Governance, Risk and Compliance (GRC)

The Pathway to Principled Performance

If Principled Performance is the goal, then integrated GRC is the pathway to get there.

What is GRC?

GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.

GRC as an acronym denotes GOVERNANCE, RISK, and COMPLIANCE — but the full story of GRC is so much more than those three words.

The acronym GRC was invented as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management and assurance of performance, risk, and compliance activities.

This includes the work done by departments like internal audit, compliance, risk, legal, finance, IT and HR, as well as the lines of business, the executive suite and the board itself.

While the acronym was used as early as 2003, the first peer-reviewed academic paper on the topic was published in 2007 by OCEG founder Scott L. Mitchell in the International Journal of Disclosure and Governance. This groundbreaking paper influenced an entire industry of software and services.


Nothing New. Totally Revolutionary.

It is important to remember that organizations have been governed, and risk and compliance have been managed, for a long time — in this way, GRC is nothing new.

However, many organizations have not approached these activities in a mature way, nor have these efforts supported each other to enhance the reliability of achieving organizational objectives.

In a forward-thinking organization, GRC is viewed as an integrated collection of all capabilities necessary to support Principled Performance.

GRC doesn't burden the business; it supports and improves it.

In this way, GRC is totally revolutionary.

Image from the GRC Capability Model

GRC Drivers

Organizations must address today’s challenging business climate. Even small businesses, nonprofits, and government agencies are facing issues that only large companies had to face in the past. Think of how many of these factors you have to deal with:

  • Stakeholders demand high performance along with high levels of transparency
  • Regulations and enforcement are ever-changing and unpredictable
  • Exponential growth of third-party relationships and risk is a management challenge
  • The costs of addressing risks and requirements are spinning out of control
  • The harsh (and scary) impact when threats and opportunities are not identified

GRC Done Wrong

Our GRC Maturity Survey finds that disjointed GRC activities cause a number of problems.

To address these drivers, organizations develop departments and programs such as: performance management; risk management; compliance; corporate social responsibility; and so on.

Unfortunately, these departments and programs are often siloed, ineffective and yield troubling drawbacks:

  • High costs
  • Lack of visibility into risks
  • Inability to address third-party risks
  • Difficulty measuring risk-adjusted performance
  • Too many negative surprises

When these activities are siloed, it is highly likely that counter-productive objectives are established, sub-optimal strategies are selected, and performance isn't optimized.

GRC Done Right

Integrating GRC capabilities does not mean creating a mega-department of GRC and doing away with decentralized management. Nor does it call for the use of only one GRC software system to manage it all.

Rather, it is about establishing an approach that ensures the right people get the right information at the right times; that the right objectives are established; and that the right actions and controls are put in place to address uncertainty and act with integrity.

When GRC is done right, the benefits accrue. Organizations that integrate GRC processes and technology across all or many silos have:

  • Reduced costs
  • Reduced duplication of activities
  • Reduced impact on operations
  • Achieved greater information quality
  • Achieved greater ability to gather information quickly and efficiently
  • Achieved greater ability to repeat processes in a consistent manner


GRC Kickstarted

With the help of a panel of 100+ experts, OCEG studied 250+ organizations to document best practices in the GRC Capability Model (commonly called the OCEG Red Book). The model:

  • Unified vocabulary across disciplines
  • Defined common components and elements
  • Defined common information requirements
  • Standardized practices for things like policies and training
  • Identified communication for everyone involved, including strategic decision-makers

GRC Capabilities enable Principled Performance

GRC Capabilities help an organization achieve Principled Performance


GRC Helps People Like You

Use the acronym GRACE-IT to remember all of the roles that must work together to achieve Principled Performance.