GRC, as an acronym, denotes governance, risk, and compliance — but the full story of GRC is so much more than those three words.
The acronym GRC was created by OCEG (originally called the "Open Compliance and Ethics Group") as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management, and assurance of performance, risk, and compliance activities.
This includes work done by departments in governance, strategy, risk, compliance, security, audit, finance, legal, IT, and HR. But it also includes operators in lines of business, the executive suite, and the board itself.
While the acronym was used by OCEG as early as 2003, the first peer-reviewed academic paper on the topic was published in 2007 by OCEG founder Scott Mitchell in the International Journal of Disclosure and Governance.
This groundbreaking paper influenced the related software and services industry and began open-source GRC standards.