A brief history and the subsequent evolution of GRC frameworks

Symbiant is the winner of the Business Reporter Best of British Business Award 2023 as a leader in the GRC software solutions sector.

GRC has been growing in familiarity for over a decade – how did it evolve into the framework we use?

GRC stands for governance, risk management and compliance. The acronym has grown in use in the past decade, but how have the terms we know and use evolved?

Businesses have been implementing elements of GRC in some form for much longer than we’ve been calling it that – an argument can be made that elements of GRC have been present for as long as there have been businesses.

Before GRC appeared as we would recognise it today, however, it looked rather different and has taken various forms over the years. While GRC was (and still is) a personalised part of any business and could vary significantly, the tools used were generally similar.

Here, we’ll dive into some of the past forms of GRC and see how it evolved into the acronym we’re familiar with today.

Ensuring risks are managed and mitigated and putting compliance procedures and internal governing policies, such as a code of conduct, have long been concerns for any business. The methods and specifics have adapted and changed along with various laws, crises and scandals that have arisen over the years. But GRC – or something like it – has always been a part of how businesses have operated.

In the 1960s and 1970s, formal risk management as we recognise it today didn’t exist. Yet the UK and the US were in the process of establishing regulatory frameworks that have since evolved into what we now recognise as GRC.

Some of the acts brought in during this period include the Securities and Exchange Act of 1934 and the Foreign Corrupt Practices Act (FCPA) in 1977 in the US, and the 1967 Companies Act in the UK. Arguably, various corporate scandals, such as the Lockheed bribery scandal and the collapse of the Penn Central Railroad, played a role in bringing in these regulations.

The 1980s and 1990s saw further development of corporate governance principles and standards. In the UK, this occurred through the publication of the Cadbury Report in 1992 and the Turnbull Report in 1999. In the US, it involved enacting the Sarbanes-Oxley Act (SOX) in 2002. These aimed to increase corporate transparency, accountability and financial reporting. The Turnbull Report, for example, highlighted the need for more robust internal controls and collaboration through communication on the implemented controls.

GRC was growing in importance for organisations, but the methods were still limited; at this point, most organisations would have been using pen and paper and shifting towards using Excel spreadsheets. However, both of these methods have severe drawbacks, such as a lack of ownership, and the information in spreadsheets was cumbersome and disjointed, which resulted in time-consuming management and reporting.

Things developed further in the early 2000s, when GRC as we know it began to emerge. Organisations had started to give compliance and audit processes more significance. Some had begun to develop software solutions to address the issues various studies had been highlighting, such as the Turnbull Report, which stated that internal controls and collaboration through communication were essential to more effective risk management. These software solutions were generally standalone programs focusing on specific topics such as risk or audit management. The main limitation was the lack of collaboration and accessibility these tools provided. Another major drawback was the lack of cohesion with all aspects of GRC data, so the information was also still disjointed and required many man-hours to produce the correct management reports; regardless, they were still a step up from the previous methods.

In 2002, Symbiant, a UK software development company that was a pioneer in web-based audit and risk applications, combined its Risk Suite with its audit action tracking tool, Symbiant Tracker, to create an online solution that included risk registers, risk workshops, incident reporting, assessments, KRIs, questionnaires and audit action tracking. It was the first collaborative software-as-a-service GRC solution, allowing all areas of a business to become involved in GRC processes. But more importantly, it gave management holistic reports showing high-level information that had previously been hidden.

The 2010s is when the GRC and related software market exploded in popularity following the 2008 financial crisis, which highlighted the importance of risk management and corporate governance. This crisis encouraged regulatory bodies across the globe to introduce stricter regulations, leading organisations to adopt more comprehensive risk, governance and compliance frameworks to meet the new requirements.

Symbiant continued to develop its software to meet client needs, and the regulatory requirements that its clients would need to meet. The original Risk Suite software had undergone several complete rewrites to remain at the forefront of GRC-related software.

With a small, dedicated team, Symbiant actively ensured the development of its software in line with regulations and client specifications.

GRC is still evolving due to various factors, such as growing cyber-threats, data privacy concerns and the increasing globalisation of business operations. GRC is now a strategic imperative, and organisations with effective GRC can provide a competitive advantage and better protect their brand reputation.

To learn more about Symbiant’s modular, fully customisable GRC system, book a demo today at symbiant.co.uk.