In a landmark study, workplace misconduct was found to cost U.S. businesses $20 billion in a year.

That stark figure doesn’t include the cost of human error, non-compliance, cyber attacks, and other issues that organizations face. 

GRC addresses all of these aspects and can help set an organization up to hit business goals, manage and reduce risk, and stay compliant with industry standards and regulations. Below we’ll dive into this important concept.

What is GRC?

GRC refers to an organization-wide strategy that combines corporate governance, risk, and compliance functions. 

Individually, each of these functions has its own set of rules, regulations, and responsibilities. This makes it easy for organizations to treat these functions as something that one department or person “owns,” but siloing them in this way can lead to fragmentation, poor integration, and wasted information, among other issues.

Rather than keeping the elements of governance, risk, and compliance siloed, a GRC strategy recognizes the overlap between these three components and fosters collaboration between teams.

By aligning key stakeholders — ideally from governance, risk, compliance, security, audit, finance, legal, IT, and HR departments as well as the executive suite and board — a GRC strategy can help your organization identify, tackle, and reduce the issues above and achieve sustainability and efficiency.

Why is GRC important?

GRC is important because it combines corporate governance, risk, and compliance functions into a single strategy. The benefits of this are significant and include the following.

Increased visibility into the risks an organization faces

Companies today operate in distributed, dynamic, and disruptive environments. That means even small risks can snowball into major problems if they’re not well understood or managed correctly. With a GRC strategy, organizations can better identify individual risks, understand how they may affect performance and objectives, and respond to them. 

Improved operational efficiency

A GRC strategy encourages key stakeholders to approach governance, risk, and compliance activities in a mature way and support each other to continuously achieve organizational objectives. This can help organizations repeat processes in a consistent manner, de-duplicate activities, and reduce costs, all of which will significantly improve operational efficiency.

Collection of high-quality information around risks, opportunities, and goals to help inform company strategies

A GRC program, especially one that leverages GRC software, can enable your organization to collect high-quality information around risks, opportunities, and goals. This can help your organization make data-driven decisions that accelerate its growth. 

Assurance of ongoing compliance with required standards and regulations

A GRC program can help align key stakeholders to implement security controls that protect customer data and meet compliance requirements, even as they evolve over time. 

History of GRC

GRC was first defined, modeled, and labeled by Michael Rasmussen in 2002, when he was working as a vice president and analyst at Forrester Research. He then worked with the Open Compliance and Ethics Group (OCEG) to develop and refine the GRC Capability Model. 

According to the OCEG, the goal of GRC is to help organizations achieve Principled Performance®, which encompasses the following:

  • reliably achieving objectives
  • addressing uncertainty
  • acting with integrity.

Each of these lines up with one of the three components of GRC: “reliably achieving objectives” is the governance component, “addressing uncertainty” is the risk management component, and “acting with integrity” is the compliance component.

Achieving all three, or Principled Performance, should enable organizations of all shapes and sizes to operate in the context of volatile, uncertain, complex, and ambiguous conditions, which make up the business environment today.