The business activities known as governance, risk and compliance (GRC) are tightly linked. Governance, risk management and compliance management are separate but closely related activities that take place in any organization. Governance is essential to the management of a corporation. Without it there can be no reliable way to guide the actions of individuals to align them to corporate objectives and requirements. Risk, for its part, comes in many forms, including internal failure, unfavorable external events and catastrophes. Managing risk involves anticipating negative events, understanding their costs, determining whether the potential benefits outweigh risks, and applying controls either to prevent risk events or mitigate their impact. And because all companies exist in some legal and regulatory jurisdiction, compliance with existing laws and regulations is essential.
This benchmark research program identified, explored and quantified the ways in which finance, line-of-business operations and IT departments in companies each approach and execute their governance, risk and compliance management efforts. It determined the value to companies of the most effective GRC processes and assessed the maturity of existing GRC efforts, especially in their use of information technology.