You can think of GRC as a three-legged stool, where governance, risk, and compliance are all necessary to manage and guide an organization. Find out more about these three components, as well as additional disciplines that fall under the umbrella of GRC.

What does GRC stand for?

GRC stands for governance, risk, and compliance. Let’s take a closer look at each component below.

Governance

Governance is the rules, business processes, and policies that steer an organization to achieve its purpose, mission, vision, and values while ensuring accountability, transparency, and ethical behavior. It begins with leadership and helps guide operations and administration, ethics, enterprise risk management, compliance, and more.

Governance ensures all stakeholders’ interests are balanced and gives leaders a framework to help them make decisions that align with the organization’s objectives and help them manage cyber risk.

Key activities include:

Setting the mission, vision, and values of the organization
Identifying and setting boundaries including laws, regulations, contracts, and ethics
Allocating decision-making authority
Fostering a culture of accountability and integrity
Establishing a data governance strategy

Risk

Risk refers to the more day-to-day, technical processes that are in place to mitigate and monitor risk.

Key activities include:

Establishing key risk indicators (KRIs)
Conducting risk assessments and internal audits
Mitigating, remediating, and/or making other risk-based decisions
Managing risk with third-party vendors and suppliers

Compliance

Compliance is the steps a company takes to meet standards and regulations to run safely and legally. This includes the due diligence required for cybersecurity frameworks such as SOC 2® and ISO 27001, data privacy legislation like GDPR and HIPAA, and industry requirements such as PCI DSS.

Key activities include:

Identifying all applicable laws, regulations, and standards based on compliance risks
Implementing controls and procedures to effectively comply with laws, regulations, and standards
Keeping up with changes to the laws, regulations, and standards that affect their industry, country, and customers
Setting up a process for continuous monitoring

Other GRC Components

The Open Compliance and Ethics Group (OCEG), which first originated the concept of GRC, created the GRC Capability Model. Commonly called the OCEG Red Book, this model documents GRC best practices based on a study of more than 250 organizations and insights from a panel of more than 100 experts.

The latest version (The GRC Capability Model 3.5) explains that while GRC denotes governance, risk, and compliance, it embodies several more disciplines. Some of these disciplines are paired with each of the three components.

The disciplines below all fall under the umbrella of GRC, according to this model:

Governance + Oversight: This discipline is responsible for guiding the organization to achieve its purpose, mission, vision, and values. It is likely spearheaded by the board and/or an oversight committee.
Strategy + Performance: This discipline is responsible for guiding and provisioning resources to achieve objectives and monitor performance. It is likely spearheaded by the C-suite or executive team.
Risk + Decision-Support: This discipline is responsible for identifying and addressing risks and how they affect an organization’s ability to meet its objectives, and providing ways to support decisions under uncertainty. It is likely spearheaded by risk managers.
Compliance + Ethics: This discipline is responsible for identifying and meeting mandatory and voluntary obligations and their underlying ethical principles and values. This includes complying with laws and regulations as well as leading standards for security and privacy. It is likely spearheaded by compliance managers and ethics officers.
Security + Continuity: This discipline is responsible for identifying and addressing threats to critical physical and digital assets and infrastructure. It is likely spearheaded by information security and privacy officers.
Audit + Assurance: This discipline is responsible for attesting to the organization’s ability to reliably achieve objectives, address uncertainty, and act with integrity. It is likely spearheaded by internal and external auditors.

Why Secureframe

Products

Features

Solutions

Top Frameworks

Partner Program

Audit Partners

Channel Partners

Resources

Featured

Company

The 3 Components of GRC

What does GRC stand for?

Governance

Risk

Compliance

Recommended Reading

Other GRC Components

Use trust to accelerate growth

GRC Overview

What Is GRC and Why Is It Important?

The 3 Components of GRC

GRC vs IRM

Governance

Navigating Cybersecurity Governance

14 Common Types of Cybersecurity Attacks in 2023

Data Governance: Definition, Principles, and Frameworks

How to Build a Smart Data Governance Strategy

Data Governance Metrics and KPIs

Risk

What Is a Risk Management Strategy? + Examples

Risk Assessment: Purpose, Process, and Software + Template

What Is Risk Mitigation? + Strategies

How to Create a Risk Register + Template

How to Write a Business Continuity Plan + Template

How to Create an Incident Response Plan + Template

What is a Change Management Process? + Template

What Is Third-Party Risk Management + Policy

Compliance and Auditing

Security Compliance: How to Keep Your Business Safe & Meet Regulations

15 Essential Regulatory and Security Compliance Frameworks

What Is Continuous Compliance + How To Achieve It

How to Conduct an Effective Internal Compliance Audit

How to Implement a GRC Program

How to Implement a GRC Program + Checklist

Success Metrics for GRC Programs

How to Measure GRC Maturity

GRC Tools and Resources

GRC Automation

What Is GRC Software and How Does It Work?

Top Benefits of Adopting GRC Software

How to Choose a GRC Software Solution