GRC Compliance: Where “Compliance” Fits Inside GRC
Introduction
“GRC compliance” is an inherently redundant term since compliance is one of the three GRC elements. However, it has become widely used to define the particular activities of compliance that take place in GRC programs. Below, you will find out how compliance works in GRC and how it can be managed.
Compliance’s Role Within GRC
Of the three elements of GRC, compliance is the element concerned with ensuring that the organization adheres to all the applicable laws, regulations, industry best practices, and its own policies.
Governance
Governance makes the policies and provides for accountability.
Risk Management
Risk management determines and manages the potential problems.
Compliance
Compliance ensures that the organization is actually doing its part to fulfill the obligations, whether these are externally (legally and regulationally) imposed or internally (as its policies) set.
These three continuously influence one another, a compliance gap usually means unmanaged risks, and the policies usually are established by the governance process.

What Compliance Work Actually Involves
Identifying Applicable Requirements
Determining precisely what set of laws and regulatory frameworks governs the organization, since this depends on the industry, location, size of the firm, and even the particular activities undertaken (e.g., handling health data, conducting transactions, international operations).
Implementing Controls
Implementing certain procedures, technical controls, and policies with the intention of meeting those requirements, access controls, data handling policies, training employees and other such means.
Monitoring and Testing
Making sure that the controls are effective by putting in place a process of checking whether the policies actually reflect reality or not. This could be anything from regular manual checks to real-time automated checks.
Documentation and Evidence Collection
Having documentation that proves you did something right is important because compliance can be proven not just by doing things correctly but by being able to demonstrate that you did.
Remediation
Identifying deficiencies or shortcomings from monitoring and audit activities, and resolving these through to completion rather than leaving them outstanding.

Common Compliance Frameworks and Requirements
Compliance work could include any of the following:
- Privacy laws such as GDPR (Europe) or CCPA (California)
- Compliance to security standards such as SOC 2 or ISO 27001, which is frequently required from organizations prior to entering into any contract
- Laws specific to the industry such as HIPAA (healthcare) or PCI DSS (credit card information)
- Conformity with internal policies of the organization itself
Why Compliance Has Become More Central to Business Operations
Traditionally, compliance was seen strictly as a defense mechanism; as an expense center that had to be engaged in order to prevent legal penalties. This paradigm has changed significantly in the past few years especially for tech companies since compliance certifications (such as SOC 2, ISO 27001) became necessary to even begin discussing a sale with an enterprise customer. Lack of a certificate will actually kill a sale.
Manual vs. Automated Compliance Management
For smaller companies, compliance may be managed in-house through spreadsheet and review techniques. As the number of regulations and controls increases, however, it becomes increasingly challenging to do this in an effective way. That is one reason why so many companies invest in compliance management or GRC software solutions which can automate the evidence gathering process directly from the cloud infrastructure.

Compliance Ownership Within an Organization
Depending on organization size, compliance responsibilities may lie with various organizational units within an organization. In small businesses, compliance responsibilities can be distributed among the various roles in the company (Legal, IT, Operations). Compliance personnel can also be hired or appointed in larger firms and those that face many regulatory requirements.
Common Mistakes in Managing GRC Compliance
- Seeing compliance as an “one-off effort” aimed at achieving a particular certification rather than an ongoing process.
- Producing compliance documentation based on policy that does not match reality, thus creating a discrepancy which comes up in an audit.
- Over-relying on manual checks that take place periodically without putting enough emphasis on monitoring.
- Not mapping requirements across several frameworks, thus making compliance efforts duplicative.
Bottom Line
Compliance is the stage where the effectiveness of governance and the risk mitigating practices is measured and verified. Due to the increasing demand for certification in order to comply with regulatory requirements and to meet client’s demands, compliance has moved beyond being a defense-oriented process to something that impacts revenues, hence, becoming vital for any company irrespective of its size.