What is GRC? Governance, risk & compliance explained

Governance, risk and compliance — three areas that, taken together, determine how an organisation is run. But what does that mean in practice, and what does it take to make them work as one? That's what we'll explore here.

BG-thin-right-gradient-SVG

What is GRC?

GRC is an umbrella term covering three areas of work which together determine how well an organisation is run and stays on the right side of the law, of risk and of its own objectives. In Swedish, the phrase "styrning, riskhantering och regelefterlevnad" is also used.

GRC is usually broken down into three sub-areas:

  • Governance: how the business is actually run day to day — roles, responsibilities, decision-making and follow-up. Typically owned by the CEO, the board and the senior leadership team.

  • Risk management: identifying, assessing, managing and following up risks that could affect the organisation's objectives. Typically owned by the head of risk, the CRO or a risk committee.

  • Compliance: ensuring adherence to laws, industry rules and internal policies. Typically owned by the compliance officer, the Head of Legal or the internal control function.

That's the textbook division. In practice, though, the areas blur into each other. An NIS2 question is simultaneously a risk question, a compliance question and a governance question. A supplier assessment touches on information security, data protection and internal control all at once.

And it's precisely at those seams that the problems show up. That's why it's more useful to think of GRC as a single, joined-up system for running the business than as three separate functions.

How do governance, risk management and compliance differ?

The simplest way to tell them apart is by the question each one asks.

  • Governance asks: "who makes the decisions, and on what basis?".

  • Risk management asks: "what could go wrong, and how likely is it?".

  • Compliance asks: "are we doing what we're required to do?". In practice the answers are often intertwined — but the questions still need to be asked separately, or they get lost.

Four common challenges in GRC work

Most organisations already do GRC work in some form. The question is how. We see four patterns recurring among the organisations we speak to — regardless of sector and regardless of maturity.

Fragmented work

Risk is handled in one tool, information security in another, internal control in a third. Compliance lives in Excel. Each part works — in isolation. But no one sees the whole picture, and at the seams between them you get both duplicated effort and blind spots. A clear example is the way ICT risks are often handled entirely separately from the rest of risk management, which we cover in our article on how to integrate ICT risks with the organisation's risk management.

Lack of overview

Leadership gets reports, but they come from different systems, at different times, with different definitions of what counts as "red" or "green". Decisions are made without a single picture of the risk landscape, and follow-up becomes reactive rather than directive.

Unclear ownership

Responsibility is spread across several functions — legal, IT, security, the business, quality — and when everyone owns a piece, no one owns the whole. Critical issues fall through the cracks or get picked up too late.

Reactive work

When structure is missing, GRC work turns into a string of firefighting exercises. Time and resources go into fixing problems after the fact rather than preventing them. When a new piece of regulation comes into force — the Cybersecurity Act, NIS2, DORA, CSRD — work starts again from scratch instead of being absorbed into an existing structure. This isn't a problem you can solve with more tools or more people. It's a structural problem. And as long as the structure is missing, complexity grows faster than control.

Risk as the hub: how GRC work hangs together

Risk isn't just another domain alongside compliance and information security — it's the logic that ties them together. Why? Because risk is the only perspective that forces you to prioritise. At worst, compliance can become an endless checklist of requirements to tick off.

Information security can be reduced to a set of technical controls. Internal control can ossify into an annual cycle. But when you start from risk — what could go wrong, how likely is it, and what would the consequences be? — every activity gets tied back to the actual situation the business is in.

For anyone who wants to dig deeper into this perspective, we've written more about what risk maturity looks like in practice — that's often where the difference between an organisation that succeeds and one that gets stuck becomes visible.

In concrete terms, that means:

  • A compliance question only becomes interesting once it's tied to a risk. What is it we're trying to protect ourselves against? Which controls deal with that risk? Compliance then becomes a result of good governance — not a goal in its own right.

  • An information security measure is prioritised on the basis of which information assets are most critical and what threats they face — not on the basis of what happens to be easiest to implement.

  • Internal control becomes a system for verifying that the most significant risks are under control, rather than a separate annual cycle running alongside the business.

When you make risk the hub, you also get a shared yardstick. Risk is the language the CISO, the head of risk, the Head of Legal, the controller and the CEO can all understand together. It's where the conversation about GRC can move from "what do we need to do to avoid a fine?" to "what do we need to do to keep the business running when the weather turns?".

Specialists aren't enough — GRC has to work across the whole organisation

This is the point where most GRC initiatives lose momentum, and it's worth pausing on. We see the same pattern again and again: organisations invest in a capable CISO, a competent head of risk, an experienced Head of Legal. Each one builds a structured picture of their own area. And then the work stops there.

