“GRC” is now a certified corporate buzzword (or buzz-acronym), according to Todd Hohn, CSP, and vice present of strategic resources for PureSafety.

“These activities — governance, risk management, and compliance — impact organizational success in many areas, including workforce safety and health. The popularity of the acronym reflects the increased attention to, and integration of, these activities, inspired in part by the Sarbanes-Oxley Act of 2002,” writes Hohn in a PureSafety newsletter.

Sarbanes-Oxley applies only to publicly traded companies, but principles like transparency, accountability, and rigorous internal controls have been widely adopted as corporate best practices, Hohn says.

Hohn argues that GRC leaves one key element out of the equation: culture.

Changing and conforming to policies and procedures will go for naught without a strong organizational culture, states Hohn. “No matter what the goal is — safety, quality, profitability — results ultimately depend on an organization’s people consistently acting in ways that serve that goal. Not because a policy or procedure tells them to — but because they understand what’s at stake and are motivated to do what’s right,” writes Hohn.

He details “the full progression” to CRGC:

  • Compliance — the first goal of any EHS program is to meet mandated regulatory standards.
  • Risk Management — after meeting the minimal external standards, the goal of Risk Management is to better identify risk and control exposures to loss specific to your workplace.
  • Governance — in most cases, compliance and risk management primarily involve frontline managers and employees. The goal of Governance is to provide information, insight and visibility to senior management to drive top-level decisions that further improve EHS programs and business performance.
  • Culture — As important as compliance, risk management and governance are to establishing a good EHS program, Culture is what ties them together, keeps processes working, and drives continuous improvement.