Governance, risk, and compliance
Governance, risk, and compliance (GRC) is the term covering an organization's integrated approach across three practices: governance, risk management, and compliance.[1][2][3][4] These are goals an organization structures to ensure that it meets industry standards and government regulations.[5]
History
Corporate financial scandals in the 1970s in the United States led to the creation of the organization, the Committee of Sponsoring Organizations of the Treadway Commission ("COSO"), by major US accounting associations; COSO issued reports calling for better controls over financial accounting, and standards to achieve those controls.[6]
Calls for stricter internal controls and financial reporting standards for companies were driven by high-profile corporate scandals in the 1990s in the UK, leading to the Turnbull Report in the UK,[7][8] and by similar scandals in the United States in the early 2000s, such as the Enron scandal, which led to the passage of the Sarbanes–Oxley Act in the US.[7] COSO updated its standards accordingly.[6]
As companies began efforts to comply with these regulations, the interconnectedness of governance, risk management, and compliance became clear.[7] This created a market for training and software to bring these functions together; for example, in 2002, Symbiant, a UK software development company, created the first GRC software that let teams work together online, combining risk registers, evaluations and audit tracking in one system.[9] The term "Governance, risk, and compliance" or "GRC" was published by Scott Mitchell, founder of the Open Compliance and Ethics Group (OCEG), in an academic paper in 2007.[10][11]
Overview
Governance, risk, and compliance (GRC) are three related facets that aim to assure that an organization reliably achieves its objectives, addresses uncertainty and acts with integrity.[1] Corporate governance is the combination of processes established and executed by the directors (or the board of directors) that shape the organization's structure and assign roles; enterprise risk management is predicting and managing the risks that could hinder an organization from reliably achieving its objectives under uncertainty; and compliance refers to adhering to mandated boundaries (laws and regulations) and voluntary boundaries (the company's policies, procedures, etc.).[1]
Governance, risk and compliance (GRC) is a discipline that aims to synchronize information and activity across governance, risk management and compliance in order to operate more efficiently, enable effective information sharing, report activities more effectively and avoid wasteful overlaps. If these are not integrated and are instead tackled in a traditional "silo" approach, most organizations must sustain unmanageable numbers of GRC-related requirements, driven by changes in technology, increasing data storage, market globalization and increased regulation.[1]
Specific fields have developed their own GRC approaches; there is financial GRC (also known as FinGRC), legal GRC, and operational GRC.[12]
As companies have begun to adopt artificial intelligence to help run their businesses, the risks intrinsic to AI raise GRC challenges for the companies using AI products.[13] As of 2025, some companies were beginning to adopt AI tools to help them manage GRC.[14]
See also
- Conformity assessment
- Information governance
- ISO 37301:2021 Compliance Management Systems (Previously ISO 19600)
- ISO 31000:2018 Risk Management
- ISO 41001:2018 Facility management — Management systems
- Records management
- Regulatory compliance
- Corporate liability
References
[1] Anthony Tarantino (2008-02-25), Governance, Risk, and Compliance Handbook, ISBN 978-0-470-09589-8
[2] Denise Vu Broady; Holly A. Roland (2008-04-25), "The ABCs of GRC", SAP GRC For Dummies, ISBN 978-0-470-33317-4
[3] Silveira, Patrícia; Rodríguez, Carlos; Birukou, Aliaksandr; Casati, Fabio; Daniel, Florian; D'Andrea, Vincenzo; Worledge, Claire; Taheri, Zouhair (2012), "Aiding Compliance Governance in Service-Based Business Processes", Handbook of Research on Service-Oriented Systems and Non-Functional Properties (PDF), IGI Global, pp. 524–548, doi:10.4018/978-1-61350-432-1.ch022, ISBN 9781613504321, retrieved 2013-04-06
[4] Scott L. Mitchell (2007-10-01), "GRC360: A framework to help organisations drive principled performance", International Journal of Disclosure and Governance, 4 (4): 279–296, doi:10.1057/palgrave.jdg.2050066, ISSN 1741-3591, S2CID 154869217
[5] "What is GRC? - Governance, Risk, and Compliance Explained - AWS". Amazon Web Services, Inc. Retrieved 2025-10-27.
[6] Miller, Geoffrey P. (2014). "Introduction". The Law of Governance, Risk Management and Compliance (1st ed.). Wolters Kluwer. ISBN 1454846577.
[7] Worth, Lauren. "GRC Through the Years: How Governance and Risk Are Evolving". learn.g2.com. Retrieved 2025-10-26.
[8] Elliott, Dominic; Letza, Steve; McGuinness, Martina; Smallman, Clive (July 2000). "Governance, Control and Operational Risk: The Turnbull Effect". Risk Management. 2 (3): 47–59. doi:10.1057/palgrave.rm.8240058.
[9] "A brief history and the subsequent evolution of GRC frameworks". Business Reporter. Retrieved 2025-10-26.
[10] "What Is GRC? | IBM". www.ibm.com. 2021-10-08. Retrieved 2025-10-26.
[11] "What is GRC (Governance, Risk, and Compliance)?". OCEG. Retrieved 2026-03-30.
[12] "Operational GRC: Naming a dangerous, many headed beast". Governance Institute of Australia. Retrieved 2025-12-01.
[13] Rogers, Jillian (2023-01-11). "Artificial Intelligence Risk & Governance". Wharton Human-AI Research. Retrieved 2025-11-30.
[14] Natale, Alfonso; Raufuss, Anke; Nilsson, Björn; Peschel, Irene; Bevan, Oliver; Raggl, Andreas. "Governance, risk, and compliance: A new lens on best practices". McKinsey & Company. Archived from the original on 2025-12-13. Retrieved 2025-12-01.