Frameworks get written that no one outside the specialist function ever reads. Risk assessments are done in parallel tools that managers in the business never see. Compliance responsibilities are documented in policies that don't affect how the work is actually done.

This isn't a knowledge problem — the specialists know their stuff. It's an adoption problem, and it's something we go into more deeply in our article on governance of information security.

GRC only becomes real value when:

  • Line managers know which risks they're responsible for and can see the status without having to call the CISO.

  • Process owners understand which controls they need to carry out and can sign them off where the work actually happens.

  • Leadership gets a single view of the risk landscape without anyone having to stitch three different reports together by hand.

  • The auditor can follow the chain from risk to control to action to follow-up without having to export data.

     

These aren't details about a tool — they're the difference between GRC work that lives inside the specialist's head and GRC work that genuinely becomes part of how the business is run.

Some of that comes down to tools and workflows; an equally important part is about building knowledge and security awareness on an ongoing basis throughout the organisation, so that the structure the specialist has built actually lands with the people who need to act on it.

Which frameworks are used in GRC?

Most organisations that take a structured approach to GRC lean on established frameworks. Here are some of the most common:

ISO 27001 / ISO 27002 — the international standard for information security management systems. It's built around risk as the starting point and requires documented governance, risk assessment and continuous improvement. It's often the first framework an organisation gets certified against.

NIS2 and the Cybersecurity Act — an EU directive and a Swedish law respectively, both setting cybersecurity and risk management requirements for a broad group of organisations. The Cybersecurity Act takes effect on 15 January 2026.

DORA — an EU regulation on digital operational resilience in the financial sector, focused on ICT risks and third-party management.

GDPR — the foundational data protection regulation, setting requirements for how personal data is handled, documented and protected.

Alongside these, frameworks such as the NIST Cybersecurity Framework (cybersecurity) and ISO 31000 (risk management principles) often appear as complements, depending on the sector and the need.

How do you get started with GRC? Four steps that actually work

A structure that holds up isn't an impressive org chart in a PowerPoint deck. It's a way of working that can be scaled up without losing control.

1. Understand — map out what needs to be governed

You can't govern what you can't see. The first step, then, is to build a shared picture of which processes and assets are critical to the business, which regulations and internal policies apply to them, and which roles and responsibilities are attached to them.

This shouldn't be a one-off exercise. It should be a living foundation that gets updated as the business changes. It's the bedrock everything else sits on.

2. Assess — put risk at the centre

Once that foundation is in place, the next step is to assess the risks tied to it. What could go wrong? How likely is it? What would the consequence be? Which controls do we already have in place? Read our article on how to work with risk assessment — and if you'd like help visualising the prioritisation, the risk matrix is a tried-and-tested tool that does the job. This is the heart of a risk-driven way of working. A well-thought-out risk assessment gives you two things: a basis for prioritisation (where should we put our resources?) and a shared language (what do we actually mean when we say something is "high priority"?).

3. Act — deal with risks where they sit

Structured governance means that actions land with the right person, at the right time, with the right mandate. This is where most organisations lose momentum: a risk gets identified, an action plan gets drawn up — and then it quietly drifts off into the sand.

For anyone wanting to see how this plays out in a specific context, we've summarised seven success factors in working with ICT risks, where the same principles come up. For the compliance side, where actions often take the form of controls, we've also written about five steps to more effective internal control.

A sustainable structure makes it easy to assign ownership, set deadlines and see status. Not in parallel systems, but in the same workflow where the risk was assessed.

4. Follow up — make it a living process

The final step is to close the loop. Completed actions need to be followed up, controls need to be tested, status needs to be reported. Not once a year, but on an ongoing basis. When it comes to scenarios such as business disruption, business continuity planning is a clear example of where structure and preparation make a difference when things get serious.

When the four steps are joined up — understand, assess, act, follow up — GRC becomes a continuous cycle rather than a series of projects. And that's when the structure holds up even when new regulations come along or the business grows.

What is a GRC system, and what does it do?

A GRC system is software that ties governance, risk management and compliance work together into a single structure. The difference from point tools (such as a risk-tracking Excel sheet, a separate policy database or an incident management system) is that information can flow between the domains — a risk is linked to a control, the control is linked to a policy, the policy is linked back to the regulation that requires it.

In practice, that usually means five core capabilities:

  • A risk register with ownership. Every risk documented, prioritised and assigned.

  • Controls linked to risks. A traceable connection from risk to control to action — not separate lists.

  • Policies and governing documents. Version-controlled and linked to the regulations and controls they meet.

  • Dashboards and reporting. A single view for leadership, the board and the auditor — without manual stitching together.

  • Distributed ownership. Line managers, process owners and system owners can work in the system too, not just specialists.

