The Executive Board of any large enterprise wants to know that the organization is appropriately protected against potential risk. The ultimate objective of risk management is to define and understand the risk tolerances of the enterprise and manage to those tolerances, optimizing the risk/return of the business. In addition, increased accountability and transparency are being demanded of corporate executives and boards of directors by both customers and regulatory agencies. Renewed enforcement and enhancement of regulatory requirements are becoming more evident, and the costs associated with compliance are increasing significantly. This is occurring at the same time that resources are being stretched thin, if not altogether eliminated.

It has been estimated that spending on Governance, Risk & Compliance (GRC) exceeded $32 billion in 2008 [i]. Budget priorities are becoming more focused on enterprise and operational risk management. As enterprises continue to spend time, money and resources on GRC, finding effective and economically sound ways to identify and manage the processes and procedures implicit in GRC is an enterprise imperative.

Governance, Risk Management, and Compliance, or GRC, is the umbrella term covering an organization's approach across these three areas. Because they are closely related concerns, governance, risk and compliance activities are increasingly being integrated and aligned to some extent in order to avoid conflicts, wasteful overlaps and gaps. While interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.

Governance Management

Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.

Risk Management

Risk management is the set of processes through which management identifies, analyses and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks), external legal and regulatory compliance risks are arguably the key issue in GRC.

Compliance Management

Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.