Finserv Glossary
What is GRC (Governance, Risk and Compliance)?

GRC – Governance, Risk and Compliance – is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity, according to OCEG (formerly known as the “Open Compliance and Ethics Group”).

In detailing the history and significance of GRC, OCEG writes:

“The acronym GRC was invented by the OCEG membership as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management and assurance of performance, risk, and compliance activities. This includes the work done by departments like internal audit, compliance, risk, legal, finance, IT, HR as well as the lines of business, executive suite and the board itself.” It continues, “While the acronym was used as early as 2003, the first peer-reviewed academic paper on the topic was published in 2007 by OCEG founder Scott L. Mitchell in the International Journal of Disclosure and Governance. This groundbreaking paper influenced an entire industry of software and services. This was the beginning of open source GRC standards.”

A challenging business climate and other factors compel companies to develop GRC programs.

Typical issues driving governance, risk and compliance often include the following:

  • Stakeholders demanding both high performance and high levels of transparency
  • Fast-moving and uncertain technology trends affecting what customers need and want
  • Regulations and enforcement changing and increasing
  • Third-party relationships and risk exponentially growing
  • Costs of addressing risks and requirements increasing
  • Impacts of unidentified and/or unaddressed threats and opportunities growing

Organizations which integrate GRC processes and technology across all or many areas, notes OCEG, report multiple benefits:

  • Reduced costs
  • Reduced redundant or duplicative activities
  • Reduced impact on operations
  • Achieved greater information quality
  • Achieved greater ability to gather information quickly and efficiently
  • Achieved greater ability to repeat processes in a consistent manner

Analysts note that GRC, whose basic purpose is to instill good business practices, has grown in stature as risks have become more numerous, more complex and more damaging. GRC spans multiple disciplines, including enterprise risk management, compliance, third-party risk management and internal audit, among others.