Ask a room full of IT professionals to define Governance, Risk Management, and Compliance (GRC), and you’re likely to get a lot of blank stares. The fact is it’s not easy to define GRC, in part, because each of the three terms seems to require its own definition. This reality was driven home by French Caldwell, a Gartner VP/Fellow and leading authority on the subject, when he included the following in a 2010 blog post:
- Governance — the process by which policies are set and decision making is executed.
- Risk Management — the process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions, going beyond which creates an unacceptable potential for loss.
- Compliance — the process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements.
A Source of GRC Confusion
The three definitions are abstract, to say the least, and do little to help the uninitiated understand the various types of technologies that may fit into each category. Because the GRC class is complex, diverse, and not widely understood, B2B software vendors from a variety of market sectors may, from time to time, define their own platforms/solutions as being GRC technologies, which often causes true GRC vendors to roll their eyes and mutter.
I’ve posted several blog entries about how HotDocs has been used to solve governance, risk management (risk mitigation), and/or compliance problems, relating specifically to the generation of transactional documents and forms. Given the fact that HotDocs is definitely not a “GRC” platform, the true GRC folks might look to me as part of the greater problem—the muddling of an already difficult to understand classification.
External GRC Validation
So why am I pointing this out now? Because Jim Sinur, another Gartner VP and a leading authority on business process automation, recently published a blog, himself, about a large government agency that had solved a huge GRC problem using HotDocs. The post is an astounding account of an agency that reduced the time it took to generate a contract from 3 months to 3 hours, while, at the same time, virtually eliminating legal circumstances arising out of human error in contracts.
Is document generation a subset of the GRC class? I’ll stop short of answering yes to that question. But can document generation be used to govern the process of generating documents, while reducing the risk of human error, and assuring compliance to internal policies and external laws? Absolutely!