You can think of GRC as a three-legged stool, where governance, risk, and compliance are all necessary to manage and guide an organization. Find out more about these three components, as well as additional disciplines that fall under the umbrella of GRC.
What does GRC stand for?
GRC stands for governance, risk, and compliance. Let’s take a closer look at each component below.
Governance
Governance is the rules, business processes, and policies that steer an organization to achieve its purpose, mission, vision, and values while ensuring accountability, transparency, and ethical behavior. It begins with leadership and helps guide operations and administration, ethics, enterprise risk management, compliance, and more.
Governance ensures all stakeholders’ interests are balanced and gives leaders a framework to help them make decisions that align with the organization’s objectives and help them manage cyber risk.
Key activities include:
- Setting the mission, vision, and values of the organization
- Identifying and setting boundaries including laws, regulations, contracts, and ethics
- Allocating decision-making authority
- Fostering a culture of accountability and integrity
- Establishing a data governance strategy
Risk
Risk refers to the more day-to-day, technical processes that are in place to mitigate and monitor risk.
Key activities include:
- Establishing key risk indicators (KRIs)
- Conducting risk assessments and internal audits
- Mitigating, remediating, and/or making other risk-based decisions
- Managing risk with third-party vendors and suppliers
Compliance
Compliance is the steps a company takes to meet standards and regulations to run safely and legally. This includes the due diligence required for cybersecurity frameworks such as SOC 2® and ISO 27001, data privacy legislation like GDPR and HIPAA, and industry requirements such as PCI DSS.
Key activities include:
- Identifying all applicable laws, regulations, and standards based on compliance risks
- Implementing controls and procedures to effectively comply with laws, regulations, and standards
- Keeping up with changes to the laws, regulations, and standards that affect their industry, country, and customers
- Setting up a process for continuous monitoring
Recommended Reading
6 Benefits of Continuous Monitoring for Cybersecurity
Read MoreOther GRC Components
The Open Compliance and Ethics Group (OCEG), which first originated the concept of GRC, created the GRC Capability Model. Commonly called the OCEG Red Book, this model documents GRC best practices based on a study of more than 250 organizations and insights from a panel of more than 100 experts.
The latest version (The GRC Capability Model 3.5) explains that while GRC denotes governance, risk, and compliance, it embodies several more disciplines. Some of these disciplines are paired with each of the three components.
The disciplines below all fall under the umbrella of GRC, according to this model:
- Governance + Oversight: This discipline is responsible for guiding the organization to achieve its purpose, mission, vision, and values. It is likely spearheaded by the board and/or an oversight committee.
- Strategy + Performance: This discipline is responsible for guiding and provisioning resources to achieve objectives and monitor performance. It is likely spearheaded by the C-suite or executive team.
- Risk + Decision-Support: This discipline is responsible for identifying and addressing risks and how they affect an organization’s ability to meet its objectives, and providing ways to support decisions under uncertainty. It is likely spearheaded by risk managers.
- Compliance + Ethics: This discipline is responsible for identifying and meeting mandatory and voluntary obligations and their underlying ethical principles and values. This includes complying with laws and regulations as well as leading standards for security and privacy. It is likely spearheaded by compliance managers and ethics officers.
- Security + Continuity: This discipline is responsible for identifying and addressing threats to critical physical and digital assets and infrastructure. It is likely spearheaded by information security and privacy officers.
- Audit + Assurance: This discipline is responsible for attesting to the organization’s ability to reliably achieve objectives, address uncertainty, and act with integrity. It is likely spearheaded by internal and external auditors.