, business governance, [[IT Governance]], and legal governance. Management involves planning, organizing, leading, coordinating, controlling, and reporting. Operations include executing the process and function.
 *Controls—in order to realize value from the business, resources should be utilized efficiently and effectively, and business attributes should be optimized. This is only possible when appropriate controls are implemented and executed. The controls can be classified as management controls, process controls, technical controls, and physical controls. Controls are applied to the resources as well as the attributes.
 *Assurance—independent assurance is required to ensure that controls are designed and operating effectively, and compliance requirements are met consistently. It is the responsibility of governance to monitor and obtain assurance. Assurance will be primarily through audits. There are several types of audits. Internal and external audits, certification audits, financial audits, IT audits, compliance audits, process audits and security audits, etc.
@@ Line 197: / Line 197: @@
 == See Also ==
-*[[IT Governance]]<br />
+*[[ITIL (Information Technology Infrastructure Library)|ITIL]]
-*[[ITIL (Information Technology Infrastructure Library)]]
+*[[Information Technology Risk (IT Risk)|IT Risk]]
 *[[Risk Governance]]

@@ Line 8: / Line 8: @@
 *Conflicting actions
 *Unnecessary complexity
-*Inability to assess the cascading effects of risk<ref>[https://riskonnect.com/resources/grc-guide/ What Does Governance, Risk, And Compliance (GRC) Mean?]</ref>
+*Inability to assess the cascading effects of risk<ref>[https://riskonnect.com/resources/grc-guide/ What Does Governance, Risk, And Compliance (GRC) Mean? - Risk Connect]</ref>
-Governance, risk management, and compliance (GRC) is a management discipline that takes an integrated firm-wide approach to meet internal guidelines set for each activity. [[Corporate Governance]], [[Enterprise Risk Management (ERM)]], and [[Compliance|Corporate Compliance]] have been integral to managing companies for a long time. But increasing amounts of regulation, increasing demands for transparency, and the exponential growth of third-party relationships have made a siloed approach to these activities costly, risky, and untenable. As an integrated approach, GRC is a relatively new management discipline. It can mean different things to different businesses, but integrating GRC processes typically aims to improve information gathering and quality, in order to operate more efficiently, and share information more effectively across the organization to avoid duplication of effort.<ref>Definition - What does Governance, Risk, And Compliance (GRC) Mean? [https://www.investopedia.com/terms/g/grc.asp Investopedia]</ref>
+Governance, risk management, and compliance (GRC) is a management discipline that takes an integrated firm-wide approach to meet internal guidelines set for each activity. [[Corporate Governance]], [[Enterprise Risk Management (ERM)]], and [[Compliance|Corporate Compliance]] have been integral to managing companies for a long time. But increasing amounts of regulation, increasing demands for transparency, and the exponential growth of third-party relationships have made a siloed approach to these activities costly, risky, and untenable. As an integrated approach, GRC is a relatively new management discipline. It can mean different things to different businesses, but integrating GRC processes typically aims to improve information gathering and quality, in order to operate more efficiently, and share information more effectively across the organization to avoid duplication of effort.<ref>[https://www.investopedia.com/terms/g/grc.asp Definition - What does Governance, Risk, And Compliance (GRC) Mean?  -Investopedia]</ref>
 Governance, Risk Management, and Compliance, also known as GRC, is an umbrella term for the way organizations deal with three areas that help them achieve their objectives. The main purpose of GRC as a business practice is to create a synchronized approach to these areas, avoiding the repetition of tasks and ensuring that the approaches used are effective and efficient.
@@ Line 20: / Line 20: @@
 *Operate within legal, contractual, internal, social, and ethical boundaries.
 *Provide relevant, reliable, and timely information to appropriate stakeholders.
