Besides investors, the other important external groups are institutions inside and outside of government that set rules that must be followed. This group includes all of the following types of organizations:

- Legislative bodies that make laws that must be complied with.
- Government agencies responsible for carrying out laws, such as OSHA, the EPA, U.S. Customs, and many others.
- Financial regulators that set standards for financial reporting, such as the Securities and Exchange Commission, Financial Accounting Standards Board, Federal Reserve, Bank for International Settlements, and others.
- Non-governmental organizations (NGOs) charged with setting policies that govern how business is done, such as the United Nations.
- Trade organizations such as the World Trade Organization, World Intellectual Property Organization, NAFTA, CAFTA, and others.
- Auditing firms that certify the correctness of the procedures and policies used for financial reports.

This list of stakeholders is constantly changing as new issues arise and new laws and regulations are created to address them.
Understanding GRC by the Letters
So far in this chapter, we’ve treated GRC like a large black box: a mysterious container full of improved processes and software for automation. Now it is time to open that box and look inside at all the moving parts. The challenge in moving to a more detailed discussion of GRC is that the meaning of the terms and the actions required are different depending on the nature of the business. GRC activities at a stock brokerage firm will be quite different from those at a chain of grocery stores, for example, although the goals at the highest level are the same.

This section breaks down GRC into its component parts by looking at the meaning of each of the three words that make up the acronym: governance, risk, and compliance. The challenge here is that these words are general terms as well as terms of art applied to GRC, so we start our discussion by separating the informal meanings of the terms from the precise way these words are used with respect to GRC.
22 Part I: Governance, Risk, and Compliance Demystified