GRC (Governance, Risk, and Compliance) is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity — to achieve Principled Performance.
GRC stands for Governance, Risk, and Compliance and is a concept that was originated by the Open Compliance and Ethics Group (OCEG) in 2002.
GRC is the integrated collection of capabilities that enable an organization to achieve Principled Performance - the ability to reliably achieve objectives, address uncertainty, and act with integrity.
GRC, as an acronym, denotes governance, risk, and compliance — but the full story of GRC is so much more than those three words.
The acronym GRC was created by OCEG (originally called the "Open Compliance and Ethics Group") as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management, and assurance of performance, risk, and compliance activities.
This includes work done by departments in governance, strategy, risk, compliance, security, audit, finance, legal, IT, and HR. But it also includes operators in lines of business, the executive suite, and the board itself.
While the acronym was used by OCEG as early as 2002, the first peer-reviewed academic paper on the topic was published in 2007 by OCEG founder Scott Mitchell in the International Journal of Disclosure and Governance.
This groundbreaking paper influenced the related software and services industry and began open-source GRC standards.
Over $1 trillion USD is lost annually due to unprincipled misconduct, mistakes, and miscalculations.
In response to this trillion-dollar problem, GRC (Governance, Risk, and Compliance) Professionals trained in Principled Performance, also known as "Protectors," play a crucial role in producing and preserving value, achieving objectives, addressing uncertainty, and acting with integrity.
It is important to remember that organizations have been governed, and risk and compliance have been managed for a long time — in this way, GRC is nothing new.
However, many had not approached these activities in a mature way nor supported each other to enhance the reliability of achieving organizational objectives.
In a forward-thinking organization, GRC is viewed as an integrated collection of all capabilities necessary to support Principled Performance.
GRC doesn't burden the business; it supports and improves it, making it a critical piece of business operations.
Organizations must address today’s challenging business climate. Even small businesses, nonprofits, and government agencies are facing issues that only large companies had to face in the past. Many common factors that businesses face become the true drivers of GRC and its value throughout the business:
Short answer, yes.
The long answer is that yes when businesses are operating under disjointed and disconnected circumstances, GRC activities can cause a number of problems.
To address these drivers, organizations develop departments and programs such as:
Unfortunately, these departments and programs are often siloed, ineffective, and yield troubling drawbacks:
When these activities are siloed, it is highly likely that counter-productive objectives are established, sub-optimal strategies are selected, and performance isn't optimized.
Integrating GRC capabilities does not mean creating a mega-department of GRC and doing away with decentralized management. Nor does it call for using only one GRC software system to manage everything.
Rather, it is about establishing an approach that ensures the right people get the right information at the right times; that the right objectives are established; and that the right actions and controls are put in place to address uncertainty and act with integrity.
When GRC is done right, the benefits accrue. Organizations that integrate GRC processes and technology across all or many silos have:
The GRC Capability Model describes "GRC Done Right" in 4 high-level components and several detailed elements:
With the help of a panel of 100+ experts, OCEG studied 250+ organizations to document best practices in the GRC Capability Model (commonly called the OCEG Red Book). Download the newest version of our Red Book (The GRC Capability Model 3.5), and sign up for an All Access Pass to get exclusive access to training materials, as well as your first GRC Professional (GRCP) Certification.
With a GRCP Certification, you can:
© 2002 - 2025
OCEG
2942 N 24th St Ste 115 PMB 85352, Phoenix, AZ, 85016-7849, USA
Information & Billing
+1 (602) 234-9278
Principled Performance®, Driving Principled Performance®, Putting Principles Into Practice®, OCEG®, GRC360°®, ActiveLearning®, EventDay® and LeanGRC® are registered trademarks of OCEG®.
Protector Skillset™, Protector Mindset™, Protector Code™, Lines of Accountability™, GRC Professional™, GRCP™, GRC Fundamentals™, GRC Auditor™, GRCA™, GRC Audit Fundamentals™, Data Privacy Fundamentals™, Integrated Data Privacy Professional™, IDPP™, Policy Management Fundamentals™, Integrated Policy Management Professional™, IPMP™, Integrated Audit & Assurance Professional™, IAAP™, Integrated Governance & Oversight Professional™, IGOP™, Integrated Strategy & Performance Professional™, ISPP™, Integrated Risk Management Professional™, IRMP™, Integrated Decision Management Professional™, IDMP™, Integrated Compliance & Ethics Professional™, ICEP™, Integrated Business Continuity Professional™, IBCP™, Integrated Information Security Professional™, IISP™ are trademarks of OCEG®.