-*Enable the measurement of the performance and effectiveness of the system."<ref>Defining Governance, Risk And Compliance (GRC) [https://www.webopedia.com/TERM/G/grc-governance-risk-compliance.html Webopedia]</ref>
+*Enable the measurement of the performance and effectiveness of the system."<ref>[https://www.webopedia.com/TERM/G/grc-governance-risk-compliance.html Defining Governance, Risk And Compliance (GRC)  -Webopedia]</ref>
-== GRC Practices<ref>The Three Practices of GRC [https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc531020(v=technet.10) Microsoft]</ref> ==
+== GRC Practices<ref>[https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc531020(v=technet.10) The Three Practices of GRC -Microsoft]</ref> ==
 The three practices that make up GRC—'''governance, risk management, and compliance''—share common and interrelated tasks. Because governance, risk, and compliance have overlapping areas of responsibility and process, they are more effective when they are integrated and dealt with as combined practices. This decreases data islands and silos of activity that ultimately slow down organizational responsiveness and contribute to greater risk by obscuring risk identification and producing inadequate risk impact assessments. Combining can streamline processes and provide transparency and accountability in an organization. It accomplishes this by:
@@ Line 44: / Line 44: @@
-== Governance, Risk And Compliance (GRC) Functions and Capability Elements<ref>The Eight Functions and Capability Elements of Governance, Risk And Compliance (GRC) [https://iasaglobal.org/itabok/capability-descriptions/governance-risk-and-compliance/ IASA Global]</ref> ==
+== Governance, Risk And Compliance (GRC) Functions and Capability Elements<ref>[https://iasaglobal.org/itabok/capability-descriptions/governance-risk-and-compliance/
 According to best practice principles, GRC can be broken down into eight functions and capability elements:
 *Organize and oversee – The ability to define outcomes, commitment, roles, and responsibilities as well as approach and accountability
@@ Line 59: / Line 60: @@
-== The Scope of GRC<ref>What is the scope of GRC? [https://www.capgemini.com/2017/10/grc-101-an-introduction-to-governance-risk-management-and-compliance/# CapGemini]</ref> ==
+== The Scope of GRC<ref>[https://www.capgemini.com/2017/10/grc-101-an-introduction-to-governance-risk-management-and-compliance/# What is the scope of GRC? -CapGemini]</ref> ==
 By definition, the scope of GRC doesn’t end with just governance, risk, and compliance management, but also includes assurance and performance management. In practice, however, the scope of a GRC framework is further getting extended to information security management, quality management, ethics and values management, and business continuity management.
@@ Line 84: / Line 85: @@
-== Maximizing the Value of GRC<ref>How to Maximize the Value of GRC [https://www.cleverism.com/how-to-maximize-the-value-of-grc-governance-risk-compliance/ Cleverism]</ref> ==
+== Maximizing the Value of GRC<ref>[https://www.cleverism.com/how-to-maximize-the-value-of-grc-governance-risk-compliance/ How to Maximize the Value of GRC -Cleverism]</ref> ==
 Businesses often manage governance, risk management, and compliance separately. The integrated GRC approach combines all three to streamline their governance, risk management, and compliance initiatives. This is more effective and efficient since it reduces or even eliminates duplication and redundancy of work. It saves time, effort, and money – resources that all businesses will do well to use wisely.
@@ Line 100: / Line 101: @@
-== GRC Implementation<ref>GRC Implementation [https://tallyfy.com/guides/governance-risk-management-compliance-grc/ Tallyfy]</ref> ==
+== GRC Implementation<ref>[https://tallyfy.com/guides/governance-risk-management-compliance-grc/ GRC Implementation -Tallyfy]</ref> ==
 The following five steps must be taken to make sure GRC is successfully installed at the heart of your corporate strategies:
 *Define what you aim to achieve – If this sounds like an obvious step, it’s because it is. However, it’s a step too often overlooked and one that can make all the difference between success and failure. After all, if you don’t know what you want to achieve and whether your new strategy can even help you get there, how can you possibly hope to effect any meaningful change? The key here is to gather key stakeholders and project staff together to understand collectively what GRC can mean to your organization and to come up with priorities based on that understanding.
