Governance, Risk Management, and Compliance or “GRC” is an increasingly recognized term that reflects a new way in which organizations can adopt an integrated approach to these three areas. However, this term is often positioned as a single business activity, when in fact, it includes multiple overlapping and related activities within an organization, e.g. internal audit, compliance programs like SOX, enterprise risk management (ERM), operational risk, incident management, etc.

Within the GRC realm, it is very important to realize that if Governance is not in place, Risk Management and Compliance become irrelevant and probably cannot be meaningfully achieved. Working on the same logic, if Risk Management is not in place then achieving Compliance becomes irrelevant and probably cannot be meaningfully achieved. This is the reason the acronym is designed as GRC and not other combinations. Governance, Risk, and Compliance are highly related but distinct activities that solve different problems for different sets of constituents of an organization.

A specific definition of GRC can be challenging. According to Michael Rasmussen, an industry GRC analyst, the challenge in defining GRC is that individually each term has “many different meanings within organizations. There is corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, Sarbanes-Oxley (SOX) compliance, employment/labor compliance, privacy compliance . . . you get the picture.”[document no longer available]

According to Nicolas Racz of GRC-Resource.com, “GRC reflects an integrated approach on the issues of governance, risk and compliance ensuring that an organization acts in accordance with its self-imposed rules, its risk appetite and external regulations. GRC further implies horizontal and vertical integration and the use of synergies across strategy, process and technology levels.”^[1] Thus GRC should not be seen as an umbrella term for the separated topics of governance, risk management and compliance, but as a concept leveraging synergies in order to increase efficiency and reduce complexity.

Initial interest in GRC systems was driven by the Sarbanes-Oxley Act, but GRC system requirements have changed and now are seen as a means to achieve Enterprise Risk Management. Specifically, this represents a movement from managing risk as a transaction or compliance activity to adding business value by improving operational decision making and strategic planning.

Wikipedia (as of 01. September 2009): Governance, Risk Management and Compliance.