GRC stands for Governance, Risk Management and Compliance. The acronym is used in two different ways, and mixing them up causes confusion.
The first use describes a function within a cybersecurity or legal department: the team responsible for policy management, risk assessment, audit preparation and compliance oversight. In this sense, GRC is a job category and a set of processes.
The second use describes software. GRC platforms automate policy lifecycle management, track risk acceptance decisions, schedule assessments, manage exceptions and generate compliance dashboards. Cyturus, SimpleRisk, ServiceNow GRC, OneTrust and Archer are examples. A "GRC function" can be run without GRC software (spreadsheets and ticketing systems are common), but the software category carries the same acronym, so the two are easily conflated.
When someone says "we need GRC," it's worth confirming which one they mean. Buying GRC software before you have defined GRC processes is a common and expensive mistake. The tool surfaces gaps in process design that should have been resolved before procurement.
For cybersecurity specifically, the term is sometimes qualified as "Cybersecurity GRC" to distinguish it from other domains that use the same discipline and acronym: operational risk, financial compliance, internal audit, legal. The cybersecurity GRC function typically reports to the CISO or another senior security leader.