What Is Governance, Risk and Compliance (GRC)

Governance, risk and compliance (GRC) refers to an organization's strategy for coordinating corporate governance policies, enterprise risk management programs, and regulatory compliance. GRC aims to help organizations act ethically and achieve goals more efficiently by taking a holistic rather than siloed approach. GRC software combines applications that manage core GRC functions into a single integrated package to provide improved visibility, ongoing compliance, and reduced risks across an organization. Effective implementation of GRC requires integrating data from different departments and ensuring all users are properly trained on the new system.

Uploaded by

Javeed A. Khan

11/14/22, 10:50 AM What is Governance, Risk and Compliance (GRC)?

What is governance, risk and compliance (GRC)?


Governance, risk and compliance (GRC) refers to an organization's strategy for handling the
interdependencies between the following three components:

corporate governance policies
enterprise risk management programs
regulatory and company compliance

GRC emerged as a discipline in the early 21st century when companies recognized that coordinating the
people, processes and technologies they used to manage governance, risk and compliance could benefit
them in two ways. A synthesized approach would help ensure their organizations acted ethically. It would
also help them achieve their goals by reducing the inefficiencies, miscommunications and other perils of a
siloed approach to governance, risk and compliance.

Any size organization can use GRC. Developing a GRC discipline is especially important for large
organizations that have extensive governance, risk management and compliance requirements and where
programs to meet these requirements often overlap.

Core GRC principles


The three components of GRC are defined as follows:

1. Governance refers to the ethical management of an organization by its leaders in accordance with
approved business plans and strategies.
2. Risk management refers to an organization's process for identifying, categorizing, assessing
and enacting strategies to minimize risks that would hinder its operations and to control risks that
enhance operations.
3. Compliance refers to the level of adherence an organization has to the standards, regulations and best
practices mandated by the business and by relevant governing bodies and laws.

These three activities traditionally functioned more or less separately. In a GRC approach, each of the three
component programs continues to interact with and support existing business functions, but the intersection
of the three is where the benefits become apparent.

https://www.techtarget.com/searchsecurity/definition/governance-risk-management-and-compliance-GRC

Why is GRC important today?


As businesses grow increasingly complex, they need a way to effectively identify and manage key activities
in the organization. Also needed is the ability to integrate traditional distinct management activities into a
cohesive discipline that increases the effectiveness of people, business processes, technology, facilities and
other important business elements.

GRC achieves this by breaking down the traditional barriers between business units and requiring them to
work in a collaborative fashion to achieve the company's strategic goals. GRC is one of the components of a
well-managed organization in the 2020s.

[Figure: Components of an integrated approach to governance, risk and compliance]

GRC strengths and limitations


If properly implemented, GRC policies, practices and software offer the following benefits:
reduced costs;
improved leadership effectiveness across all aspects of governance;
increased visibility into risks, threats and vulnerabilities;
ongoing compliance with required standards and regulations;
protection against unfavorable internal audits, financial penalties and litigation; and
reduction in risk across the entire organization, including business risks, financial risks, operational
risks and security risks.

If improperly implemented, or if senior management support for GRC is minimal, problems may
emerge. These include high costs stemming from reduced risk visibility, reduced performance due to weak risk
visibility, and fragmentation across the organization's departments and workforce.

GRC software and tools


GRC software combines applications that manage the core functions of GRC into a single integrated
package. It enables an organization to pursue a systematic, organized approach to managing GRC-related
strategy and implementation. Instead of using siloed applications, administrators can use a single framework
to monitor and enforce rules and procedures. Successful installations enable organizations to manage risk,
reduce costs incurred by multiple installations and minimize complexity for managers.

Effective GRC software includes risk examination and risk assessment tools that identify linkages to
business processes, internal controls and operations. GRC software will identify the processes and tools that
control those risks and integrate the single, multipoint and enterprise-wide software the business currently
uses.

GRC software also provides a structured approach for compliance with legal and regulatory requirements,
such as those specified in the Sarbanes-Oxley Act, General Data Protection Regulation, or occupational
health and safety regulations.

Other features offered in GRC platforms include operational risk management; information technology (IT)
risk management; policy; audit management; third-party risk management; issue tracking and document
management.

GRC software considerations


GRC software products are available from a number of vendors. Products accommodate virtually any type or
size of organization, including organizations with many lines of business.

GRC software can be confusing for businesses, however, because the market is replete with many types of
products, including the following:

integrated GRC products, which aim to provide an enterprise-wide approach to GRC, as noted above;
GRC products that target only certain areas, such as finance, IT or risk; and
"point solution" products that may target one component of GRC but not all three.

