Alyned Thinking

Why new thinking is needed and how we are putting our expertise to work.

What is GRC?

In today’s business world depending on the industry, you will come into contact more and more with the term GRC or “Governance Risk Compliance”. In certain circles this has come to be almost a kind of new management philosophy, that fills the whole working day of entire departments.

We will launch an article series on this blog examining the various facets of IT security, Risk Management practices and the governance thereof and how they are currently applied within various organisations. During this examination, we hope that the esteemed reader will be able to recognise cases, pitfalls, and successes from their own areas of influence and take some value out of this content, to apply to their future endeavors in this topic.

However, let’s first start with an explanation of what GRC exactly is and attempt a general definition to frame the later discussion. According to Gartner's Paul Proctor:

Governance
A set of processes which define and maintain policies and assign decision rights, as well as communicating them throughout the organisation.  
Risk management
A set of processes which ensure that core business processes and activities are kept within an acceptable range, otherwise there will be an undesired uncertainty for key business objectives.  
Compliance
A set of processes to achieve adherence to policies and decisions by defining corresponding controls. Policies can be developed from internal directives, procedures, and requirements, or external laws, regulations, standards, and contracts.  
GRC
A program that combines the above elements for assessing, monitoring, and reporting of risks and controls in support of decision making, business performance, and adherence to regulations, policies, and other mandates and agreements.

It is worth noting here that the term GRC has been used in the past years also for various other topic areas that do not quite fit to the basic general definition. For example, a number of software vendors have jumped onto the marketing bandwagon and added “GRC” to their products in order to leverage the management awareness for these topics. Recently, this has created the impression that GRC could stand for both everything and nothing at the same time and has become basically meaningless. This blog aims to rectify this situation and bring back sensible context and approaches to the GRC arena.

Key Takeaways

  • GRC has been plagued by inconsistent interpretation of the terminology and meaning
  • Software vendors and service providers have tried to capitalize on this confusion by tagging their products and services as GRC
  • At its core, GRC is a collection of interlocking processes to agree on policies aligned to an organisation's external environment and risks situation, to measure adherence to policies, and to translate as-­is risk state into actionable business risk outcomes. 
Stefan Sulistyo
Author: Stefan Sulistyo
Co-Founder & Chief Customer Officer
google plus
About the author
Co-Founder & CCO of Alyne, 10+ year InfoSec & GRC veteran, first of his name, waiting for the singularity.