GRC stands for governance, risk, and compliance. Let’s take a closer look at each component below.

Governance

Governance is the set of rules, business processes, and policies that steer an organization toward its purpose, mission, vision, and values while ensuring accountability, transparency, and ethical behavior. It starts with leadership and sets the direction for operations and administration, ethics, enterprise risk management, compliance, and more.

Governance balances the interests of all stakeholders and gives leaders a framework for making decisions that align with the organization's objectives, including how much cyber risk the organization is willing to accept and who is accountable for managing it.

Key activities include:

Risk

Risk, or more precisely risk management, refers to the day-to-day, largely technical processes an organization uses to identify, assess, mitigate, and monitor the risks it faces.

Key activities include:

Compliance

Compliance is the set of steps a company takes to meet the standards and regulations it must satisfy to operate safely and legally. This includes the due diligence required for security standards and attestation frameworks such as SOC 2® and ISO 27001, data privacy legislation such as the GDPR and HIPAA, and industry requirements such as PCI DSS.