@@ Line 109: / Line 110: @@
-== GRC Drivers<ref>GRC Drivers [https://www.oceg.org/about/what-is-grc/ OCEG]</ref> ==
+== GRC Drivers<ref>[https://www.oceg.org/about/what-is-grc/ GRC Drivers -OCEG]</ref> ==
 Organizations must address today’s challenging business climate. Even small businesses, nonprofits, and government agencies are facing issues that only large companies had to face in the past. Some or all of the following factors have to be dealt with:
 *Stakeholders demand high performance along with high levels of transparency
@@ Line 146: / Line 147: @@
-== GRC Challenges<ref>GRC Challenges [https://www.scripted.com/writing-samples/why-a-governance-risk-and-compliance-program-is-important-for-your-business Scripted.com]</ref> ==
+== GRC Challenges<ref>[https://www.scripted.com/writing-samples/why-a-governance-risk-and-compliance-program-is-important-for-your-business GRC Challenges
 There are many risks in the workplace as it relates to ensuring governance, risk management, and compliance. New regulations can be overwhelming if a company doesn’t have a person or team to ensure updates are in place. Additionally, a lack of cohesion in departments can also cause communication problems, as each department has its own rules and guidelines. Departments that run different software packages may not integrate fully and this can cause increased risk. Lastly, a lack of visibility in determining risks in operations can lead to inaccurate reports.
@@ Line 152: / Line 154: @@
-== Benefits of Taking an Integrated GRC Approach<ref>Benefits of Taking an Integrated GRC Approach [https://www.metricstream.com/whitepapers/html/GRC_frame.htm Metric Stream]</ref> ==
+== Benefits of Taking an Integrated GRC Approach<ref>[https://www.metricstream.com/whitepapers/html/GRC_frame.htm Benefits of Taking an Integrated GRC Approach  -Metric Stream]</ref> ==
 Many organizations find themselves managing their governance, risk, and compliance initiatives in silos - each initiative managed separately even if reporting needs overlap. Even though each of these initiatives individually follows the governance, risk, and compliance process outlined above, when they deployed software solutions to enable these processes, the selections were made in a very tactical manner, without a thought for a broader set of requirements. As a result, organizations have ended up with dozens of such systems to manage individual governance, risk, and compliance initiatives, each operating in its own silo.
@@ Line 168: / Line 170: @@
-== GRC Product Vendors<ref>GRC Product Vendors [https://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance Wikipedia]</ref> ==
+== GRC Product Vendors<ref>[https://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance GRC Product Vendors -Wikipedia]</ref> ==
 The distinctions between the sub-segments of the broad GRC market are often not clear. With a large number of vendors entering this market recently, determining the best product for a given business problem can be challenging. Given that the analysts don’t fully agree on the market segmentation, vendor positioning can increase the confusion.
@@ Line 180: / Line 182: @@
-== GRC Certifications<ref>What are the top GRC certifications? [https://www.cio.com/article/3206607/what-is-grc-and-why-do-you-need-it.html CIO.com]</ref> ==
+== GRC Certifications<ref>[https://www.cio.com/article/3206607/what-is-grc-and-why-do-you-need-it.html What are the top GRC certifications? -CIO.com]</ref> ==
 Professionals with a GRC certification must juggle stakeholder expectations with business objectives and ensure that organizational objectives are met while also meeting compliance requirements. That's an incredible amount of responsibility, and it's absolutely necessary for today's business climate.

@@ Line 10: / Line 10: @@
 *Inability to assess the cascading effects of risk<ref>[https://riskonnect.com/resources/grc-guide/ What Does Governance, Risk, And Compliance (GRC) Mean?]</ref>
-Governance, risk management, and compliance (GRC) is a management discipline that takes an integrated firm-wide approach to meet internal guidelines set for each activity. [[Corporate Governance]], [[Enterprise Risk Management (ERM)]], and [[Compliance|Corporate Compliance]] have been integral to managing companies for a long time. But increasing amounts of regulation, increasing demands for transparency, and the exponential growth of third-party relationships have made a siloed approach to these activities costly, risky, and untenable. As an integrated approach, GRC is a relatively new management discipline. It can mean different things to different businesses, but integrating GRC processes typically aims to improve information gathering and [[quality]], in order to operate more efficiently, and share information more effectively across the [[organization]] to avoid duplication of effort.<ref>Definition - What does Governance, Risk, And Compliance (GRC) Mean? [https://www.investopedia.com/terms/g/grc.asp Investopedia]</ref>
+Governance, risk management, and compliance (GRC) is a management discipline that takes an integrated firm-wide approach to meet internal guidelines set for each activity. [[Corporate Governance]], [[Enterprise Risk Management (ERM)]], and [[Compliance|Corporate Compliance]] have been integral to managing companies for a long time. But increasing amounts of regulation, increasing demands for transparency, and the exponential growth of third-party relationships have made a siloed approach to these activities costly, risky, and untenable. As an integrated approach, GRC is a relatively new management discipline. It can mean different things to different businesses, but integrating GRC processes typically aims to improve information gathering and quality, in order to operate more efficiently, and share information more effectively across the organization to avoid duplication of effort.<ref>Definition - What does Governance, Risk, And Compliance (GRC) Mean? [https://www.investopedia.com/terms/g/grc.asp Investopedia]</ref>
-Governance, Risk Management, and Compliance, also known as GRC, is an umbrella term for the way organizations deal with three areas that help them achieve their objectives. The main purpose of GRC as a [[business]] practice is to create a synchronized approach to these areas, avoiding the repetition of tasks and ensuring that the approaches used are effective and efficient.
