
Governance, Risk & Compliance

"Governance, Risk Management, and Compliance (GRC) are three pillars that work together for the purpose of assuring that an organization meets its objectives. ... Governance is the combination of processes established and executed by the board of directors that are reflected in the organization's structure and how it is managed and led toward achieving goals. Risk management is predicting and managing risks that could hinder the organization to achieve its objectives. Compliance with the company's policies and procedures, laws and regulations, strong and efficient governance is considered key to an organization's success."


Organizations reach a size where coordinated control over GRC activities is required to operate effectively. Each of these three disciplines creates information of value to the other two, and all three impact the same technologies, people, processes and information.


  • Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.


  • Governance of risk management is the attention given to preventing excessive risk management by keeping in mind the organization’s appetite for risk. Sufficient countermeasures are required rather than excessive, unnecessary and pointless measures. The risk of risk management is that the good intentions become wasteful expenditure or impediments to growth, innovation and opportunity.


  • Risk management is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.


  • Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.

Moving From IT Governance to Enterprise Governance of IT


IT Governance is a concept that emerged suddenly and became an important issue in information technology. “Improving IT governance” made Gartner’s Top 10 CIO Management Priorities for the first time in 2003. In 1998, the IT Governance Institute (ITGI) was founded to disseminate the IT governance concept.


After the emergence of the IT governance concept, the notion received much attention. However, due to the focus on “IT” in the naming of the concept, the IT governance discussion remained mainly within IT. In the field, many IT governance implementations are driven by IT, while one would expect that the business would and should take a leading role as well. It is clear that business value from IT investments cannot be realized by IT, but will always be created on the business side. For example, there will be no business value created when IT delivers a new customer relationship management (CRM) application on time, on budget and within functionalities, if afterwards the business does not integrate the new IT system into its operations. Business value will be created only when new and adequate business processes are designed and executed, enabling the sales department of the organization to increase turnover and profit.


This realization that the involvement of business is crucial initiated a shift in the definition toward Enterprise Governance of IT. Enterprise governance of IT is an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the organizations that enable both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT-enabled investments.1 Enterprise governance of IT clearly goes beyond IT-related responsibilities and expands toward IT-related business processes necessary for business value creation.

Additionally, the International Organization for Standardization (ISO) moved in this direction with the release in 2008 of a worldwide standard defined as “Corporate Governance of IT” (ISO/IEC 38500:2008). In this standard, ISO puts forward six principles for IT governance, addressing both business and IT roles and responsibilities, and expressing preferred behavior to guide IT-related decision making.
