
The concept «outsourcing» came from the American Glossary's ‘outside resourcing’, and it dates back to at least 1981.

Outsourcing is an arrangement in which one company provides services for another company that could also have been provided in-house.

«Governance, Risk Management and Compliance» («GRC» for short) is, however, a relatively new term. Some argue that it started after the USA’s Sarbanes-Oxley Act saw the light in 2002. GRC addresses «the three pillars that work together for the purpose of assuring that an organization meets its objectives.» (cite:

OK, let’s start at the top.

Governance concerns the rules senior management puts in place to run a business in a given context, such as:

  • The standards the business should get certified by (ISO, BS, etc.)
  • The organisational model with roles and levels of authority (Hierarchical, Matrix, Network of teams, etc.)
  • The business processes and policies

In addition, all organisations must naturally abide by applicable local and international legislation.

As we all know, senior management cannot outsource the accountability for any aspect of the organisation’s operations. Hiring management consultants for a limited period of time, such as to get support through a business transformation, is advisable, but outsourcing the governance on a semi-permanent basis simply does not make any sense.

Senior management cannot outsource accountability

Let me elaborate: by outsourcing the governance of a business, senior management would have a third party running the business they are in charge of, while the third party would be exempt from accountability for its actions. Say the outsourcing company were to break any anti-corruption laws: senior management would still be accountable and would probably end up in jail (at least in Norway).

It’s not technically impossible to outsource governance, but I would definitely look deeply into the matter before making any final decision.

If you have any experience in outsourcing the governance of a business, please leave a comment.

Risk Management concerns dealing with potential unwanted events. Internally, risk management is mainly about handling the risk of the organisation not following the governance set by senior management. Externally, it is centered around dealing with external elements that have a potential impact on the business.

Both internally and externally, risk management includes:

  1. Assessing the probability and the impact of an unwanted event,
  2. Initiating activities to reduce or remove a risk, and
  3. Planning and executing activities when a risk occurs (risk mitigation)

Although outsourcing risk management is technically possible, I would argue that effective risk management requires a deep insight into the business, and that knowledge is best kept in-house.


About Gustavo Zaera Holo

Gustavo works in business development, consulting and sales at Computas GRC Services. He has solid technical knowledge, with a background in programming, system administration, technical architecture and project management. Gustavo thrives at the intersection of technology and business, where the opportunities driven by technology can be translated into value creation.