+Governance, Risk Management, and Compliance, also known as GRC, is an umbrella term for the way organizations deal with three areas that help them achieve their objectives. The main purpose of GRC as a business practice is to create a synchronized approach to these areas, avoiding the repetition of tasks and ensuring that the approaches used are effective and efficient.
 While many experts and GRC vendors disagree on a standard definition for Governance, Risk, and Compliance, the Open Compliance and Ethics Group (OCEG) has published one of the most comprehensive GRC definitions. In its GRC Capability Model, Red Book, 2.0, the OCEG defines GRC as a "system of people, processes, and technology that enables an organization to:
-*Understand and prioritize [[stakeholder]] expectations.
+*Understand and prioritize stakeholder expectations.
 *Set business objectives that are congruent with values and risks.
 *Achieve objectives while optimizing risk profile and protecting value.
@@ Line 25: / Line 25: @@
 == GRC Practices<ref>The Three Practices of GRC [https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc531020(v=technet.10) Microsoft]</ref> ==
-The three practices that make up GRC—'''governance, risk management, and compliance''—share common and interrelated tasks. Because governance, risk, and compliance have overlapping areas of responsibility and [[process]], they are more effective when they are integrated and dealt with as combined practices. This decreases [[data]] islands and silos of activity that ultimately slow down organizational responsiveness and contribute to greater risk by obscuring risk identification and producing inadequate risk [[impact]] assessments. Combining can streamline processes and provide transparency and accountability in an organization. It accomplishes this by:
+The three practices that make up GRC—'''governance, risk management, and compliance''—share common and interrelated tasks. Because governance, risk, and compliance have overlapping areas of responsibility and process, they are more effective when they are integrated and dealt with as combined practices. This decreases data islands and silos of activity that ultimately slow down organizational responsiveness and contribute to greater risk by obscuring risk identification and producing inadequate risk impact assessments. Combining can streamline processes and provide transparency and accountability in an organization. It accomplishes this by:
 Bringing the right groups of people together (governance) to clarify what needs to happen and evaluate what could get in the way (risk management).
@@ Line 35: / Line 35: @@
 What is our organization’s governance plan—who decides how and what to decide?
 What is our organization’s risk tolerance—where can we accept more risk, and in which areas should we be more cautious?
-Are there specific regulatory and compliance issues that apply to our [[industry]]?
+Are there specific regulatory and compliance issues that apply to our industry?
 What is our compliance culture—that is, how do we determine that we’re doing what we said we would do?
 By answering these questions and working on integrated GRC plans, the alignment of IT and business goals are improved because the right people are making the right decisions at the right time.
@@ Line 92: / Line 92: @@
 GRC will do wonders for your business. But only if it is done right. It is not enough that you have GRC programs in place. You have to make sure you maximize the value that you will derive from GRC. Let us take a look at how we can get the most out of our GRC programs.
-*Step 1: [[Design]] GRC programs to be flexible
+*Step 1: Design GRC programs to be flexible
 Keep in mind that GRC is not a one-time thing. It must continually reassess how the company can effectively and efficiently meet its strategic objectives.
