How GRC Can Help You Gain Real Control

Every now and then someone asks me what GRC is and what if anything it has to do with business continuity and IT/disaster recovery. Keep reading for the answers to these and other questions about this acronym that turns up as often as the letters in a bowl of alphabet soup.

 Related on BCMMETRICS: Rethinking Risk: A Better Way to Think About Risk in Business Continuity Management



GRC stands for governance, risk management, and compliance and it is an approach to managing organizations that in the opinion of myself and others is a big improvement on the traditional approach.

In the traditional approach, the three activities of governing the organization, managing risk at the organization, and ensuring the organization is compliant with the applicable laws, regulations, and standards take place in different silos.

GRC recognizes that these three areas are actually parts of the same high-level activity, that of helping the organizational get where it wants to go safely and responsibly.

GRC strives to bring these areas together for greater organizational coherence and efficiency.

By doing so, GRC can help leaders gain real control of their organizations.


GRC is formally defined by the think tank that developed the concept (OCEG) as “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.”

Think of the organization as a car driving down the highway. GRC takes in the functions related to making sure the car goes where it’s supposed to, stays in its lane, avoids road hazards, and obeys the traffic laws.

GRC takes in the mature, prudent, grown-up aspects of managing an organization.

If you were to compare the organization to a family, anything that seems like something a responsible parent would take care of is probably part of GRC.

In addition to corporate governance, risk management, and compliance, GRC is commonly seen as including the legal, audit, finance, and HR departments, as well as business continuity and IT/disaster recovery.


There are many benefits for an organization in adopting GRC. Two of the main ones are:

  • It allows for better information-sharing among the three functions of governance, risk management, and compliance, leading to enhanced business intelligence and better decision making in all three areas.
  • It reduces duplication of effort among the three functions, resulting in savings both for those areas and for those they impact.

Let’s take a closer look at the three components that make up GRC.


Governance is the system of rules, practices, and processes by which the organization is controlled. These are established and executed by the board of directors and senior executives and are reflected in the organization’s structure.


Risk management may also be known as enterprise risk management (ERM). It is the activity of identifying and mitigating the internal and external risks that face your business.

A sound ERM program has the following seven components:

  1. Risk inventory. Identifying the 5 to 10 main risks the company faces.
  2. Risk committee. Establishing and staffing a cross-functional team to analyze all risks across departments and externally.
  3. ERM team. Identifying a head of enterprise risk or chief risk officer and identifying the roles needed to support this person.
  4. Common risk language. Identifying the terms that will be used to define the various aspects of the risk management program and taking steps to ensure they are used consistently.
  5. Risk appetite. Quantifying how much risk the organization faces with each inventory item and determining how much risk the leadership is prepared to live with.
  6. Action plans. Deciding what steps the organization will take to mitigate risk, how much it will invest in the way of resources, and who is responsible?
  7. Reporting. Identifying which metrics will be used to assess enterprise risk and deciding how they will be tracked.

There are four strategies to manage risk:

  • Avoid the risk. Eliminate activities that bring on the risk.
  • Reduce the risk. Take steps to reduce the likelihood of a negative event occurring.
  • Share the risk. Take out insurance to help cover the risk.
  • Accept the risk. Simply live with the risk, acknowledging that if the threat occurs the organization will have to bear the consequences.


Compliance is about conforming with the laws, regulations, and standards that apply to the organization.


GRC recognizes that governance, risk management, and compliance are all part of the same, high-level activity of getting the organization to the desired destination efficiently, safely, and responsibly.

BCMMETRICS’ suite of business continuity software tools—BIA OnDemand, Planner, BCM One, Compliance Confidence, and Residual Risk—can help your organization in achieving this valuable aim.


For more information on GRC and other hot topics in BC and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting:

Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.

Business continuity consulting for today’s leading companies.

Follow Us

© 2024 · MHA Consulting. All Rights Reserved.

Learn from the Best

Get insights from almost 30 years of BCM experience straight to your inbox.

We won’t spam or give your email away.

  • Who We Are
  • What We Do
  • Blog