What is governance, risk, and compliance?

Amanda Khatri

Editorial Manager

Governance, risk, and compliance (GRC) are traditionally separate functions of management. When combined strategically, GRC can significantly improve the way a business aligns IT with operational targets, manages risk, and meets regulatory compliance requirements. 

Why is GRC important? 

“GRC is overarching. It sets the tone and the strategy; it defines the policies and procedures and what the expectations are,” said Lisa McKee, director of governance, risk, compliance, and privacy at American Security and Privacy.  

McKee compares GRC to the driving universe, where lanes, boundaries, and limits are in place to enable drivers to get from A to B as fast as possible, minimising the risks and ensuring smooth navigation along the way.  

As technology advances, operational risks such as cyber and data privacy breaches escalate in complexity for regulated firms. 

The triad stands out as a cornerstone that fosters integrity, ensures regulatory adherence, and mitigates operational risks.  

GRC is an operational strategy and coordinated model that integrates governance, risk management, and compliance into the processes of every department within an organisation. 

Heavily regulated industries such as financial services, energy, and healthcare benefit the most from a dedicated, advanced GRC framework due to the sheer volume and complexity of regulations they face. These industries face severe threats that could shut down a business if GRC measures are not properly addressed.

What does GRC stand for? 

The term ‘GRC’ was first coined in 2002 by the Open Compliance and Ethics Group (OCEG), and the first peer-reviewed academic paper on the topic was published in 2007 by OCEG founder Scott Mitchell.

It emerged as a practice when businesses realised the benefits of coordinating people, technology, and processes over the traditionally individual (and siloed) approach to each aspect. 

By combining the trio into a single, disciplined function, businesses could share information smoothly across different departments and stakeholders. This synthesised method enables organisations to act ethically and improve decision-making and overall business performance.

Ultimately, effective GRC allows for clear lines of communication, removes uncertainty, and reduces risks by improving operational efficiencies that help organisations meet their goals.  


Governance

Governance refers to the alignment of an organisation’s system of rules, practices, and standards with business goals. This includes managing IT operations and aligning these to business goals, establishing risk and compliance parameters.

“Governance is who does what, how, and based on what data”, said Tilcia Toledo, senior managing director with FTI Consulting. “Governance is about who is in the room, what are they allowed to do or not do, what’s the data they rely on, and what’s the cadence of their actions.” 

Toledo and other experts believe governance is all about ensuring that the board, management, and workers understand and follow the rules.


Risk management

Risk management is the process of identifying and rectifying potential roadblocks and decreasing their financial impact. 

“Risk is about where the organisation wants to play and where it does not want to play. It is about those boundaries it does not want to cross at this time”, Toledo added, noting that enterprise risk is constantly evolving. 


Compliance

Compliance is ensuring the business is operating legally and ethically across every level of the organisation and that all employees are meeting the necessary regulatory requirements.

Why is GRC important today? 

Today’s business landscape is threatened by cyberattacks and data breaches, heightening the need for a strong GRC strategy that can help firms make data-driven decisions for an improved cyber stance. 

There are many reasons why GRC is important, including: 

  • The volume and velocity of regulatory changes put increased pressure on organisations to quickly identify and address compliance process gaps. 
  • Companies are faced with more uncertainties in interconnected modern times.  
  • Risk management costs are very high.  
  • Third-party relationships are complex and increase risk.  
  • If an organisation’s GRC strategy isn’t robust enough, it can lead to reputational damage, non-compliance, increased costs, and could even cause a company to fail.  

To survive in an uncertain, modern business environment, businesses need to prepare for risks related to costs, third parties, data management and privacy.  

“GRC is important in the modern business landscape for multiple reasons. With the increase of data privacy and protection laws, globalisation, and interconnectedness, the regulatory environment has become more complex”, said Chris Stanley, content developer for the CGRC exam at the training and certification organisation ISC2.  

“This level of complexity requires a robust GRC framework to assist an organisation with avoiding reputational damage and legal penalties,” he said. 

A well-thought-out GRC strategy can provide benefits such as optimal IT investments, a decrease in the risk of cyber breaches, the elimination of silos, and improved unification among divisions and departments.

“Stakeholders trust organisations to protect privacy and data, and those stakeholders are increasingly holding organisations, including individuals at an organisation, accountable. A strong GRC framework supports corporate responsibility and in turn, increases investor confidence and financial stability”, said Stanley.

GRC roles and responsibilities

According to Stanley, typical GRC roles and responsibilities can be broken down as follows:

  • Board of directors: provides oversight and approval of policies and strategic decisions. 
  • CEO: provides leadership and ensures GRC efforts are adequately resourced. 
  • Chief risk officer: provides leadership for risk management efforts, such as the assessment and reporting of risks to the board and executive management. 
  • Chief compliance officer: provides compliance oversight, training, and communication regarding compliance. 
  • CIO/CTO: provides risk management for technology and digital assets, as well as compliance and security for all IT. 
  • CFO: provides compliance and reporting on financial regulations and risk management of an organisation’s financials. 
  • Legal: provides compliance with all legal requirements while managing legal risks. 
  • HR: implements HR-related GRC policies, such as an authorised use policy and employee behaviour policies. 
  • IT: provides data protection and security with policies and controls. 
  • Department heads: implement GRC processes and controls within their respective departments and identify and manage risks specific to their department. 
  • Internal audit: provides independent evaluation and recommendations for improvement. 
  • Employees: adhere to policy and report any risk or compliance issues they observe. 

CUBE comment

Harnessing the power of GRC software can reshape the terrain of regulatory compliance for highly regulated businesses. By utilising GRC-specialised tools, organisations can establish comprehensive policies and controls which can be mapped to specific regulatory requirements, streamlining compliance processes and reducing risks.


With GRC’s synthesised approach and complete visibility into the risk landscape, businesses can make informed decisions, improve operational efficiencies, and effectively assess and manage the effects of risks.

By approaching the three pillars of GRC as a whole, organisations can achieve transparency and connected processes, and address gaps in compliance and legal processes that could become a roadblock.

Leveraging CUBE’s Automated Regulatory Intelligence can help your business navigate regulatory challenges with agility and confidence, ultim