Governance vs. Compliance: Avoiding the Tradeoff

By Karen Guglielmo posted 07-26-2018 16:34

Can we agree that corporate governance, risk management and compliance (GRC) is not exactly a light responsibility? Described by the nonprofit Open Compliance & Ethics Group (more commonly called OCEG) as the “integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity,” GRC, in short, covers pretty much everything. But where do information governance and compliance fit within it, and does one have to come at the expense of the other?

Those in an organization responsible for governance, risk management and compliance tend to have a lot on their plates. The whole idea of GRC entered the corporate lexicon around the early 2000s, after some corporations stumbled a bit, or, as the case may be, quite a lot, because these functions were siloed or not really addressed at all.

But no matter how large an organization’s governance, risk management and compliance steering committee is or how frequently it meets, the sheer breadth of its charge — dealing with all things GRC — means that not everything is going to be addressed at every single meeting. To put it delicately, in the real world, there is only so much space on the agenda. There can be some competition to get information governance and compliance as an agenda item. At any given meeting, a GRC steering committee “does not necessarily address all areas of governance, risk and compliance,” explains Iron Mountain’s Chief of Staff, Legal, Jill Mongeau Gaines, formerly the company’s director of policies, governance and corporate records management.

So, of course, governance, risk management and compliance steering committees talk about health and safety issues, environmental issues, information security and other pressing concerns, but some steering committees tend to be reactive in their approach: They respond to matters (or, really, problems) that, for whatever reason, have come to the forefront. Issues that are just as important but less visible, such as how information governance and compliance fit together, can command less attention.

But there need not be any tension between information governance and compliance. Both GRC and information governance (IG) should have their own steering committees, with a clear reporting line from the IG committee to the GRC committee. “Information governance is just a subset of governance, risk management and compliance,” Mongeau Gaines notes. “Governance, risk management and compliance are overarching.” Simply having a number of committees at the same level, without a chain of command between them, is not that effective.



Read the full blog on InfoGoTo.com at https://www.infogoto.com/governance-vs-compliance-avoiding-a-tradeoff/