Can we agree that corporate governance, risk management and compliance (GRC) is not exactly a light responsibility? Described by the nonprofit Open Compliance & Ethics Group (more commonly called OCEG) as the “integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity,” GRC, in short, is pretty much everything. But how exactly does information governance relate to compliance within that picture?
Those in an organization responsible for governance, risk management and compliance tend to have a lot on their plates. The whole idea of GRC really entered the corporate lexicon around the early aughts after some corporations stumbled a bit or, as the case may be, quite a lot when these various functions were siloed or not really addressed at all.
But no matter how large an organization’s governance, risk management and compliance steering committee is or how frequently it meets, the sheer breadth of its charge — dealing with all things GRC — means that not everything is going to be addressed at every single meeting. To put it delicately, in the real world, there is only so much space on the agenda, and there can be some competition to get information governance and compliance onto it. At any given meeting, a GRC steering committee “does not necessarily address all areas of governance, risk and compliance,” explains Iron Mountain’s Chief of Staff, Legal, Jill Mongeau Gaines, formerly the company’s director of policies, governance and corporate records management.
So, of course, governance, risk management and compliance steering committees talk about health and safety issues, environmental issues, information security, and other pressing concerns, but some steering committees tend to be more reactive in their approach: They respond to matters (or, really, problems) that, for whatever reason, come to the forefront. Issues that are just as important but less flashy, like information governance and compliance, might command less attention.
But there need not be any tension between information governance and compliance. Both GRC and IG should have their own steering committees. “Information governance is just a subset of governance, risk management and compliance,” Mongeau Gaines notes. “Governance, risk management and compliance are overarching.” Simply having a number of committees at the same level, with no chain of command between them, is not that effective.
“Part of a governance program should be establishing a committee hierarchy,” Mongeau Gaines suggests. Companies — and their committees — need to develop a way to bring issues up the chain of command. While a GRC steering committee stands at the top of the hierarchy, subcommittees beneath it — including the IG steering committee — should address the particulars.
That way, the GRC steering committee only has to deal with loftier matters that command a higher level of attention, such as the overall strategy of a program or timely matters that involve risk, including the General Data Protection Regulation.