The term ‘integrated GRC management’ is generally defined as an integrated approach to developing and operating the structures and processes required to cover the three functions of Governance, Risk and Compliance Management. GRC management is a comprehensive instrument of corporate control. In the past, companies frequently developed separate, independent risk and compliance management systems, resulting in what were described as silo functions or island solutions for the individual management functions, each put into effect with a variety of different methods. This resulted in duplication of effort, unclear segregation of responsibility, and a loss of overall overview at the operating company and at group level. An integrated GRC Management monitors, analyzes, manages, and reports comprehensively across all business activities (legal entities, divisions and processes) that give rise to risks or to criminal offences.
With integrated GRC Management, the situation cannot arise in which, for example, Risk Management reports an increased address deficiency risk for a customer while, at the same time and unknown to Risk Management, Compliance Management determines for the same customer that the customer is misaccounting for V.A.T. and/or is suspected of money laundering because he is listed on a ‘restricted list’. With integrated GRC Management, all of this information comes together. In the course of a business partner analysis in Risk Management, a counterparty compliance check with regard to anti-money-laundering issues is carried out at the same time. A properly functioning GRC takes effect right across the company and applies uniform methods.
Using a structured questionnaire, one can determine specifically and efficiently at which points in the company risks must be managed and controls must be implemented. One aim, among others, is to link GRC Management with the company-wide internal control system (ICS).