GRC: Just Another Acronym?

Governance, Risk Management and Compliance (GRC) is a methodology that provides organizations with an integrated approach to cyber security maintenance. It is most efficient when executed in its entirety as a three-pronged but single initiative though they are often considered separately.

  • Governance is the process ensuring effective and efficient use of Information Technology (IT) to enable an organization to achieve its fundamental goals.
  • Risk Management is the process of identifying, assessing and managing risk as a way to help achieve an organization’s objectives and based on its tolerance for threats -- in short, clearly establishing the company's risk acceptance or risk avoidance.
  • Compliance involves adhering to accepted practices, rules and regulations within a business at an industry or governmental level --or both.

One should take a holistic approach to GRC, as with any control or protocol it establishes to mitigate a risk. That is, the cost to implement the control should be less than the cost of actual exposure to the risk being mitigated. This approach is expanded by GRC when an individual or business considers costs associated with non-compliance -- namely, fines or penalties.

The culmination of Governance, Risk Management and Compliance occurs when IT policies help convert the desired behaviors of team members into a formal, successful cyber security plan.

HBK Risk Advisory Services can help you design and develop your own GRC program to protect your business. Contact Bill Heaven at 330-758-8613; or via email at As always, HBK is here to answer your questions and discuss your concerns.

Please indicate the industry that your company operates in: *

About the Author(s)
Bill is a Senior Manager in HBK’s Risk Advisory Services and works out of the firm’s corporate office in Youngstown, Ohio. He specializes in cyber security, IT security, external IT audit, internal IT audit, IT consulting, software Development, IT governance, PCI-DSS, supply chain, system implementations and e-Commerce and has worked for a wide range of industries, including the Public Accounting field. Bill is a certified public accountant, a certified information system auditor, and a certified supply chain professional.
Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.