Governance, Risk Management & Compliance (GRC) is an overall label for companies to implement best practices in their business and IT process to protect consumers and financial markets.
The concept began in the mid-to-late 1990s when several large publicly traded companies were found to have implemented shady practices to defraud customers, falsely report earnings and evade Federal Regulations.
As a result U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH) sponsored a bill known as the ‘Public Company Accounting Reform and Investor Protection Act’ (in the Senate) and the ‘Corporate and Auditing Accountability and Responsibility Act’ (in the House). The bill has become affectionately known as the Sarbanes-Oxley Act or simply SOx and was signed into law in 2002.
The bill was enacted as a reaction to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals cost investors billions of dollars when the share prices of affected companies collapsed, and shook public confidence in the US securities markets. ~ Wikipedia: SOx
I would include the Government Service Agencies Fannie Mae and Freddie Mac in that list as well. As the scandal behind these major corporations hit the airwaves, other companies believing they were above-board ordered audits. Fannie and Freddie both did this to ensure their customers and consumers that the were above reproach. Many companies discovered their books weren’t so clean. Fannie Mae’s audit discovered the corporation had over reported it’s earnings and fell into an $11 billion accounting scandal. (CorpWatch: US: Report Says Fannie Mae Manipulated Accounting).
Freddie Mac’s only saving grace was that they under reported earnings by $5+ billion. (NYTimes: Freddie Mac Says It Understated Profits by Up to $6.9 Billion). The corporate motto was “Steady Freddie”, a phrase that signaled the companies stead and upward growth. In the late 80s and early 90s the housing bubble created a blizzard of profits for many financial companies. Freddie’s profits shot up like a rocket during this period. But the company leadership determined this may not be a good sign for the overall market and that lean years were coming. A sign to many that at least at Freddie Mac, they knew the bubble was going to burst as it did in 2006/2007.
In order to survive the burst, Freddie Mac management held back profits and devised an accounting scheme to store the extra profit and hold it for a rainy day. When other companies were showing losses in profit, Freddie would pull from their slush fund and show a continued and steady growth. Giving the impression the corporation had a better grasp on business, remaining Steady Freddie.
In 2001 as these scandals were becoming apparent, congress took action. GRC was born and a new industry was born.
Range Of Governance
GRC not only hits the business side of your business, but also your IT side and that’s where I got my start in the grand scheme. Two areas of SOx define the foundation for IT in this new regulatory world. Section 404 – Management Assessment of Internal Controls and (to some extent) Section 302 – Corporate Responsibility for Financial Reports explain the Information Technology roll.
Streamlining your IT operations is not only necessary, it is also beneficial to your overall bottom dollar. It helps you reduce cost, improve performance and quality, and ensures the security of your corporate data and assets.
GRC is not restricted to public companies either. Any business, small or large, should be implementing some level of GRC. Especially those companies that want to go public one day. Start it up front and you’ll save the expense of going back and retro-fitting, which really can be very costly. But it will also save you money in every day IT business practices along the way as well.
Ensuring security is the driving force behind most compliance controls is a key issue. Every day you can read the headlines about another organization who has had a breach in security where customer data has been compromised. Recent headlines have shown that these violations in security have come from within the organizations; either by their own staff or from their own internal processes that helped breach security.
Whither you’re running a large corporation with a large IT organization or a small company that’s simply trying to become compliant to gain an advantage in the market place; implementing IT Governance, best practice initiatives and Sarbanes-Oxley compliance is beneficial to your organization and business. The advantages long-term seriously out weigh the cost and effort expended up front. With streamlined reusable processes and procedures that have built-in steps for risk management and compliance, you can deliver better, more secure and more effective products, quicker and under estimated costs.
See my IT Governance section for more information about IT Audit, and Governance, Risk Management & Compliance (GRC) and Risk, Security & Compliance Assessments (RSCA).
December 15, 2006
© 1997-2019 Springwolf, D.D., Ph.D., Springwolf’s Creations. All Rights Reserved.