Governance, Risk and Compliance (GRC) are three pillars that work together to assure that an organization meets its objectives.
Governance is the combination of processes established and executed by the Management Team (MT) that are reflected in the organization's structure and how it is managed and led toward achieving goals.
Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on organization objectives; that direction is set through prioritization and decision making; and that performance and compliance are monitored against the agreed-on direction and objectives.
This means that governance should:
- Evaluate to determine balanced, agreed-on organization objectives to be achieved
- Direct through prioritization and decision making
- Monitor performance, compliance and progress against the agreed direction and objectives
Management, on the other hand, plans, builds, runs and monitors activities so that they align with and support the governance objectives. If you're trying to get the organizational separation straight, think of it like this: governance is a responsibility of the MT, while management is a responsibility of executive management.
Risk is the probability or threat of damage, injury, liability, loss or any other negative occurrence that is caused by external or internal vulnerabilities and that may be avoided through preemptive action. Risk management is the set of processes through which management identifies, analyzes and, where necessary, responds appropriately to risks that might adversely affect the realization of the organization's business objectives. The response to a risk typically depends on its perceived severity and consists of controlling it (mitigation), avoiding it, accepting it, or transferring it to a third party (for example through insurance or contract).
Compliance means conforming to stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined, for example, in laws, regulations, contracts, strategies and policies), assess the current state of compliance, weigh the risks and potential costs of non-compliance against the projected expense of achieving compliance, and on that basis prioritize, fund and initiate any corrective actions deemed necessary.