What is GRC?

GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity

GRC as an acronym denotes governance, risk, and compliance — but the full story of GRC is so much more than those three words.

The acronym GRC was invented by the OCEG (originally called the “Open Compliance and Ethics Group”) membership as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management and assurance of performance, risk, and compliance activities.

This includes the work done by departments like internal audit, compliance, risk, legal, finance, IT, HR as well as the lines of business, executive suite and the board itself.

While the acronym was used as early as 2003, the first peer-reviewed academic paper on the topic was published in 2007 by OCEG founder Scott L. Mitchell in the International Journal of Disclosure and Governance. This groundbreaking paper influenced an entire industry of software and services.

This was the beginning of open source GRC standards.