Governance, Risk and Compliance

Lately I keep seeing articles mention the three letters G.R.C. These three letters stand for:

The origin of these three letters can be traced back a long, long time ago… the Enron case, and the string of scandals that broke afterwards… Then, to ensure the transparency of corporate financial disclosures and to make sure shareholders' rights were not trampled by a few people with bad intentions, the U.S. SEC successively issued a pile of laws and regulations, the fiercest of which was the Sarbanes-Oxley Act…, demanding that companies behave, raising the responsibilities that management must bear… and so on. To this day the regulatory-compliance effect keeps heating up, rolling bigger and bigger like a snowball (who knows how big it has gotten by now), and a while ago it rolled out these three words: Governance, Risk and Compliance (GRC).

On the definition of Governance, Risk and Compliance:

According to Michael Rasmussen, an industry analyst at Forrester Research, the challenge in defining GRC is that individually each term has “many different meanings within organizations. There is corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, Sarbanes-Oxley (SOX) compliance, employment/labor compliance, privacy compliance . . . you get the picture.”

I searched for a long time for a definition of Governance, Risk and Compliance, and this is the one I personally think is fairly good: it basically tells everyone that GRC is hard to define (ha). Essentially, Governance, Risk and Compliance can be examined as three independent topics, or they can be examined together as an integrated whole. On top of that, each topic has many sub-items worth studying in depth… Meh! (That is about as useful as saying nothing @@; go ask Google!)

Next, here is an interesting video for reference: Mash Compliance TV – What is the Role of Information Technology in Governance, Risk and Compliance?

[Video: Governance, Risk and Compliance]

In this clip, Lee Dittmar (Deloitte Consulting) describes the role of information technology in Governance, Risk and Compliance.

Key Takeaways:

  • In a Deloitte research report, 61% of 385 companies were not meeting their information objectives for financial reporting three years after Sarbanes-Oxley.
  • Focus on the information element of information technology.
  • Unnecessary complexity in the IT architecture (i.e., more than one solution that does the same thing) is a pervasive problem.
  • What’s best for the individual business unit often makes it more difficult for the controller and CFO to provide the most reliable financial information.
  • Understand when architectural decisions have an impact at the enterprise level.

[Source] SOX Television: Sarbanes-Oxley Research and Resources

This site offers many clips of expert interviews about the Sarbanes-Oxley Act; the content is rich, and you can practice your English listening while you are at it. ^^