What is GRC?
GRC stands for Governance, Risk and Compliance.
The Open Compliance and Ethics Group (OCEG) has published one of the most comprehensive GRC definitions. In its GRC Capability Model, Red Book, 2.0, the OCEG defines GRC as a system of people, processes, and technology that enables an organization to:
- Understand and prioritize stakeholder expectations.
- Set business objectives that are congruent with values and risks.
- Achieve objectives while optimizing risk profile and protecting value.
- Operate within legal, contractual, internal, social, and ethical boundaries.
- Provide relevant, reliable, and timely information to appropriate stakeholders.
- Enable the measurement of the performance and effectiveness of the system.
Specifically, the three pillars of GRC are:
Governance – The effective, ethical management of a company by its executives and managerial levels.
Risk – The ability to effectively and cost-efficiently mitigate risks that can hinder an organization's operations or ability to remain competitive in its market.
Compliance – A company's conformance with regulatory requirements for business operations, data retention and other business practices.