Governance, Risk, and Compliance (GRC) are necessary functions within enterprises, but businesses tend to structure and run them differently. For example, in some companies GRC operates as three separate, siloed functions. Other companies have a single GRC function staffed with GRC specialists, if not GRC-certified professionals.
Even when GRC operates as a combined organization, cyber security – another risk function – tends to operate separately. One reason is that GRC functions are viewed as business functions, while cyber security is viewed as more of an IT (technology-oriented) function. However, as any cyber security incident demonstrates, the scope of risk fallout tends to impact more than one function simultaneously.
Governance is often thought of as synonymous with data governance, but corporate governance has a higher-level responsibility. Corporate governance balances the interests of various stakeholders and helps the company realize its strategic objectives through frameworks, rules, practices, processes and performance measurement, among other things.
In a data-centric context, governance helps ensure that only authorized parties have access to the data they wish to use. Data governance rules extend beyond compliance, because the use of data is also governed by laws and regulations.