Inside Carnival Corp: A GRC Case Study

As chief audit executive of the largest cruise vacation company in the world, Carnival Corporation & plc's Richard Brilliant takes an all-hands-on-deck view of governance, risk, and compliance (GRC) management.
"GRC is everything," says Brilliant, who also believes that "everyone's job can be described as managing risk."

The process by which GRC has developed at Carnival Corporation should serve as a model for other companies seeking to implement or strengthen GRC programs of their own for three reasons.

First, Carnival defines GRC clearly and practically; the company uses GRC as a platform that supports the execution of internal audit's operational improvement work, Sarbanes-Oxley compliance, other regulatory compliance assessments, and, most recently, enterprise risk management.

Second, the process by which the company built its GRC platform -- starting with executive support for an internal audit function whose objectives include facilitating operational improvements using a process approach in a highly decentralized collection of businesses (or brands, in Carnival parlance) among several other components -- demonstrates the building blocks of effective GRC capabilities.

Finally, Carnival Corporation's GRC development is ongoing. For example, Brilliant sees benefits if employee policies and procedures were to be updated to clearly lay out the risk(s) each position in the company is responsible for monitoring and mitigating. "And we don't want to stop there," he adds. "Why not set up facilitated sessions in which management and employees can get together on a regular basis and talk about risk? We're even considering mechanisms through which employees might communicate directly to our risk committees. We want to be creative."