
Difference between revisions of "Governance, Risk And Compliance (GRC)"

(Created page with "'''Content Coming Soon'''")
 
Line 1: Line 1:
'''Content Coming Soon'''
+
Governance, risk management and compliance (GRC) is a management discipline that takes an integrated firm-wide approach to meeting internal guidelines set for each activity. [[Corporate Governance]], [[Enterprise Risk Management (ERM)]], and [[Compliance|Corporate Compliance]] have been integral to managing companies for a long time. But increasing amounts of regulation, increasing demands for transparency and the exponential growth of third-party relationships have made a siloed approach to these activities costly, risky and untenable. As an integrated approach, GRC is a relatively new management discipline. It can mean different things to different businesses, but integrating GRC processes typically aims to improve information gathering and quality, in order to operate more efficiently, and share information more effectively across the organization to avoid duplication of effort.<ref>Definition - What does Governance, Risk And Compliance (GRC) Mean? [https://www.investopedia.com/terms/g/grc.asp Investopedia]</ref>
 +
 
 +
While many experts and GRC vendors disagree on a standard definition for Governance, Risk and Compliance, the Open Compliance and Ethics Group (OCEG) has published one of the most comprehensive GRC definitions. In its GRC Capability Model, Red Book, 2.0, the OCEG defines GRC as a "system of people, processes, and technology that enables an organization to:
 +
*Understand and prioritize stakeholder expectations.
 +
*Set business objectives that are congruent with values and risks.
 +
*Achieve objectives while optimizing risk profile and protecting value.
 +
*Operate within legal, contractual, internal, social, and ethical boundaries.
 +
*Provide relevant, reliable, and timely information to appropriate stakeholders.
 +
*Enable the measurement of the performance and effectiveness of the system."<ref>Defining Governance, Risk And Compliance (GRC) [https://www.webopedia.com/TERM/G/grc-governance-risk-compliance.html Webopedia]</ref>
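Review bot: the quoted OCEG definition in the second added paragraph is cited only to Webopedia, although the text itself names the OCEG GRC Capability Model (Red Book 2.0) as the origin of the quote. Cite that document directly in the closing ref and keep Webopedia as a secondary reference at most. The opening sentence of the first added paragraph ("meeting internal guidelines set for each activity") also never says which activities it means until the next sentence; naming governance, risk management and compliance there would make the definition stand on its own.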

Revision as of 14:40, 5 June 2019

Governance, risk management and compliance (GRC) is a management discipline that takes an integrated firm-wide approach to meeting internal guidelines set for each activity. Corporate Governance, Enterprise Risk Management (ERM), and Corporate Compliance have been integral to managing companies for a long time. But increasing amounts of regulation, increasing demands for transparency and the exponential growth of third-party relationships have made a siloed approach to these activities costly, risky and untenable. As an integrated approach, GRC is a relatively new management discipline. It can mean different things to different businesses, but integrating GRC processes typically aims to improve information gathering and quality, in order to operate more efficiently, and share information more effectively across the organization to avoid duplication of effort.[1]

While many experts and GRC vendors disagree on a standard definition for Governance, Risk and Compliance, the Open Compliance and Ethics Group (OCEG) has published one of the most comprehensive GRC definitions. In its GRC Capability Model, Red Book, 2.0, the OCEG defines GRC as a "system of people, processes, and technology that enables an organization to:

  • Understand and prioritize stakeholder expectations.
  • Set business objectives that are congruent with values and risks.
  • Achieve objectives while optimizing risk profile and protecting value.
  • Operate within legal, contractual, internal, social, and ethical boundaries.
  • Provide relevant, reliable, and timely information to appropriate stakeholders.
  • Enable the measurement of the performance and effectiveness of the system."[2]

  1. Definition - What does Governance, Risk And Compliance (GRC) Mean? Investopedia
  2. Defining Governance, Risk And Compliance (GRC) Webopedia