     

The market today splits roughly into three categories. Automation-focused tools that primarily automate technical controls for SaaS companies. Heavy enterprise systems built for large global groups with multi-layered regulatory needs. And in between: governance platforms built for mid-sized and larger organisations in the public sector, healthcare, finance and industry — where what's needed is structured governance the whole organisation can take part in, rather than the automation of a narrow set of compliance frameworks.

How do you know it's time to get a GRC system?

There isn't an exact level of maturity at which the need appears, but there are a few signs that come up repeatedly:

  • The Excel sheets have outgrown their britches — several people edit the same file, and version control has been lost without a trace.

  • You have at least two GRC-related roles (head of risk, CISO, compliance, internal control) who currently don't work in the same system.

  • A new piece of regulation has meant that ad hoc work no longer cuts it — often NIS2, DORA or CSRD.

  • Leadership or the board has asked for consolidated reporting that no one can currently produce without manual effort.

  • You've had an incident or an audit where the question "who owns this?" was harder to answer than it should have been.

     

If two or more of the points above apply, you're probably ready to start. The most common entry point is risk management or information security — and then the work expands into other areas as the structure beds in.

From specialist work in silos to governance across the whole organisation

The biggest difference between organisations that experience GRC as a burden and those that experience it as a lever doesn't lie in how much work they put into it. It lies in who actually does the work.

In the first group, GRC is a specialist concern. Risk is handled by the risk function, security by the CISO, compliance by legal. Each one produces their own documents. But leadership doesn't get a single view, line managers don't know about their controls, and the whole picture never sits in one place.

In the second group, GRC is a way of working that the entire business takes part in. The specialists set the structure, but the work happens where it belongs — with process owners, line managers and system owners. Ownership is distributed, and that's exactly why it lasts. That's the way of working that the Stratsys GRC platform is built for. Not for the specialists alone, but for the whole organisation.

Discover the Stratsys GRC solution

Frequently asked questions about GRC

What is the difference between governance, risk management and compliance?

Governance is about how the business is run — roles, responsibilities, decision-making and follow-up. Risk management is about identifying, assessing and managing risks that could affect the objectives. Compliance is about adherence to laws, regulations and internal policies. In practice, the three overlap: a compliance question is often also a risk, and a risk is handled through governance. That's why we recommend working with them as a single joined-up system, with risk as the logic that ties them together.

Who is responsible for GRC in an organisation?

The short answer is: several people. The head of risk owns the risk management process, the CISO is responsible for information security, the Head of Legal or compliance officer covers regulatory compliance, and the head of internal control owns internal control. The long answer is that GRC only works once responsibility is distributed out into the organisation — line managers own their risks, process owners own their controls, and leadership has a single view. That's the difference between GRC work that lives with the specialists and GRC work that actually steers the business.

What is a GRC tool or a GRC platform?

A GRC tool is a system that supports work on governance, risk management and compliance. A GRC platform goes a step further — it ties several domains (risk, information security, data protection, internal control, third-party risk) together in a single structure so that information can flow between them. The difference isn't technical, it's organisational: a tool solves a narrowly defined problem, a platform supports a way of working across the entire organisation.

When do you need a GRC system?

Most organisations end up in the same place: Excel no longer cuts it, risks are managed in parallel across several tools, leadership gets reports that don't add up, and new regulations such as NIS2 or DORA mean the work can no longer be ad hoc. That's when a GRC system becomes relevant. The most common entry point is risk management or information security — and from there, the work expands into other areas as the structure beds in.

How do you get started with GRC work?

We recommend four steps: understand (map processes, regulations and roles), assess (identify and prioritise risks), act (assign ownership and carry out actions) and follow up (measure, report, adjust). The most important thing is not to try to do everything at once. Start with the area where the need is clearest — often risk or information security — and build out from there. A common pitfall is trying to put a complete GRC structure in place as a consulting project, which rarely survives its first year.

How does GRC connect to NIS2, DORA and other regulations?

NIS2 (cybersecurity), DORA (digital operational resilience in the financial sector), CSRD (sustainability reporting) and GDPR (data protection) are all regulations that require documented governance, risk assessment and follow-up. They aren't separate problems — they're different routes into the same underlying need for structured governance. An organisation with a working GRC structure can meet new regulations within its existing way of working rather than starting a new project every time. That's the whole point of working in a structured way.

What is meant by GRC maturity?

GRC maturity describes how structured and proactive an organisation's GRC work is. Low maturity means silos, reactive work and unclear ownership. High maturity means integrated governance, risk-driven prioritisation and continuous follow-up.

What does poor GRC cost?

The direct costs are the most visible: regulatory fines, incident costs and lost business. The indirect costs — time spent on reactive firefighting, delayed decisions, duplicated effort between teams — are often larger but harder to measure.

Studioevent: Resilience Insights - Riskhantering och styrning i en osäker värld.