SOC 2, GRC, and ESG: From Acronyms to Action

GRC is short for “Governance, Risk (or Risk Management), and Compliance.” ESG is short for “Environmental, Social, and Governance.” Compliance with SOC 2 can be a significant step toward success in both arenas.

SOC 2 and GRC: Better Together

The OCEG defines GRC as “the integrated collection of capabilities that enable an organization to achieve objectives reliably, address uncertainty, and act with integrity.” To achieve these goals, the OCEG has developed the GRC Capability Model, also known as The Red Book. According to the organization, that document is an “open-source standard that integrates the various sub-disciplines of governance, risk, audit, compliance, ethics/culture and IT into a unified approach.”

[Image: GRC Capability Model]

As illustrated in the image above, the GRC Capability Model embraces four activities intended to be performed recursively. First, practitioners learn about the company, its environment, and its culture. They then align their strategy with those lessons, perform tasks intended to improve GRC, review the results of those tasks, and learn from that review.

The Model is designed to be used with other frameworks, such as those from the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST). The SOC framework and the GRC Capability Model share characteristics that make SOC 2 compliance a substantial step toward better GRC for your company.

  • Both focus on defining common components, elements, and requirements.
  • Both focus on standardizing practices for policies and processes.
  • Both emphasize the value of detailed assessment of current environments and resources.
  • Both offer guidance for selecting and implementing relevant technologies.

SOC 2 and ESG: Beyond Financial Concerns

ESG describes factors used by investors and others to evaluate company performance beyond balance sheets and other financial statements. Specifically, investors look closely at how companies manage their environmental impacts, social issues such as diversity and advocacy for social good, and governance. ESG evaluations strive to measure a company’s sustainability and ethics and to determine how well a company serves all of its stakeholders, not just its shareholders but also its communities, its workers, and the environment.

While there is no OCEG-like body focused on ESG issues, multiple companies offer ESG assessment and rating services. There are also multiple frameworks for reporting on ESG characteristics, from sources ranging from the United Nations to the European Union.

SOC 2 compliance, with its focus on availability, confidentiality, privacy, security, and other areas, and with its comprehensive reporting requirements, can be a valuable part of your company’s ESG compliance and reporting efforts. For example, strong SOC 2 controls around hiring and HR concerns can help strengthen your company’s diversity, equity, and inclusion (DE&I) policies and processes. And the SOC 2 controls focused on availability include requirements for environmental protections that can enhance your company’s overall posture regarding the environment.

SOC 2: A Foundation for Your GRC and ESG Efforts

SOC 2 compliance offers multiple benefits to your business, from improved operations to compatibility with partner companies’ security and privacy requirements. SOC 2 compliance can also help your company achieve its GRC and ESG goals, wherever you may be in either of those journeys. If your candidate or chosen auditors don’t mention GRC or ESG to you, bring these topics up with them as you choose an auditor and prepare for your SOC 2 readiness assessment and audit.