Governance, risk and compliance (GRC) is a combined area of focus developed to cover an organization's strategy to handle any interdependencies between the three components. GRC aids an organization in achieving its goals through coordinating strategies around corporate governance, enterprise risk management (ERM) and compliance with any regulated requirements. Small or enterprise-sized organizations can implement GRC.
GRC provides an organization with a set of practices to be carried out responsibly. The three components of GRC are broken down as follows:
- Governance refers to the ethical management of an organization by organization leaders.
- Risk refers to minimizing the risks an organization may face which would hinder its operations.
- Compliance refers to the degree to which business operations and practices conform to the requirements that apply to them.
Agreeing on a single definition of GRC has proven difficult, as it was developed around an idea that had little research behind it and has since evolved in multiple directions. The disadvantages of GRC mainly relate to the potential adverse effects of a poor implementation, such as high cost, reduced risk visibility and reduced performance resulting from that weak risk visibility. However, if properly implemented, organizations can see reduced costs and increased visibility into risks and information, with little impact on operations.
GRC tools allow an organization to coordinate policies and map them to any regulatory compliance requirements. More specifically, GRC software products available from a number of vendors typically facilitate compliance with legal requirements, such as those specified in the Sarbanes-Oxley Act (SOX) or occupational health and safety regulations.
GRC tools are typically cloud-based and focus on automating processes. They also typically focus on integrating single, multi and enterprise-wide governance solutions, such as integrated, domain-specific or point solutions. Examples of GRC tools include IBM OpenPages and Rsam Enterprise GRC.