 *Step 2: Simplify your GRC processes
@@ Line 133: / Line 133: @@
 === GRC Done Right (see figure below) ===
-Integrating GRC capabilities does not mean creating a mega-department of GRC and doing away with decentralized management. Nor does it call for the use of only one GRC [[software]] system to manage it all. Rather, it is about establishing an approach that ensures the right people get the right information at the right times; that the right objectives are established; and that the right actions and controls are put in place to address uncertainty and act with integrity. When GRC is done right, the benefits accrue. Organizations that integrate GRC processes and technology across all or many silos have:
+Integrating GRC capabilities does not mean creating a mega-department of GRC and doing away with decentralized management. Nor does it call for the use of only one GRC software system to manage it all. Rather, it is about establishing an approach that ensures the right people get the right information at the right times; that the right objectives are established; and that the right actions and controls are put in place to address uncertainty and act with integrity. When GRC is done right, the benefits accrue. Organizations that integrate GRC processes and technology across all or many silos have:
 *Reduced costs
 *Reduced duplication of activities
@@ Line 163: / Line 163: @@
 *Provide a “single version of the truth” available to employees, management, auditors, and regulatory bodies
-According to a recent note from Gartner, “For Sarbanes-Oxley, we put the burden on a global Bank at about 0.2 percent to 0.4 percent on [[Earnings Before Interest, Taxes, Depreciation, and Amortization (EBITDA)|EBITDA]]. So if the [[Securities and Exchange Commission (SEC)]] is one of 370 regulators for a global bank - to approach each regulatory program individually would eat up all the profits. Lots of companies have separate compliance programs for every regulatory regime. As regulatory regimes proliferate, a comprehensive compliance program keeps regulations from depressing earnings”. An integrated GRC approach enables an organization to integrate and streamline these individual compliance initiatives, so it can significantly reduce the cost of compliance.
+According to a recent note from Gartner, “For Sarbanes-Oxley, we put the burden on a global Bank at about 0.2 percent to 0.4 percent on EBITDA. So if the [[Securities and Exchange Commission (SEC)]] is one of 370 regulators for a global bank - to approach each regulatory program individually would eat up all the profits. Lots of companies have separate compliance programs for every regulatory regime. As regulatory regimes proliferate, a comprehensive compliance program keeps regulations from depressing earnings”. An integrated GRC approach enables an organization to integrate and streamline these individual compliance initiatives, so it can significantly reduce the cost of compliance.
-It is critical that a GRC solution must be able to address a wide range of compliance and risk management initiatives so that an organization can leverage GRC to deploy a consistent [[Framework|framework]] across the organization for compliance and risk management. Many vendors window-dress their point solution by re-labeling it as a GRC solution or adding support for a few additional regulations to claim a multi-regulatory label.
+It is critical that a GRC solution must be able to address a wide range of compliance and risk management initiatives so that an organization can leverage GRC to deploy a consistent framework across the organization for compliance and risk management. Many vendors window-dress their point solution by re-labeling it as a GRC solution or adding support for a few additional regulations to claim a multi-regulatory label.
@@ Line 195: / Line 195: @@
 == See Also ==
-[[IT Governance]]<br />
+*[[IT Governance]]<br />
-[[IT Governance Framework]]<br />
+*[[ITIL (Information Technology Infrastructure Library)]]
-[[Enterprise Architecture]]<br />
+*[[Information Technology Risk (IT Risk)]]
-[[Corporate Governance]]<br />
+*[[Risk Governance]]

@@ Line 204: / Line 204: @@
 [[Government Enterprise Architecture (GEA)]]<br />
 [[Government Interoperability Maturity Matrix (GIMM)]]<br />
-[[IT Strategy (Information Technology Strategy)]]
+[[IT Strategy (Information Technology Strategy)]]<br />

@@ Line 13: / Line 13: @@
 *Provide relevant, reliable, and timely information to appropriate [[Stakeholder|stakeholders]].
