Although risk is often the most discussed element of GRC (Governance, Risk, Compliance), it is important to understand all aspects. Let's start with Governance.

In my last article, I talked about “What is GRC?” and recommended the Open Compliance and Ethics Group’s (OCEG) definition. The next step is to address its first element – Governance; again, there are multiple definitions.

The Many Ways to Define Governance in GRC

The Organisation for Economic Co-operation and Development (OECD) says Governance involves:

“A set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.”

The Cadbury Committee (the governance source for UK listed companies) has a simpler definition:

“The system by which companies are directed and controlled. Boards of directors are responsible for the governance of their companies.”

“The shareholders' role in governance is to appoint the directors and the auditors and to satisfy themselves that an appropriate governance structure is in place. The responsibilities of the board include setting the company's strategic aims, providing the leadership to put them into effect, supervising the management of the business, and reporting to the shareholders on their stewardship.”

The Corporate Governance Committee of Japan has this:

“Corporate governance is a scheme for ensuring that the executive managers, who have been placed in charge of the company, fulfill their duties.”

Forrester Research, an analyst firm, defines Governance as:

“The culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed. Corporate governance includes the relationships among stakeholders and the goals for which the corporation is governed.”

I like the one from the Australian Stock Exchange (ASX):

“The system by which companies are directed and managed. It influences how the objectives of the company are set and achieved, how risk is monitored and assessed, and how performance is optimized.”

The Institute of Internal Auditors’ (IIA) definition is:

“The combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.”

OCEG says:

“Governance is the culture, values, mission, structure and layers of policies, processes and measures by which organizations are directed and controlled. Governance, in this context, includes but is not limited to the activities of the Board, for governance bodies at various levels of the organization also play a critical role. The tone that is set, followed and communicated at the top is critical to success.”

Differences in Governance Definitions

What do we make of all these?

  1. Some limit Governance to the activities of the Board:
    • Cadbury
    • Japan
    • IIA
  2. Others include management as well as the board (by talking about directing (board) and managing or controlling (management)):
    • Forrester Research
    • Australian Stock Exchange
    • OCEG
  3. That leaves OECD, which I find ambiguous and therefore not very useful.
  4. All pretty much talk about:
    • Setting the objectives (strategy) of the company
    • Appointing leadership
    • Ensuring appropriate tone at the top (culture and values)
    • Managing risks (implicit if not stated)
    • Monitoring and optimizing performance

Each of us can determine whether we define Governance as including only board processes or also those of management.

But in the GRC model, it has to include how management ensures the directives of the board are achieved. Personally, I use either the OCEG or ASX definition. You can see my blog on the elements included in Governance here.