Governance, risk, and compliance (GRC) is the term covering an organization's approach across three practices: governance, risk management, and compliance, among other disciplines. They are goals structured by an organization to ensure it meets industry and government regulations.
Corporate financial scandals in the 1970s in the United States led to the creation of the organization, the Committee of Sponsoring Organizations of the Treadway Commission ("COSO"), by major US accounting associations; COSO issued reports calling for better controls over financial accounting, and standards to achieve those controls.
Calls for stricter internal controls and financial reporting standards for companies were driven by high-profile corporate scandals in the 1990s in the UK, leading to the Turnbull Report, and by similar scandals in the United States in the early 2000s, such as the Enron scandal, which led to the passage of the Sarbanes–Oxley Act in the US. COSO updated their standards accordingly.
As companies began efforts to comply with these regulations, the interconnectedness of governance, risk management, and compliance became clear. The term was introduced in the early 2000s by analyst Michael Rasmussen during his time at Forrester Research, where he used it to describe the convergence of governance, risk management, and compliance functions. This created a market for training and software to bring these functions together; for example, in 2002, Symbiant, a UK software development company, created the first GRC software that let teams work together online, combining risk registers, evaluations and audit tracking in one system. The term "Governance, risk, and compliance" or "GRC" was published by Michael Rasmussen, founder of GRC 20/20 Research, and Scott Mitchell, founder of the Open Compliance and Ethics Group (OCEG), in an academic paper in 2007.
Early development of the GRC market was influenced by regulatory changes such as the Sarbanes–Oxley Act in the United States, which drove demand for tools and frameworks to manage internal controls and compliance requirements. This period saw the emergence of software platforms designed to integrate risk, control, and compliance activities, with vendors including OpenPages, Archer, and MetricStream among early participants in the space.
Initial GRC implementations were often compliance-centric, focused on meeting regulatory obligations. Over time, the concept evolved to emphasize a more strategic and integrated approach, aligning governance, risk management, and compliance activities with organizational objectives and performance.
Governance, risk, and compliance (GRC) are three related facets that aim to assure an organization reliably achieves objectives, addresses uncertainty and acts with integrity. Corporate governance is the combination of processes established and executed by the directors (or the board of directors) that shape the organization's structure and assigns roles, enterprise risk management is predicting and managing risks that could hinder an organization from reliably achieving its objectives under uncertainty, and compliance refers to adhering with the mandated boundaries (laws and regulations) and voluntary boundaries (company's policies, procedures, etc.).
Governance, risk and compliance (GRC) is a discipline that aims to synchronize information and activity across governance, risk management, and compliance in order to operate more efficiently, enable effective information sharing, report activities more effectively and avoid wasteful overlaps. If these functions are not integrated and are instead tackled in a traditional "silo" approach, most organizations must sustain unmanageable numbers of GRC-related requirements due to changes in technology, increasing data storage, market globalization and increased regulation.
Specific fields have developed their own GRC approaches; there are financial GRC (aka FinGRC), legal GRC, and operational GRC.
As companies have begun to adopt artificial intelligence to help run their businesses, the risks intrinsic to AI raise GRC challenges to the companies using AI products. As of 2025, some companies were beginning to adopt AI tools to help them manage GRC.