Governance, risk management, and compliance


Governance, risk management, and compliance (GRC) is the umbrella term for an organization's coordinated approach across three practices: governance, risk management, and compliance. [1] [2] [3] [4] Together they form the structured set of objectives an organization uses to ensure it meets industry and government regulations. [5]


History

GRC emerged in response to high-profile corporate scandals, most notably the collapse of Enron Corporation, which exposed the need for integrated governance, risk and compliance practices. Enron misrepresented its income and hid the extent of the company's debt from the public. "Enron was a company where... it was OK to cheat as long as you were making money for the company"; the employees and investors affected by the fraud lost their livelihoods, health insurance plans, retirement plans and more. [6]

In response, the U.S. Sarbanes-Oxley Act of 2002 was enacted to mandate strict internal controls and financial reporting standards. The Act tightened auditing and disclosure requirements for public corporations and is described today as one of the "most impactful" regulations of its kind. [7]

[Figure: Enron closing stock price, 1997-2002. Enron's stock price dropped after the scandal.]

The early 2000s marked the beginning of GRC as a cohesive framework. Organizations began to recognize the interconnectedness of governance, risk management, and compliance. This realization led to the development of software that allows for more efficient management of these functions. For example, in 2002, Symbiant, a UK software development company, created the first GRC software that let teams work together online, combining risk registers, evaluations and audit tracking all in one system. [8]

The first scholarly research on GRC was published in 2007 [9] by Scott Mitchell, founder of the Open Compliance and Ethics Group (OCEG). [10] [11] It formally defined GRC as "the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity", a concept OCEG also calls Principled Performance®. [12] The research referred to the common "keep the company on track" activities conducted in departments such as internal audit, compliance, risk, legal, finance, IT and HR, as well as in the lines of business, the executive suite and the board itself.

Today GRC is regarded as central to running an organization successfully: companies use it to make better-informed decisions, manage risk, meet regulatory obligations and protect their reputation.

Overview [13]

Governance, risk, and compliance (GRC) are three related disciplines that together aim to assure an organization reliably achieves its objectives, addresses uncertainty and acts with integrity. [14] Governance is the combination of processes established and executed by the directors (or the board of directors) that are reflected in the organization's structure and in how it is managed and led toward achieving its goals. Risk management is the anticipation and management of risks that could hinder the organization from reliably achieving its objectives under uncertainty. Compliance refers to adhering to mandated boundaries (laws and regulations) and voluntary boundaries (the company's policies, procedures and similar commitments). [15] [14]

Governance, risk and compliance (GRC) is a discipline that aims to synchronize information and activity across governance, risk management and compliance in order to operate more efficiently, enable effective information sharing, report activities more effectively and avoid wasteful overlaps. It also helps an organization make better decisions and perform better. Although interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.

Organizations reach a size where coordinated control over GRC activities is required to operate effectively. Each of these three disciplines creates information of value to the other two, and all three impact the same technologies, people, processes and information.

Substantial duplication of tasks evolves when governance, risk management and compliance are managed independently. Overlapping and duplicated GRC activities negatively impact both operational costs and GRC metrics. For example, each internal service might be audited and assessed by multiple groups on an annual basis, creating enormous cost and disconnected results. A disconnected GRC approach will also prevent an organization from producing real-time GRC executive reports. GRC proponents liken this approach to a badly planned transport system: every individual route operates, but the network lacks the qualities that allow the routes to work together effectively. [16]

When GRC is not integrated and is instead tackled in a traditional "silo" approach, most organizations must sustain an unmanageable number of GRC-related requirements, driven by changes in technology, growing data volumes, market globalization and increased regulation.

