What is Governance, Risk and Compliance (GRC)?

There are a few ways the term “Governance, Risk and Compliance (GRC)” can be used in cybersecurity:

  1. GRC often refers to a specialized function within a cybersecurity department that focuses on governance, risk management and compliance needs. In this case, Governance, Risk, & Compliance (GRC) is an integrated approach organizations use to align cybersecurity and data privacy requirements with business objectives.
  2. GRC can also refer to software, either hosted on premises or delivered as a SaaS solution, that is specifically designed to support the needs of a GRC team in managing policies, standards, controls and other GRC-related matters.

A cohesive GRC program fosters integrated controls, minimizes overlap, enhances reporting and strengthens decision-making. Theoretically, GRC should control how cybersecurity and data protection operations exist, since the GRC function should be able to create a risk-based, prioritized implementation plan for necessary cybersecurity and data protection controls.

Which comes first: Governance, Risk or Compliance? This has been a hotly debated topic since the term GRC was first coined over two (2) decades ago. However, there is a logical order to GRC processes that must be understood to avoid silos and an improperly scoped security program. First, it is necessary to level-set on the terminology of what the GRC functions do:

  • Governance. Structures the organization’s controls to align with business goals and applicable statutory, regulatory, contractual and other obligations. Develops necessary policies and standards to ensure the proper implementation of controls.
  • Risk Management. Identifies, quantifies and manages risk to information and technology assets, based on the organization’s operating model.
  • Compliance. Oversight of control implementation to ensure the organization’s applicable statutory, regulatory, contractual and other obligations are adequately met. Conducts control validation testing and audits/assessments.

Compliance > Governance > Risk Management. When establishing GRC practices, the order of precedence described below is how (1) Compliance influences (2) Governance, which in turn influences (3) Risk Management.

The genesis of GRC is to first identify applicable statutory, regulatory and contractual obligations that the organization must adhere to, as well as internal business requirements (e.g., Board of Director directives). This is a compliance function that identifies statutory, regulatory and contractual obligations. It is a due diligence exercise to identify what the organization is reasonably required to comply with from a cybersecurity & data privacy perspective. This process involves interfacing with various Lines of Business (LOB) to understand how the organization operates, including geographic considerations. Generally, Compliance needs to work with the legal department, contracts management, physical security and other teams to gain a comprehensive understanding of the organizational compliance needs.

Based on these controls, Governance has two (2) key functions:

  1. Develop policies and standards to meet those compliance obligations (defined by applicable control objectives); and
  2. Assign ownership of those controls to the applicable stakeholders involved in the affected business processes. This process often requires a documented Responsibility, Accountability, Supportive, Consulted and Informed (RASCI) chart to ensure the organizational model supports effective implementation and oversight of the assigned controls.

From a trickle-down perspective, while Risk Management logically follows both the Compliance and Governance functions in establishing a GRC program, Risk Management is crucial for the organization to maintain situational awareness and remain both secure and compliant. Risk Management serves as the primary "canary in the coal mine" to identify instances of noncompliance that lead to the improper management of risks and exposure of the organization to threats, since ongoing risk assessments generally occur more frequently than the internal/external audits that Compliance may oversee.