Governance, Risk, and Compliance: Complex or Complicated?
By Bert Boerman
CEO, Governance.com
Is governance, risk, and compliance (GRC) complex or complicated? The answer is both; however, it should not be. We will get to complex versus complicated later, but it is worth clarifying what we mean by GRC first.
GRC has become a main topic of interest, or perhaps concern, and certainly a massively growing area of spending. The term is often made synonymous with technology, but in reality GRC relates first and foremost to operational matters. Given that the very definition is not uniform, we will start by establishing what each of the letters in this acronym represents:[1]
- Governance. The establishment of policies and continuous monitoring of their proper implementation by the members of the governing body of an organization.
- Risk management. The identification, analysis, assessment, and control of risks, and the avoidance, minimization, or elimination of unacceptable risks.
- Compliance. Certification or confirmation that the doer of an action, or the manufacturer/supplier of a product, meets the requirements of accepted practices, legislation, prescribed rules and regulations, specified standards, or the terms of a contract.
While the common thread is to minimize threats to an organization and its stakeholders, our view is that governance is the umbrella process. It ensures that risk management, compliance, and other relevant checks are under control.
So, when this chapter refers ...