GRC topics

Basic concepts

Implementing GRC [18]

Implementing GRC usually begins with a review of the organization's current processes and systems. Each part of an organization typically has its own way of handling risk and compliance; adopting a single, organization-wide approach to GRC helps everyone work towards the same goals. Five commonly cited steps are:

  1. Take time to understand your current processes: Before implementing GRC, review how things are currently done inside the organization. Perform an internal audit of existing risk and compliance procedures. Different functions within the company may perform these activities in their own way, so it is important to identify similarities and shared methods.
  2. Secure top-management commitment: The GRC approach should be clear to the organization's senior leadership so that they share a common understanding. Integrated GRC gives them better reports, analytics and evidence, and therefore supports better decisions. When top management backs a common strategy, the rest of the organization finds it easier to follow.
  3. Use GRC tools: GRC software makes it easier to track the organization's audits, assessments and progress in one place. With centralized data, organizations can identify trends and patterns and access reports at any time. Shared tooling also connects different teams and reduces confusion between departments.
  4. Improve business performance: One of the main aims of GRC is to improve organizational performance. Better risk management and compliance processes give the organization the information it needs to decide how to improve its goods and services.
  5. Set clear goals and communicate well: An organization must regularly revisit its objectives. Use surveys, meetings and interviews to gather feedback on new changes. Good communication helps employees stay on track and engaged.

Benefits of GRC [19] [13]

1. Improves Decision-Making and Alignment

Bringing GRC together in one system gives leaders a clear view of what is needed to achieve the organization's goals, and of the risks and compliance factors that may affect them. [19] This alignment ensures that decisions are consistent with both the organization's goals and its regulatory obligations.

2. Enhances Risk Management

Risk management is an ongoing process that must be reviewed continually to ensure the company remains compliant with applicable regulations. An integrated approach lets the company perform well while ensuring it can "identify, assess, manage, and monitor risks comprehensively", including risks it may face in the future. [19]

3. Increases Team Efficiency

Where a team has limited time or resources, GRC tooling can automate many manual tasks. This lets staff focus on what matters, keeping the organization secure and compliant, while cutting out redundant work so that time is used more wisely.

4. Avoids Penalties and Fines

Integrated GRC reduces the likelihood that the organization will face penalties, fines or other consequences of failing to follow government regulations and rules. Staying current with newly introduced regulations helps the organization avoid future consequences.

5. Strengthens Trust With Stakeholders

Following GRC practices and staying current with regulations also increases stakeholders' trust in the organization, sustaining its reputation as trustworthy and responsible. This builds confidence among clients, partners and other stakeholders, helping the organization grow and pursue new opportunities.

6. Supports Growth Without Disruption

Managing governance, risk and compliance separately is hard to sustain, especially when an organization is growing rapidly or rules change. An integrated GRC system helps an organization scale smoothly by keeping compliance and risk management organized and manageable.

7. Prevents Corruption [20]

Corruption is driven mainly by personal or group gain, and it is difficult to detect because it constantly changes form and no single person can catch it all. GRC helps fight corruption by integrating governance, risk management and compliance across the whole company, combining rules, monitoring, transparency, accountability and technology to detect unethical behaviour at an early stage and address it.

Real World Example [21]


Walmart is often cited as an example of strong GRC. Walmart sets strict requirements that its suppliers must meet, covering product safety, ethical labor practices, environmental standards and quality checks. These rules are intended to head off risks such as unsafe products, legal exposure or suppliers using unfair labor. By setting clear policies (governance), checking systematically for problems (risk management) and ensuring that employees across the company follow the rules (compliance), Walmart is able to run its supply chain safely and smoothly. [22]

What Walmart gains from GRC

Reduced supply chain risk: Walmart's "Responsible Sourcing" program requires "risk-based auditing and audit assessments to monitor supply chain health." [23] Walmart also reserves the right to terminate its relationship with a supplier business or facility that fails an audit. [23] Together these controls show how GRC-style compliance reduces supply chain risk.

Improved trust and reputation: Strong governance, transparent standards and ethical sourcing signal to employees, consumers and business partners that Walmart is committed to integrity and compliance, which helps it build long-lasting, trust-based relationships with its stakeholders.