GRC tools are increasingly cloud-based, but on-site systems are available, as are freeware options. GRC
vendors are incorporating automation and artificial intelligence technologies, including machine learning and
natural language processing, to help organizations keep abreast of new and evolving risks and to make GRC
tools more user-friendly.

Examples of GRC products include IBM OpenPages with Watson; Galvanize's HighBond platform;
ServiceNow Governance, Risk, and Compliance; Navex Global's Lockpath platform; and LogicManager.

Implementing GRC
GRC software implementation typically involves complex installations that include vendor negotiation and
coordination of data between the vendor's technical team and multiple departments in the organization,
including business, IT, security, compliance and auditing.

Major challenges include integrating data and other relevant information from internal departments and
external organizations into useful GRC information and ensuring all GRC system users are properly trained
to obtain maximum benefit from the software.

Changes in the corporate culture may be needed to accommodate the collaborative nature of the new GRC
system. Periodic testing of GRC software is essential to ensure it is being properly used by internal
departments. Like other critical systems, GRC software must be added to technology disaster recovery (DR)
plans to ensure it remains operational in a disruptive event.

Benefits of GRC software


Once in place, GRC dashboards and data analytics tools can help administrators identify an
organization's risk exposure, measure progress toward quarterly goals or quickly pull together an information
audit. Good governance -- defined as effective, ethical management of a company at the executive level -- is
treated as an objectively measurable commodity. Data retention and risk management are converted to
similarly measurable metrics. Compliance with standards and regulations can be further assured as GRC
software examines existing activities against standards and regulations and identifies areas for improvement.

GRC software, therefore, can satisfy the needs of multiple stakeholders, including the following:

business executives who need to identify and manage risk;
finance managers assigned to meet regulatory compliance requirements;
legal counsel grappling with discovery and records retention; and
IT directors managing software installations related to GRC projects across an organization.

GRC maturity model


When embarking on a GRC program, it is typically beneficial to establish a benchmark from which to plan
and execute the program. A maturity model is one possible approach, as it defines the stages through which
an organization can progress to achieve a suitable level of GRC excellence.

The following figure presents a basic GRC maturity model. It can be expanded and modified into greater
detail as needed and serve as part of the GRC program planning process.

Stage 1 describes an organization with no integration of GRC: The three disciplines of GRC coexist but do
not collaborate on governance, risk and compliance. As the stages progress, the importance of GRC
integration is recognized and approved by senior management; manual processes commence; software
takes the process to a higher level of cross-organization integration and automation; and, finally, the
organization's culture -- and, by extension, its way of doing business -- has adapted to a fully integrated GRC
approach.

The dos and don'ts of GRC practices


Managing governance, risk and compliance is one of the organization's most important and complex
activities. As your organization establishes a GRC program, keep these dos and don'ts in mind.

Dos
1. Be prepared to justify the integration of GRC activities using a business case approach.
2. Secure senior management support and funding for a GRC program.
3. Carefully examine the possible approaches to a GRC program, and develop a project plan.
4. If software is part of the plan, perform due diligence when selecting a software product.
5. Prepare and deliver awareness and training activities to sell employees and management on the value of
integrated GRC activities.
6. Recognize that not all employees will embrace a GRC program; ensure those who stand to benefit the
most are on board.
7. Partner with IT to develop an effective system rollout plan.
8. Provide opportunities for employees to test the system before it is put into production.
9. Take care to note employee comments during the test period and share them with the technology vendor.
10. Provide regular briefings to senior management and employees on the program status.
11. Implement the rollout; check for issues, and resolve them quickly.
12. Establish a system maintenance and updating process.
13. Ensure the new system is included in technology DR plans.
14. Establish a program to track program performance and share results with employees and management.

Don't do the following when planning a GRC program


1. Don't assume an integrated GRC program will benefit the company; it may not.
2. Don't assume senior management will quickly embrace a GRC program.
3. Don't assume employees will embrace a GRC program, especially if it means changing the ways they
have performed their work over the years.
4. Don't forget to examine the different approaches to a GRC program; consider a maturity model.
5. Don't conduct a minimalist examination and analysis of business processes when determining if an
integrated GRC approach will work; understand the business as much as possible.
6. Don't hesitate to contact other organizations to see if their GRC approach worked; this is especially
important if GRC software is being considered.
7. Don't fail to collaborate with IT throughout the project.
8. Don't assume employees and management will attend awareness and training sessions; this is where
management support can help.
9. Don't ignore the importance of having a project plan for a GRC system implementation.
10. Don't get upset if management decides to defer or cancel the program.
