The questions buyers, board members, and new GRC hires ask on the way to a working program.
What is the difference between compliance and risk management?+
Risk management is the forward-looking discipline of identifying what could go wrong, scoring how likely and how damaging each risk is, and deciding what to do about it. Compliance is the work of proving that controls meet externally imposed requirements (laws, regulations, contracts, standards) and internal policies. Put simply: risk management asks 'what could harm our objectives and how do we treat it?', while compliance asks 'can we evidence that we meet our obligations?'. They share most of the same controls and source data, which is exactly why an integrated GRC program runs them together rather than as two disconnected functions.
What are GRC tools?+
GRC tools are the software platforms that operate a governance, risk, and compliance program from one place: a risk register, a shared control library, a policy library, an assessment engine, vendor risk, audit workflow, and board reporting. The market splits into integrated GRC platforms (one tenant across all functions, where RiskWatch sits), compliance automation tools, internal audit and SOX platforms, vendor and third-party risk tools, policy management tools, and ERM or quantitative risk platforms. The defining feature of an integrated GRC tool is cross-mapping: one control maps to many frameworks, so a single piece of evidence satisfies every assessment that references it.
What does GRC stand for?+
GRC stands for Governance, Risk, and Compliance. Coined and formalized by the Open Compliance and Ethics Group (OCEG) in 2002, the term describes the integrated discipline of running the three functions as one system rather than as three independent programs. OCEG's working definition is 'the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity.'
What is the goal of GRC?+
The goal of GRC is to align governance structures, risk-management practices, and compliance activities so that the organization can reliably hit its objectives, address uncertainty inside a known appetite, and act with integrity. In practical terms it means one register, one control library, one policy library, and one reporting stack feeding the board rather than three uncoordinated programs producing three contradictory narratives.
What is the difference between GRC and IRM?+
IRM (Integrated Risk Management) is the Gartner-coined evolution of GRC. The substance is largely the same; the framing is different. GRC organizes the conversation around three functions (governance, risk, compliance); IRM organizes it around a continuous loop of strategy, performance, and risk. In practice the platforms compete head-to-head and most buyers treat the terms as synonyms. Gartner now publishes both an IRM Magic Quadrant and a Compliance Automation Magic Quadrant.
What is the difference between GRC and ERM?+
ERM (Enterprise Risk Management) is the parent discipline. ISO 31000 and COSO ERM both define it as the program-level practice of managing risk across the whole enterprise (strategic, operational, financial, compliance, and reporting). GRC sits inside ERM as the operational toolkit that implements it. ERM is the philosophy; GRC is the way the work gets done day to day.
Who is responsible for GRC in an organization?+
Accountability runs along the lines-of-defense model. The board and audit committee provide oversight. The first line (business owners) owns the risks and operates the controls. The second line (risk and compliance functions) sets methodology and challenges first-line scoring. The third line (internal audit) provides independent assurance. Day-to-day program management usually sits with a Chief Risk Officer, a Chief Compliance Officer, or a Head of GRC reporting to one of them.
What is OCEG?+
The Open Compliance and Ethics Group is a non-profit think tank founded in 2002 that defined the GRC capability model. OCEG maintains the GRC Capability Model (also called the Red Book), publishes practitioner certifications (GRCP and GRCA), and is the closest thing the discipline has to a standards body. The GRC term itself originated in OCEG's founding documents.
Do I need GRC software or can I run it on spreadsheets?+
Spreadsheets work until the program adds its second framework, its third assessor, or its fourth business unit. At that point the cost of keeping spreadsheets in sync exceeds the cost of moving to a platform. The break point is usually around 50 to 100 active risks, 3 or more frameworks, or 5 or more named control owners. Until then a well-disciplined spreadsheet is a reasonable starting point; the discipline matters more than the tool.
What is a GRC framework?+
A GRC framework is the published model an organization uses to structure its governance, risk, and compliance work. The most common are ISO 31000 (risk management), COSO ERM (enterprise risk), ISO 37301 (compliance management), COSO Internal Control (governance and control), and the OCEG GRC Capability Model (the integrated view). Most programs use a stack rather than a single framework: COSO for control, ISO 31000 for risk, and the relevant regulatory frameworks (ISO 27001, SOC 2, NIST CSF) for compliance.
How much does a GRC program cost?+
It varies widely. A small SaaS running a single framework on a compliance automation tool can run $20,000 to $50,000 a year fully loaded (platform plus one part-time owner). A mid-market firm running 4 to 6 frameworks on an integrated GRC platform is typically $100,000 to $300,000 a year. A large enterprise running 10 or more frameworks on a tier-one platform with a dedicated GRC team is $500,000 to several million annually. Platform cost is rarely the dominant line; people and audit fees are.
What is the difference between a GRC program and a security program?+
A security program owns the controls that protect information assets. A GRC program owns the framework, methodology, and reporting that documents, assesses, and aggregates the work of the security program (and the privacy, legal, finance, and operations programs) into an executive view. Security operates the controls; GRC tells the story of whether those controls are sufficient relative to the organization's risk appetite. The two functions live next door and share most of the same source data.
How long does it take to set up a GRC program?+
The first usable register and reporting cadence should land within 60 to 90 days. A foundational program covering one risk taxonomy, one control library, two or three frameworks, and a quarterly reporting cadence typically reaches steady state inside 6 to 9 months. Maturity (continuous monitoring, KRIs wired to data sources, quantitative risk on the top 20, cross-mapped controls across 5 or more frameworks) usually takes 18 to 24 months. The discipline grows by accretion, not by re-platforming.
What is the GRC Capability Model?+
The OCEG GRC Capability Model is the published reference architecture for an integrated GRC program. It defines four components (Learn, Align, Perform, Review) and the practices inside each. It is the framework most often referenced when someone says they are running 'OCEG-aligned GRC.' The model is free to download from OCEG and underpins the GRC Professional (GRCP) certification.