 *Enable the [[Performance Measurement|measurement of the performance]] and effectiveness of the system."<ref>Defining Governance, Risk And Compliance (GRC) [https://www.webopedia.com/TERM/G/grc-governance-risk-compliance.html Webopedia]</ref>
@@ Line 93: / Line 113: @@
 *The harsh (and scary) impact when threats and opportunities are not identified
-'''GRC Done Wrong (see figure below)'''<br />
 OCEG's Maturity Survey finds that disjointed GRC activities cause a number of problems. To address these drivers, organizations develop departments and programs such as: performance management; risk management; compliance; corporate social responsibility; and so on. Unfortunately, these departments and programs are often siloed, ineffective and yield troubling drawbacks:
 *High costs
@@ Line 107: / Line 129: @@
-'''GRC Done Right (see figure below)'''<br />
+=== GRC Done Right (see figure below) ===
 Integrating GRC capabilities does not mean creating a mega-department of GRC and doing away with decentralized management. Nor does it call for the use of only one GRC software system to manage it all. Rather, it is about establishing an approach that ensures the right people get the right information at the right times; that the right objectives are established; and that the right actions and controls are put in place to address uncertainty and act with integrity. When GRC is done right, the benefits accrue. Organizations that integrate GRC processes and technology across all or many silos have:
 *Reduced costs
@@ Line 170: / Line 193: @@
 *Certification in Risk Management Assurance (CRMA)
 *GRC Professional (GRCP)

@@ Line 82: / Line 82: @@
 *Demonstrate the benefits – With the approach above, there’s also the potential to gain some early wins that can help with the internal communications aimed at winning buy-in from staff. It’s not just a case of heading off the confusion and lack of support that can result from a poorly communicated change like this, it’s about demonstrating to key staff and managers the clear benefits of GRC, covering subjects like the drivers for it, the implication on staff, the controls in place and the next steps.
 *Define what would represent success – This is one of the most important steps because defining what would represent success is the way that you can demonstrate that the project has been worthwhile. Out of the benefits listed earlier, pick out the ones that are most relevant and put a number by them, whether it’s a financial target or one based on policies and procedures that be measured to show that GRC is making things better.
@@ Line 106: / Line 143: @@
 It is critical that a GRC solution must be able to address a wide range of compliance and risk management initiatives so that an organization can leverage GRC to deploy a consistent [[Framework|framework]] across the organization for compliance and risk management. Many vendors window dress their point solution by re-labeling it as a GRC solution or adding support for a few additional regulations to claim multi-regulatory label.

@@ Line 3: / Line 3: @@
 Governance, risk management and compliance (GRC) is a management discipline that takes an integrated firm-wide approach to meeting internal guidelines set for each activity. [[Corporate Governance]], [[Enterprise Risk Management (ERM)]], and [[Compliance|Corporate Compliance]] have been integral to managing companies for a long time. But increasing amounts of regulation, increasing demands for transparency and the exponential growth of third-party relationships have made a siloed approach to these activities costly, risky and untenable. As an integrated approach, GRC is a relatively new management discipline. It can mean different things to different businesses, but integrating GRC processes typically aims to improve information gathering and quality, in order to operate more efficiently, and share information more effectively across the organization to avoid duplication of effort.<ref>Definition - What does Governance, Risk And Compliance (GRC) Mean? [https://www.investopedia.com/terms/g/grc.asp Investopedia]</ref>
 While many experts and GRC vendors disagree on a standard definition for Governance, Risk and Compliance, the Open Compliance and Ethics Group (OCEG) has published one of the most comprehensive GRC definitions. In its GRC Capability Model, Red Book, 2.0, the OCEG defines GRC as a "system of people, processes, and technology that enables an organization to:
@@ Line 25: / Line 27: @@
 *Context and culture – The ability to define and incorporate external and internal business context, culture, values and objectives
-[[File:GRC_Elements.png|300px|GRC Elements]]<br/ >
+[[File:GRC_Elements.png|350px|GRC Elements]]<br/ >
 source: [https://iasaglobal.org/itabok/capability-descriptions/governance-risk-and-compliance/ IASA]
@@ Line 36: / Line 38: @@
 '''The dimensions of a business'''<br />
-[[File:Business_Dimensions.png|300px|Dimensions of a Business]]<br />
+[[File:Business_Dimensions.png|350px|Dimensions of a Business]]<br />
 source: [https://www.capgemini.com/2017/10/grc-101-an-introduction-to-governance-risk-management-and-compliance/# CapGemini]
@@ Line 51: / Line 53: @@
 '''The scope of GRC based on the definition and current trends<br />'''
-[[File:GRC_Scope.png|300px|Scope of GRC]]<br />
+[[File:GRC_Scope.png|400px|Scope of GRC]]<br />
 source: [https://www.capgemini.com/2017/10/grc-101-an-introduction-to-governance-risk-management-and-compliance/# CapGemini]
@@ Line 70: / Line 72: @@
 Within an organization, there are a lot of functions, most of which are markedly different from each other. It is now up to the organization to align those functions – even the highly differentiated ones – in order to make their GRC programs succeed.