Better control across suppliers: Walmart has many suppliers around the world. Applying one set of rules to all of them, rather than different rules in every country, makes its suppliers easier to manage and keeps requirements organized and consistent.

GRC market segmentation

A GRC program can be instituted to focus on any individual area within the enterprise, or a fully integrated GRC is able to work across all areas of the enterprise, using a single framework.

A fully integrated GRC uses a single core set of control material, mapped to all of the primary governance factors being monitored. The use of a single framework also has the benefit of reducing the possibility of duplicated remedial actions.

When reviewed as individual GRC areas, the most common headings are Financial GRC, Operational GRC, WHS (work health and safety) GRC, IT GRC, and Legal GRC.

GRC data warehousing and business intelligence

GRC vendors with an integrated data framework are now able to offer custom built GRC data warehouse and business intelligence solutions. This allows high value data from any number of existing GRC applications to be collated and analyzed.

The aggregation of GRC data using this approach adds significant benefit in the early identification of risk and business process (and business control) improvement.

Further benefits of this approach are that (i) existing, specialist and high-value applications continue without impact, (ii) organizations can manage an easier transition to an integrated GRC approach because the initial change only adds a reporting layer, and (iii) it provides a real-time ability to compare and contrast data across systems that previously had no common data schema.

Adjacent solutions include regulatory technology (RegTech): providers such as Regology and Cube supply regulatory content and intelligence that integrate with GRC platforms.

GRC research

Each of the core disciplines, governance, risk management and compliance, consists of four basic components: strategy, processes, technology and people. The organization's risk appetite, its internal policies and external regulations constitute the rules of GRC. The disciplines, their components and these rules are to be merged in an integrated, holistic and organization-wide manner (the three main characteristics of GRC), aligned with the business operations that GRC manages and supports. By applying this approach, organizations aim to achieve two objectives: ethically correct behavior, and improved efficiency and effectiveness of every element involved. [26]

Future Of GRC

As business and technology change rapidly, so does the way organizations handle GRC. The major trends shaping the future of GRC include:

AI-driven risk detection and compliance automation [27]: Artificial intelligence (AI) can be used to flag suspicious activity from real-time data, to review documents and report errors (saving time), and to forecast potential future risks. Such tooling supplements rather than replaces human judgement: the combination of "human expertise and smart technologies in GRC will enable companies to tackle the increasingly demanding regulatory and risk environment." [28]

GRC and ESG [29]: GRC is no longer only about following rules to avoid fines. Businesses are now also expected to take accountability for environmental, social and governance (ESG) issues, including sustainability. Integrating ESG into GRC allows businesses "to not only meet regulatory expectation but also drive sustainable growth, enhance stakeholder's trust, and strengthen their market positioning." [29]


