GRC - Governance, Risk and Compliance - is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity, according to OCEG (formerly known as “Open Compliance and Ethics Group.” In detailing the history and significance of GRC, OCEG writes:
“The acronym GRC was invented by the OCEG membership as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management and assurance of performance, risk, and compliance activities. This includes the work done by departments like internal audit, compliance, risk, legal, finance, IT, HR as well as the lines of business, executive suite and the board itself.” It continues, “While the acronym was used as early as 2003, the first peer-reviewed academic paper on the topic was published in 2007 by OCEG founder Scott L. Mitchell in the International Journal of Disclosure and Governance. This groundbreaking paper influenced an entire industry of software and services. This was the beginning of open source GRC standards.”
A challenging business climate and other factors compel companies to develop GRC programs.
Typical issues driving governance, risk and compliance often include the following:
Organizations which integrate GRC processes and technology across all or many areas, notes OCEG, report multiple benefits:
Analysts note that GRC has grown in stature as risks have become more numerous, more complex, and more damaging. GRC, with the basic purpose being to instill good business practices, has grown in stature as risks have become more numerous, more complex and more damaging. GRC spans multiple disciplines, including enterprise risk management, compliance, third-party risk management, internal audit, among others.