Your security team is well aware of the cyber risk faced by your organization. The CISO and other upper management is tasked with making sure your IT organization is aligned with business goals. Various roles throughout your IT organization are responsible for maintaining compliance with laws and regulations governing data and information security. Your third-party relationship manager is responsible for risks associated with your extended enterprise.
Unless your organization has an IT GRC strategy, all of your risk and compliance capabilities will exist in different silos. That can make it difficult for your business to quickly deal with risk and uncertainty within its information technology organization.
What is GRC?
GRC stands for Governance, Risk and Compliance, although some organizations may use the acronym to stand for “Governance, Risk and Control.”
It is a strategy for managing an organization’s overall governance, enterprise risk management and compliance with regulations. The capabilities of GRC are often spread over different departments: internal audit, compliance, risk, legal, finance, IT, HR as well as the lines of business, executive suite and the board. However it broadly covers these three areas:
- Governance: Ensuring that organizational activities support the organization’s business goals.
- Risk: The identification, classification and addressing of any risk associated with organizational activities.
- Compliance: Ensuring that an organization is meeting compliance with all legal and regulatory requirements.
IT GRC extends that governance, risk management, and compliance to technology and cybersecurity. By including IT in the organization’s GRC strategy, cyber risk is no longer siloed away from financial risk or any of the other risks faced by a company. Similarly, GRC centralizes all compliance needs, including data privacy compliance.
GRC also provides a framework for aligning IT with the overall objectives of an organization, lets an enterprise to quickly make sound decisions about cyber risk, and prevents siloing when it comes to risk.
Essentially, an IT GRC strategy is important because it pulls together all of a company’s IT risk, compliance and governance functions into one strategy.
Where did the term “GRC” come from?
The term GRC originated in the early aughts, although its origins are a little murky. The OCEG (originally called the “Open Compliance and Ethics Group”) writes that its membership came up with the GRC acronym as a shorthand way of referring to the important capabilities that allow an organization to manage its overall governance, enterprise risk management, and compliance with regulations. Michael Rasmussen, the “father of GRC,” is also credited with coming up with the acronym when he was an analyst for Forrester in 2002.
Whatever its exact provenance, GRC was a reaction to a need for better controls and internal governance in large organizations in the early 2000s, and driven by the compliance requirements of the Sarbanes Oxley Act of 2002, and debacles like the Enron and WorldCom scandals, which showed the world just how much internal controls at large enterprises needed to be improved.
GRC evolved as a way to help organizations meet compliance, manage risk and provide internal governance.
It’s important to note that GRC is a strategy, rather than a platform, digital solution or any other set of tools. An organization builds a framework so that the organization can take a structured approach to managing risk, meeting compliance and maintaining governance over every area of IT.
Such frameworks usually provide a clear outline of the leadership and operation of an enterprise’s IT infrastructure, aligning it with the organization’s strategic business’s goals. They also include metrics, by which leaders can assess the effectiveness of the GRC framework.
How can security ratings help?
Although GRC is more than software, digital tools are often used to keep GRC operations organized and processes streamlined. Large organizations are complex and may often have to meet many compliance requirements, often taking into account quickly-changing regulations.
Similarly, risk changes quickly as well, and IT leaders may need to make decisions about risk quickly — having a digital tool that allows IT and cybersecurity leaders to see all risks in real time is important to good decision making.
SecurityScorecard Ratings, for example, allow you to present your organization’s business leaders with the most important cybersecurity KPIs for your extended enterprise. Our security ratings use an A-F scale across 10 groups of risk factors and automatically generate a recommended action plan when any issues are discovered. The easy-to-understand ratings scale enables you to provide your C-Suite with the necessary documentation to prove governance over your risk management program to meet increasingly stringent cybersecurity compliance requirements.

