Although governance, risk management and compliance (GRC) laws and regulations vary greatly by jurisdiction, issuing authority, regulator and target industry, certain common GRC issues recur across them and can be used to group mandates into categories. The following nine GRC issues (with examples) may serve as a useful taxonomy of these key common issues: (1) corporate governance, (2) risk assessment and risk management, (3) privacy and security, (4) documentation, (5) records and information management, (6) audit and controls, (7) reporting, (8) certification, and (9) know your customer.
1. Example of Mandates Dealing With Corporate Governance
2. Example of Mandates Dealing With Risk Assessment and Risk Management
3. Example of Mandates Dealing With Privacy and Security
4. Example of Mandates Requiring Documentation
5. Example of Mandates Dealing With Records and Information Management
6. Example of Mandates Dealing With Audit and Controls
7. Example of Mandates Requiring Reporting
8. Example of Mandates Requiring Certification
9. Example of Mandates Dealing With “Know Your Customer”
To better understand the IT and business impact of international, U.S. federal and state laws and regulations, it could be helpful to create a database of the various laws and regulations, classified according to the GRC categories above. Corporate users of such a database could then, for example, analyze the overlap and duplication among all laws and regulations that require them to engage in risk assessment and risk management activities. Once that analysis is complete, they will be better prepared to apply risk management IT solutions in a focused manner to the combined and distilled risk assessment requirements of all their applicable mandates.