References

  1. Anthony Tarantino (2008), Governance, Risk, and Compliance Handbook, ISBN 978-0-470-09589-8.
  2. Denise Vu Broady; Holly A. Roland (2008), "The ABCs of GRC", SAP GRC For Dummies, ISBN 978-0-470-33317-4.
  3. Silveira, Patrícia; Rodríguez, Carlos; Birukou, Aliaksandr; Casati, Fabio; Daniel, Florian; D'Andrea, Vincenzo; Worledge, Claire; Taheri, Zouhair (2012), "Aiding Compliance Governance in Service-Based Business Processes", Handbook of Research on Service-Oriented Systems and Non-Functional Properties (PDF), IGI Global, pp. 524–548, doi:10.4018/978-1-61350-432-1.ch022, ISBN 9781613504321. Retrieved 2013-04-06.
  4. Scott L. Mitchell (2007), "GRC360: A framework to help organisations drive principled performance", International Journal of Disclosure and Governance, 4 (4): 279–296, doi:10.1057/palgrave.jdg.2050066, ISSN 1741-3591, S2CID 154869217.
  5. "What is GRC? - Governance, Risk, and Compliance Explained - AWS". Amazon Web Services, Inc. Retrieved 2025-10-27.
  6. "Enron". Federal Bureau of Investigation. Retrieved 2025-10-26.
  7. Worth, Lauren. "GRC Through the Years: How Governance and Risk Are Evolving". learn.g2.com. Retrieved 2025-10-26.
  8. "A brief history and the subsequent evolution of GRC frameworks". Business Reporter. Retrieved 2025-10-26.
  9. Scott L. Mitchell (2007), "GRC360: A framework to help organisations drive principled performance", International Journal of Disclosure and Governance, 4 (4): 279–296, doi:10.1057/palgrave.jdg.2050066, ISSN 1741-3591, S2CID 154869217.
  10. "OCEG is the ultimate source for GRC certifications and resources". OCEG. Retrieved 2025-01-19.
  11. "What Is GRC?". IBM. 2021-10-08. Retrieved 2025-10-26.
  12. "What is Principled Performance®". OCEG. Retrieved 2025-01-19.
  13. Rutgers University Libraries catalogue record, https://rutgers.primo.exlibrisgroup.com/discovery/fulldisplay?&context=PC&vid=01RUT_INST:01RUT&search_scope=MyInst_and_CI_2&tab=Everything_except_research&docid=cdi_unpaywall_primary_10_70259_engjer_2025_932022. Retrieved 2025-12-01.
  14. Scott L. Mitchell, OCEG (2004), GRC Capability Model (free, open source).
  15. Kurt F. Reding; Paul J. Sobel; Urton L. Anderson; Michael J. Head; Sridhar Ramamoorti; Mark Salamasick; Cris Riddle (2013), Internal Auditing: Assurance & Advisory Services.
  16. Terminus Systems (2018), GRC (unlisted; free, open source).
  17. Lamm, Jacob; Blount, Sumner; Boston, Steve; Camm, Marc; Cirabisi, Robert; Cooper, Nancy E.; Datskovsky, Galina; Fox, Christopher; Handal, Kenneth V.; McCracken, William E.; Meyer, John; Scheil, Helge; Srulowitz, Alan; Zanella, Rob (2009), Under Control: Governance Across the Enterprise, ISBN 978-1430215929.
  18. "Governance, risk and compliance (GRC): Definitions and resources". Diligent (www.diligent.com). Retrieved 2025-10-27.
  19. "Top 6 Benefits of GRC". Vanta. Retrieved 2025-10-26.
  20. "Will the integrated GRC implementation be effective against corruption?". Journal of Financial Crime. 30 (1): 24–34. 2022-03-24. doi:10.1108/JFC-12-2021-0275. ISSN 1359-0790.
  21. "Supplier Expectations Compliance Areas". Retrieved 2025-11-30.
  22. "Governance, Risk, and Compliance (GRC) Audits: Strengthening the Backbone of Organizational Integrity". LinkedIn (www.linkedin.com). Retrieved 2025-11-30.
  23. "Responsible Sourcing". Retrieved 2025-11-30.
  24. https://www.macrothink.org/journal/index.php/jmr/article/viewFile/12172/10646
  25. "Operational GRC: Naming a dangerous, many headed beast". Governance Institute of Australia. Retrieved 2025-12-01.
  26. Racz, Nicolas; Weippl, Edgar; Seufert, Andreas (2010), "A frame of reference for research of integrated GRC", in Bart De Decker; Ingrid Schaumüller-Bichl (eds.), Communications and Multimedia Security: 11th IFIP TC 6/TC 11 International Conference, CMS 2010 Proceedings, Berlin: Springer, pp. 106–117, ISBN 978-3-642-13240-7.
  27. Rogers, Jillian (2023-01-11). "Artificial Intelligence Risk & Governance". Wharton Human-AI Research. Retrieved 2025-11-30.
  28. McKinsey & Company (2025-05-09). "Governance, risk, and compliance: A new lens on best practices".
  29. https://www.boc-group.com/wp-content/uploads/2025/01/Resources_Whitepaper_GRCTrends2025_ENG-1.pdf (PDF)