Selecting GRC Software?

Monday, September 29th, 2008

The term GRC (Governance, Risk and Compliance) is hugely overloaded. By overloaded in this case, I mean that it has multiple definitions, much like an overloaded method in code that has several meanings, some depending on where it sits in the process stack. Let's take the three terms (G, R and C) apart so you can see further what I am driving at.

Governance of IT most often means aligning the needs of the business to the capabilities of the IT resources. What if we could automate governance; what would it look like? I would argue that it looks like a change management system, but it could also be a policy management system or a performance scorecard. Risk is often looked at as management of the risk to the enterprise created by the IT infrastructure of the business. From IT's point of view, shouldn't we really be concerned only with the risk to the business resulting from IT's ability to manage business data? Does that mean Disaster Recovery and Business Continuity? Well, yes, but it also means data loss prevention, incident management, and vulnerability management. Compliance, usually IT security compliance, means data protection using IT governance and IT risk management tools and techniques. It could also mean software licensing compliance, security setting management, security alert logging, and intrusion detection.

My purpose with this discussion is to remind those new to GRC, and in particular those looking for GRC software, that GRC has many meanings and means many things to different organizations. First focus on the GRC needs of the organization. Prioritize and price those needs, compare existing software and tools, and then go looking for software to close the organization's GRC gaps. Very rarely will a GRC gap analysis result in a single software package purchase. Likewise, GRC is heavily people and process driven, so don't expect software to close much more than about 20% of the GRC gaps in your organization.