GRC Fundamentals - Overview
GRC — Governance, Risk, and Compliance — is not three separate disciplines bolted together; it is an integrated collection of capabilities that enable an organisation to reliably achieve objectives while addressing uncertainty and acting with integrity [cite:448][cite:464]. The acronym was coined and formalised by the Open Compliance and Ethics Group (OCEG), which defines GRC as the capabilities that "integrate the governance, management, and assurance of performance, risk and compliance activities" to achieve Principled Performance [cite:448][cite:467]. Principled Performance means reliably achieving objectives (performance), addressing uncertainty (risk), and acting with integrity (compliance and ethics) — simultaneously, not sequentially [cite:464][cite:458]. When these functions operate in silos — governance disconnected from risk, risk disconnected from compliance, compliance disconnected from strategy — organisations suffer from duplicated effort, conflicting priorities, blind spots, escalating costs, and an inability to measure risk-adjusted performance [cite:448][cite:439]. OCEG's research found that organisations treating GRC as an integrated system experience lower compliance costs, faster response to regulatory change, better risk visibility, and stronger alignment between strategy and operations [cite:439][cite:436]. The GRC discipline is supported by two foundational models: the OCEG GRC Capability Model 3.5 (Red Book), which provides the capability architecture, and the IIA Three Lines Model, which provides the organisational structure for roles and responsibilities across management, risk/compliance functions, and independent assurance [cite:441][cite:464].
GRC Fundamentals - What It Is
The Three Pillars as a System
GRC integrates three interdependent disciplines into a unified operating model [cite:436][cite:448]:
| Pillar | Definition | Function Within GRC |
|---|---|---|
| Governance | The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organisation [cite:441] | Sets direction, defines risk appetite, establishes accountability, oversees performance |
| Risk Management | The coordinated activities to direct and control an organisation with regard to uncertainty [cite:438] | Identifies, assesses, treats, and monitors risks that could affect the achievement of objectives |
| Compliance | The adherence to mandatory requirements (laws, regulations) and voluntary commitments (standards, policies, ethical codes) [cite:448] | Ensures the organisation meets its obligations and acts with integrity |
The critical insight is that these pillars are not independent workstreams — they share common information, controls, processes, and technology, and must be coordinated to avoid gaps, redundancies, and conflicts [cite:439][cite:448].
OCEG GRC Capability Model 3.5 (Red Book)
The OCEG Red Book is the definitive open-source model for integrated GRC. Developed through collaboration with 300+ experts studying 500+ organisations, Version 3.5 is the current release [cite:464][cite:470]. The model is organised around four cyclical components [cite:464][cite:461]:
- LEARN — Understand the organisation's context, culture, and key stakeholders to inform objectives, strategy, and actions. This includes external environment scanning (regulatory, market, threat landscape), internal context assessment (capabilities, culture, resources), and stakeholder analysis [cite:464][cite:458]
- ALIGN — Align strategy with objectives, and actions with strategy, using effective decision-making that addresses values, opportunities, threats, and requirements. The output is an integrated plan of action with defined risk appetite, compliance requirements, control objectives, and performance indicators [cite:464][cite:458]
- PERFORM — Execute actions that promote and reward desirable outcomes, prevent and remediate undesirable outcomes, and detect events as soon as possible. This encompasses three types of controls [cite:439][cite:442]:
  - Proactive — Prevent problems before they occur (policies, training, access controls, approvals)
  - Detective — Identify problems when they occur (monitoring, testing, alerts, exception reports)
  - Responsive — Address problems after they are detected (remediation, corrective action, escalation, incident response)
- REVIEW — Evaluate the design and operating effectiveness of strategy and actions, and the ongoing appropriateness of objectives. This includes internal audit, management review, performance measurement, and continuous improvement [cite:464][cite:461]
These four components form a continuous cycle — review findings feed back into learning, which refines alignment, which improves performance [cite:464][cite:458].
IIA Three Lines Model
The Institute of Internal Auditors (IIA) Three Lines Model defines the organisational structure for GRC roles [cite:441][cite:438]:
| Line | Role | GRC Function |
|---|---|---|
| First Line | Operational management | Owns and manages risks while pursuing business objectives; implements controls; executes compliance activities [cite:438][cite:441] |
| Second Line | Risk, compliance, security, and similar functions | Provides expertise, support, monitoring, and challenge on risk-related matters; develops frameworks and policies; monitors first-line execution [cite:438][cite:441] |
| Third Line | Internal audit | Provides independent, objective assurance to the board on how well governance, risk management, and controls are working [cite:441][cite:438] |
| Governing Body | Board / oversight body | Establishes risk appetite, delegates authority, oversees all three lines, ensures accountability [cite:441] |
The updated Three Lines Model (2020) removed "of defense" from the title and shifted emphasis from "defense" to value creation and value protection — recognising that GRC contributes to achieving objectives, not just preventing bad outcomes [cite:438][cite:441]. It also no longer prescribes which specific functions belong in the second line, allowing organisations to structure roles flexibly based on their context [cite:438].
Principled Performance
Principled Performance is the unifying objective of GRC [cite:448][cite:464]:
- Reliable achievement of objectives — The organisation consistently meets its strategic, operational, financial, and compliance goals
- Addressing uncertainty — Risks are identified, assessed, and managed within defined appetite; opportunities are captured
- Acting with integrity — The organisation complies with laws and regulations, honours commitments, and operates ethically
This is not an abstract aspiration — OCEG provides measurable practices, actions, and controls decomposed from the four components (Learn, Align, Perform, Review) to operationalise Principled Performance [cite:464][cite:442].
GRC Fundamentals - Who It Applies To
GRC applies to every organisation regardless of size, industry, or jurisdiction — any entity that has objectives, faces uncertainty, and operates under obligations needs integrated governance, risk, and compliance capabilities [cite:448][cite:436].
By Organisational Type
- Large enterprises — Require formal GRC architecture with dedicated functions, technology platforms, and cross-functional coordination. Financial services, healthcare, energy, and defence face the most complex GRC requirements [cite:460][cite:463]
- Small and medium enterprises (SMEs) — Need scaled GRC capabilities appropriate to their size and complexity. The IIA Three Lines Model's flexibility allows SMEs to combine roles (e.g., compliance and risk in one function) while maintaining the principle of independent assurance [cite:438]
- Government agencies — Subject to legislative mandates, public accountability, and audit requirements that demand formal GRC structures [cite:448]
- Non-profits — Governance obligations (fiduciary duty, donor compliance, grant requirements) and risk management needs require GRC capabilities proportionate to operations [cite:448]
By Industry
| Industry | Primary GRC Drivers |
|---|---|
| Financial services | Basel III/IV, AML/BSA, SOX, CFPB, OCC CMS, SEC, FINRA, GDPR [cite:460][cite:463] |
| Healthcare | HIPAA, HITECH, FDA, OIG compliance guidance, state privacy laws [cite:460] |
| Technology | GDPR, CCPA, ISO 27001, SOC 2, EU AI Act, NIST CSF/AI RMF [cite:460] |
| Energy | NERC CIP, EPA, FERC, SOX, safety regulations [cite:460] |
| Defence/Government | CMMC, DFARS, FedRAMP, FISMA, NIST 800-171, FAR/DFAR [cite:460] |
| Manufacturing | ISO 9001, ISO 14001, ISO 45001, supply chain compliance, trade controls [cite:460] |
By Role
| Role | GRC Responsibility |
|---|---|
| Board / Governing body | Set risk appetite; oversee GRC programme; hold management accountable; approve policies [cite:441][cite:436] |
| CEO / C-suite | Integrate GRC into strategic planning and operations; allocate resources; set tone at the top [cite:436][cite:438] |
| Chief Risk Officer (CRO) | Lead enterprise risk management; maintain risk register; report to board [cite:438] |
| Chief Compliance Officer (CCO) | Lead compliance programme; manage regulatory obligations; maintain compliance management system [cite:448] |
| CISO | Manage information security risks; implement security controls; report security posture [cite:438] |
| General Counsel | Legal risk management; regulatory interpretation; enforcement response [cite:448] |
| Internal Audit | Independent assurance over GRC effectiveness; report to audit committee [cite:441] |
| Operational management | First-line risk ownership; control execution; compliance implementation [cite:438][cite:441] |
GRC Fundamentals - What It Requires - Governance Architecture
Governance provides the structure, authority, and accountability framework within which risk and compliance operate [cite:441][cite:436].
Core Governance Requirements
- Board oversight — The governing body establishes organisational objectives, defines risk appetite and tolerance, delegates authority to management, and oversees the effectiveness of the GRC system [cite:441][cite:468]
- Organisational structure — Clear reporting lines, defined roles and responsibilities, separation of duties, and authority matrices that ensure no single function operates without oversight [cite:441]
- Strategic alignment — GRC objectives must be integrated with business strategy — compliance and risk activities must support (not obstruct) the organisation's mission and objectives [cite:464][cite:436]
- Ethical culture — The governing body nurtures a culture promoting ethical behaviour and accountability. Culture is not just "tone at the top" but "mood in the middle" and "buzz at the bottom" [cite:441][cite:464]
- Information and reporting — Governing body receives timely, accurate, and relevant information on planned, actual, and expected outcomes linked to objectives and risk [cite:441]
Governance Frameworks
| Framework | Focus |
|---|---|
| OCEG Red Book | Integrated GRC governance as part of the Learn/Align/Perform/Review cycle [cite:464] |
| IIA Three Lines Model | Organisational roles and reporting structure for governance, management, and assurance [cite:441] |
| ISO 37000:2021 | Governance of organisations — principles and key practices for governing bodies [cite:308] |
| COSO 2013 | Internal control — five components including control environment (governance foundation) [cite:269] |
| King IV (South Africa) | Integrated governance covering strategy, performance, risk, compliance, and stakeholder relationships [cite:436] |
Policy Governance
Governance is operationalised through policies. A "policy on policies" (policy governance framework) defines how the organisation creates, approves, distributes, monitors, and revises its policy library [cite:378][cite:376]. See the companion oracle on Policy Management for the full lifecycle discipline [cite:376].
GRC Fundamentals - What It Requires - Risk Management
Risk management is the discipline of identifying, assessing, treating, and monitoring uncertainty that could affect the organisation's objectives — both downside threats and upside opportunities [cite:438][cite:439].
Risk Management Process (ISO 31000:2018)
- Scope, context, and criteria — Define the risk management framework's scope, understand external and internal context, and establish risk criteria (appetite, tolerance, thresholds) [cite:436]
- Risk identification — Systematically identify sources of risk, events, causes, and potential consequences across all organisational activities [cite:436]
- Risk analysis — Determine the likelihood and impact of identified risks; assess inherent risk (before controls) and residual risk (after controls) [cite:436]
- Risk evaluation — Compare risk analysis results against risk criteria to determine which risks require treatment and prioritise actions [cite:436]
- Risk treatment — Select and implement risk treatment options: avoid, mitigate (reduce likelihood/impact), transfer (insurance, outsourcing), or accept [cite:436]
- Monitoring and review — Continuously monitor risk indicators, control effectiveness, and changes in context; update assessments accordingly [cite:439]
- Communication and consultation — Ensure stakeholders are informed and engaged throughout the process [cite:436]
Enterprise Risk Management (ERM)
COSO ERM 2017 expands risk management from a compliance function to a strategic discipline integrated with strategy-setting and performance management [cite:436]. ERM requires:
- Risk appetite definition by the governing body
- Integration of risk considerations into strategic planning
- Entity-level and business-unit-level risk assessment
- Risk-adjusted performance measurement
- Risk culture embedded across the organisation [cite:436]
Risk Register
The risk register is the central repository of identified risks, their assessments, treatments, owners, and monitoring status. It serves as the primary data source for risk reporting to management and the governing body [cite:436][cite:439].
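The ISO 31000 analyse, evaluate and treat steps above, applied to a small risk register, as an added example (not text or code from OCEG, the IIA or ISO). The 1-5 likelihood/impact scale, the per-category appetite thresholds and the sample risks and controls are all constructed for illustration.

```python
"""Minimal risk register: inherent vs residual scoring, evaluated against
risk appetite. All scales, thresholds and sample data are constructed."""
from dataclasses import dataclass, field

# Constructed risk criteria: highest residual score (likelihood x impact)
# the governing body is assumed to tolerate for each risk category.
RISK_APPETITE = {"cyber": 6, "compliance": 4, "operational": 9}


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0       # points subtracted from likelihood (1-5 scale)
    impact_reduction: int = 0           # points subtracted from impact (1-5 scale)
    operating_effectively: bool = True  # outcome of the latest monitoring/testing


@dataclass
class Risk:
    risk_id: str
    category: str
    description: str
    owner: str              # first-line risk owner
    likelihood: int         # inherent likelihood, 1-5
    impact: int             # inherent impact, 1-5
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any controls are considered."""
        return self.likelihood * self.impact

    def residual(self) -> tuple:
        """Likelihood/impact after controls. A control whose test failed earns
        no credit; neither axis drops below 1 (a risk never vanishes)."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            if c.operating_effectively:
                lik -= c.likelihood_reduction
                imp -= c.impact_reduction
        return max(1, lik), max(1, imp)

    def residual_score(self) -> int:
        lik, imp = self.residual()
        return lik * imp


def evaluate(register: list) -> list:
    """Risk evaluation: compare each residual score with the appetite for its
    category and record which controls failed testing (the reason residual
    risk may have risen since the last cycle)."""
    rows = []
    for r in register:
        appetite = RISK_APPETITE[r.category]
        residual = r.residual_score()
        rows.append({
            "risk_id": r.risk_id,
            "owner": r.owner,
            "inherent": r.inherent_score(),
            "residual": residual,
            "appetite": appetite,
            "within_appetite": residual <= appetite,
            "failed_controls": [c.name for c in r.controls if not c.operating_effectively],
        })
    return rows


def treatment_required(register: list) -> list:
    """Risk ids whose residual exceeds appetite: these need a treatment
    decision (avoid, mitigate, transfer or formally accept)."""
    return [row["risk_id"] for row in evaluate(register) if not row["within_appetite"]]


# Constructed sample register (not from any real organisation).
SAMPLE_REGISTER = [
    Risk("R-01", "cyber", "Ransomware on file servers", "IT Ops", 4, 5,
         [Control("Offline backups", impact_reduction=3),
          Control("EDR on endpoints", likelihood_reduction=2)]),
    Risk("R-02", "compliance", "Missed regulatory filing deadline", "Finance", 3, 4,
         [Control("Obligations calendar", likelihood_reduction=2,
                  operating_effectively=False)]),
    Risk("R-03", "operational", "Key supplier outage", "Procurement", 2, 3),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        print(row)
    print("treatment required:", treatment_required(SAMPLE_REGISTER))
```

R-02 illustrates why monitoring feeds back into evaluation: its only control failed testing, so residual risk reverts to inherent and breaches the compliance appetite.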
GRC Fundamentals - What It Requires - Compliance Management
Compliance management ensures the organisation meets its mandatory and voluntary obligations — laws, regulations, standards, contractual commitments, and ethical codes [cite:448][cite:325].
Compliance Management System (CMS)
See the companion oracle on Compliance Management Systems for the full treatment [cite:325][cite:320]. Key requirements within the GRC context:
- Compliance obligations register — Systematic identification and cataloguing of all applicable requirements (ISO 37301 Clause 4.5) [cite:325]
- Compliance risk assessment — Assessment of the likelihood and impact of failing to meet each obligation [cite:325]
- Compliance programme — Policies, procedures, training, and controls addressing each obligation [cite:329]
- Monitoring and testing — Ongoing monitoring of compliance indicators; periodic testing of compliance controls [cite:342][cite:350]
- Audit and assurance — Independent verification that the compliance programme is effective [cite:342]
- Reporting and remediation — Communication of findings, root cause analysis, corrective action, and management reporting [cite:325]
Regulatory Change Management
The compliance function must systematically monitor, assess, and respond to changes in the regulatory environment [cite:405][cite:408]. This capability integrates with the LEARN component of the OCEG model — external context scanning that identifies changes requiring organisational response [cite:464].
GRC Fundamentals - What It Requires - Information, Technology, and Data
Effective GRC requires reliable information, appropriate technology, and data governance to support decision-making, monitoring, and reporting [cite:460][cite:439].
GRC Technology Platforms
The GRC platform market reached approximately $49–51B in 2024 and is projected to grow at 10–12% CAGR through the end of the decade [cite:463][cite:466]. Modern GRC platforms provide:
- Policy management — Centralised policy creation, approval, distribution, versioning, and attestation [cite:460]
- Risk management — Risk registers, risk assessment workflows, heat maps, treatment tracking, and reporting [cite:460]
- Compliance management — Obligations registers, compliance monitoring, evidence collection, and audit management [cite:460]
- Audit management — Audit planning, workpaper management, finding tracking, and reporting [cite:460]
- Incident and issue management — Capture, investigate, track, and remediate incidents and compliance issues [cite:460]
- Third-party risk management — Vendor assessment, due diligence, monitoring, and contract compliance [cite:460]
- Reporting and dashboards — Real-time KRI/KCI dashboards, board reporting, regulatory reporting [cite:460]
Leading platforms include IBM OpenPages, SAP Process Control, ServiceNow GRC, Archer (Archer IRM), MetricStream, Diligent, OneTrust, LogicGate, Hyperproof, and AuditBoard [cite:460][cite:463].
Cloud vs. On-Premises
Cloud-based GRC solutions held approximately 67% market share in 2025 and are growing at 14% CAGR, driven by scalability, automatic updates, and support for distributed workforces [cite:466]. On-premises solutions remain prevalent in highly regulated environments (defence, government, banking) where data residency and sovereignty requirements constrain deployment options [cite:466].
AI and Automation in GRC
AI is transforming GRC through [cite:460][cite:463]:
- Automated evidence collection — Continuous collection of compliance evidence from integrated systems
- Predictive risk analytics — ML models identifying emerging risks from patterns in operational data
- Regulatory change monitoring — NLP-powered scanning of regulatory sources with automated impact assessment
- Continuous control monitoring — Real-time testing of controls with automated exception detection
- Natural language compliance checking — LLM-powered review of policies, contracts, and documentation against regulatory requirements
The DOJ's 2024 ECCP update requires companies to assess risks associated with AI used in compliance operations — the technology must itself be governed [cite:341][cite:345].
GRC Fundamentals - What It Requires - Ethics and Culture
Ethics and culture are the foundation on which the entire GRC system rests — without a culture of integrity, policies become paper, controls become checkboxes, and compliance becomes performative [cite:464][cite:441].
Requirements
- Code of conduct — A clear statement of the organisation's ethical expectations, applicable to all personnel, officers, directors, and relevant third parties [cite:464]
- Whistleblower / speak-up programmes — Channels for reporting misconduct, protected from retaliation, with documented investigation and resolution processes [cite:341][cite:448]
- Training and awareness — Regular, role-appropriate ethics training; communication of ethical expectations; reinforcement through leadership behaviour [cite:464]
- Incentive alignment — Compensation, promotion, and recognition structures that reward ethical behaviour and compliance, and penalise misconduct. The DOJ's 2024 ECCP update specifically evaluates compensation clawback programmes [cite:341][cite:343]
- Culture assessment — Periodic measurement of organisational culture through surveys, interviews, and behavioural indicators [cite:464]
The DOJ Lens
The DOJ evaluates culture and ethics within its three-question framework, asking questions such as [cite:341][cite:345]:
- Does the company have a "culture of compliance" where employees feel empowered to raise concerns?
- Is there evidence that senior leaders model ethical behaviour?
- Are there examples of employees being disciplined for misconduct, regardless of seniority or revenue generation?
- Does the organisation actively promote its whistleblower programme and protect reporters?
GRC Fundamentals - What It Requires - Assurance and Audit
Assurance is the third line of the IIA Three Lines Model — the independent, objective evaluation of whether the GRC system is working [cite:441][cite:438].
Internal Audit Role
Internal audit provides assurance to the governing body that [cite:441]:
- Governance processes are effective
- Risk management is adequate and operating as designed
- Internal controls achieve their objectives
- Compliance processes are functioning
- Information provided to the governing body is reliable
Internal audit must maintain independence from the first and second lines — it reports functionally to the audit committee (governing body) and administratively to the CEO or equivalent [cite:441][cite:438].
Assurance Mapping
Assurance mapping (also called combined assurance) aligns the three lines across the organisation's risk universe to ensure [cite:441][cite:438]:
- No significant risk lacks assurance coverage
- There is no unnecessary duplication between first-line monitoring, second-line oversight, and third-line audit
- Gaps in assurance are identified and addressed
- The governing body has a comprehensive view of the assurance landscape
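An assurance map over a small risk universe, as an added example (not the IIA's or OCEG's own material). The risk ratings, the activities assigned to each line, and the coverage rule (a high-rated risk needs all three lines, a medium-rated risk the first two, a low-rated risk only first-line monitoring) are constructed assumptions.

```python
"""Assurance map: which line provides assurance over which risk, with gap
and duplication detection. Universe, activities and rules are constructed."""
from collections import defaultdict

# Constructed risk universe: risk id -> rating carried over from the register.
RISK_UNIVERSE = {"R-01": "high", "R-02": "high", "R-03": "medium", "R-04": "low"}

# Constructed assurance activities: (line, activity name, risk ids covered).
ASSURANCE_ACTIVITIES = [
    (1, "Daily backup job monitoring", ["R-01"]),
    (2, "Security KRI review", ["R-01"]),
    (3, "Internal audit: cyber resilience", ["R-01"]),
    (2, "Quarterly compliance control testing", ["R-02", "R-03"]),
    (1, "Supplier SLA review", ["R-04"]),
    (2, "Third-party risk monitoring", ["R-04"]),
    (3, "Internal audit: procurement", ["R-04"]),
]

# Assumed policy: lines that must provide assurance for each rating.
REQUIRED_LINES = {"high": {1, 2, 3}, "medium": {1, 2}, "low": {1}}


def build_map(universe: dict, activities: list) -> dict:
    """risk id -> {line: [activity names]}; rejects activities that claim to
    cover a risk absent from the universe (a stale register is itself a gap)."""
    amap = {rid: defaultdict(list) for rid in universe}
    for line, name, risks in activities:
        for rid in risks:
            if rid not in amap:
                raise ValueError(f"activity '{name}' references unknown risk {rid}")
            amap[rid][line].append(name)
    return amap


def find_gaps(universe: dict, activities: list) -> dict:
    """Risks missing a required line: risk id -> sorted missing line numbers."""
    amap = build_map(universe, activities)
    gaps = {}
    for rid, rating in universe.items():
        missing = sorted(REQUIRED_LINES[rating] - set(amap[rid]))
        if missing:
            gaps[rid] = missing
    return gaps


def find_duplication(universe: dict, activities: list) -> list:
    """Low-rated risks assured by all three lines: candidates for rationalising
    effort rather than a control weakness."""
    amap = build_map(universe, activities)
    return [rid for rid, rating in universe.items()
            if rating == "low" and {1, 2, 3} <= set(amap[rid])]


def uncovered(universe: dict, activities: list) -> list:
    """Risks with no assurance activity from any line."""
    amap = build_map(universe, activities)
    return [rid for rid in universe if not amap[rid]]


if __name__ == "__main__":
    print("gaps:", find_gaps(RISK_UNIVERSE, ASSURANCE_ACTIVITIES))
    print("duplication:", find_duplication(RISK_UNIVERSE, ASSURANCE_ACTIVITIES))
    print("uncovered:", uncovered(RISK_UNIVERSE, ASSURANCE_ACTIVITIES))
```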
External Assurance
External assurance providers include [cite:448]:
- External financial auditors (SOX, financial reporting)
- Certification auditors (ISO 27001, ISO 37301, ISO 9001)
- Regulatory examiners (OCC, CFPB, FDIC, SEC)
- Specialist assessors (SOC 2, PCI DSS QSA, HITRUST)
GRC Fundamentals - GRC Maturity Model
GRC maturity models assess how well an organisation integrates and operationalises its governance, risk, and compliance capabilities [cite:459][cite:462].
Five Maturity Levels
| Level | Name | Characteristics |
|---|---|---|
| 1 | Ad Hoc / Initial | GRC processes are informal, reactive, and undocumented. Functions operate in silos. No defined risk appetite. Compliance is reactive to findings and incidents [cite:459][cite:462] |
| 2 | Developing / Repeatable | Organisation recognises the need for structured GRC. Some policies and procedures exist but are inconsistent. GRC activities are more proactive but still siloed [cite:459][cite:462] |
| 3 | Defined / Standardised | Formal GRC policies and procedures are in place and communicated. Risk management framework guides decision-making. Cross-functional teams collaborate on GRC. Regular audits and automated tools support operations [cite:459][cite:462] |
| 4 | Managed / Quantitative | GRC processes are integrated and aligned with business objectives. Real-time monitoring of risk indicators. Data and analytics support decision-making. Continuous improvement is embedded. GRC metrics are integrated into business performance metrics [cite:459][cite:462] |
| 5 | Optimised / Innovative | GRC processes are fully integrated and strategically aligned. Predictive analytics provide forward-looking insights. Agile response to regulatory and risk changes. Organisation-wide culture of compliance and risk management. GRC drives business strategy and competitive advantage [cite:459][cite:462] |
Assessment Criteria
GRC maturity assessment evaluates across multiple dimensions [cite:459][cite:462]:
- Integration — How well governance, risk, and compliance activities are coordinated
- Culture — The extent to which GRC is embedded in organisational culture
- Information and technology — The use of technology to support GRC activities
- Performance management — How effectively the organisation measures and manages GRC performance
- Stakeholder engagement — The degree to which stakeholders are informed and involved
- Continuous improvement — The presence of feedback loops and improvement mechanisms
GRC Fundamentals - Governance Implications
GRC is, by definition, a governance discipline — it exists to enable the governing body to direct, evaluate, and monitor the organisation's achievement of objectives, management of uncertainty, and maintenance of integrity [cite:441][cite:464].
Ontic BOM Mapping
- model — AI/ML models used in GRC operations (risk scoring, compliance screening, anomaly detection, predictive analytics) are themselves GRC-governed artefacts. Model governance (validation, bias testing, change management, performance monitoring) must follow GRC disciplines. The DOJ's 2024 ECCP explicitly requires AI risk governance [cite:341][cite:345]
- oracle — Regulatory databases, risk intelligence feeds, compliance obligations registers, sanctions lists, and authoritative reference data are the information foundation of GRC. Their accuracy, completeness, currency, and integrity directly determine GRC effectiveness [cite:464][cite:325]
- ontology — The GRC taxonomy (risk categories, control types, compliance domains, evidence classifications, maturity levels, reporting categories) enables cross-framework mapping, consistent reporting, and automated compliance checking. OCEG's GRC Glossary in the Red Book standardises GRC terminology [cite:470][cite:464]
- system_prompt — For AI systems operating within GRC workflows, prompt configurations that implement governance rules (screening criteria, escalation thresholds, decision boundaries) are GRC artefacts subject to versioning, approval, testing, and audit trails [cite:341][cite:345]
- gate — GRC creates decision gates throughout the organisation: risk assessment before product launch, compliance review before contract execution, audit clearance before system deployment, board approval before strategy change. These gates implement the ALIGN component's requirement that actions align with strategy, values, and requirements [cite:464]
- security — Information security is both a GRC domain (governed by CISO under second-line functions) and a GRC enabler (protecting GRC data, evidence, and systems). ISO 27001 provides the ISMS framework; NIST CSF provides the risk-based cybersecurity framework. Both operate within the broader GRC architecture [cite:438][cite:460]
- signed_client — Regulatory filings, audit reports, board minutes, policy attestations, and compliance certifications require authenticated, non-repudiable signatures. Digital signature infrastructure supports GRC audit trail integrity and accountability [cite:441]
E/A/D Axis Integration
| E/A/D Axis | GRC Component | Hallmarks | Evidence |
|---|---|---|---|
| Ethical (E) | OCEG Principled Performance, Ethics & Culture, IIA Three Lines ethical standards, GOVERN component | Integrity is the objective — not just compliance; culture assessment, stakeholder engagement, DEIA integration, ethical decision-making frameworks embedded in operations | Culture survey results, ethics programme metrics, stakeholder engagement records, DEIA programme documentation, tone-at-the-top communications [cite:464][cite:441] |
| Accountable (A) | Governance Architecture, Risk Management, Compliance Management, ALIGN/PERFORM components | Integrated governance structure with defined roles (Three Lines Model), risk-based decision-making, obligation mapping, performance measurement against objectives | Governance charters, risk registers, obligation registers, Three Lines documentation, performance dashboards, compliance programme documentation [cite:464][cite:470] |
| Defensible (D) | Assurance & Audit, Maturity Model, REVIEW component, integrated reporting | Independent assurance over governance effectiveness, maturity assessment creating improvement trajectory, integrated reporting demonstrating control environment health | Internal audit reports, maturity assessment results, integrated assurance maps, board reporting packages, external audit opinions, regulatory examination responses [cite:448][cite:464] |
GRC Fundamentals - Enforcement Penalties
GRC is not directly enforced — it is the capability framework that enables compliance with enforceable laws, regulations, and standards. GRC failures manifest as regulatory enforcement actions, legal liability, and financial and reputational damage across the specific frameworks that apply to the organisation [cite:448][cite:439].
Consequences of GRC Failure
| Dimension | Consequence |
|---|---|
| Regulatory enforcement | Fines, consent orders, cease-and-desist orders, licence revocation, activity restrictions [cite:460] |
| Criminal prosecution | DOJ criminal enforcement against corporations and individuals; effectiveness of compliance programme (ECCP) directly influences charging decisions and penalties [cite:341][cite:345] |
| Financial loss | Restitution, disgorgement, litigation settlements, insurance premium increases [cite:460] |
| Operational disruption | Mandated remediation programmes, imposed monitors, activity restrictions [cite:341] |
| Reputational damage | Loss of customer/investor confidence, stock price decline, talent attrition [cite:448] |
| Certification loss | Suspension or revocation of ISO certifications, SOC reports, PCI compliance [cite:460] |
The Cost of Siloed GRC
OCEG's research quantifies the "trillion-dollar problem" caused by unprincipled conduct — the aggregate cost of fraud, waste, abuse, misconduct, regulatory penalties, and operational failures attributable to inadequate GRC integration [cite:464][cite:470]. Organisations with mature, integrated GRC programmes experience measurably lower compliance costs, faster regulatory response, fewer incidents, and better risk-adjusted performance [cite:448][cite:462].
GRC Fundamentals - Intersection With Other Frameworks
GRC is the meta-framework — it is the integrating architecture within which specific governance, risk, and compliance frameworks operate [cite:448][cite:464].
Framework Mapping
| Framework | GRC Role | Integration Point |
|---|---|---|
| OCEG Red Book 3.5 | The definitive GRC capability model; Learn/Align/Perform/Review cycle [cite:464] | Primary GRC architecture |
| IIA Three Lines Model | Organisational structure for GRC roles and assurance [cite:441] | First/second/third line role assignment |
| COSO 2013 (Internal Control) | Five-component internal control framework; governance and control activities [cite:269] | Control environment, risk assessment, control activities, I&C, monitoring |
| COSO ERM 2017 | Enterprise risk management integrated with strategy and performance [cite:436] | Risk appetite, strategic risk assessment, risk-adjusted performance |
| ISO 31000:2018 | Risk management principles and process [cite:436] | Risk management methodology within GRC |
| ISO 37301:2021 | Compliance management system (certifiable) [cite:325] | Compliance pillar of GRC |
| ISO 27001:2022 | Information security management system [cite:406] | IT/cyber risk and compliance domain |
| COBIT 2019 | IT governance and management framework [cite:420] | IT governance pillar |
| ISO 37001:2016 | Anti-bribery management system [cite:331] | Ethics and anti-corruption compliance domain |
| ISO 37000:2021 | Governance of organisations [cite:308] | Governance pillar principles |
| NIST CSF 2.0 | Cybersecurity risk management [cite:460] | Cybersecurity risk domain |
| DOJ ECCP | Evaluation of corporate compliance programmes [cite:341] | Compliance programme effectiveness benchmark |
| SOX | Financial reporting controls and governance [cite:374] | Financial governance and ICFR domain |
| Basel III/IV | Banking capital adequacy, risk, and governance [cite:460] | Financial services risk and governance |
Integration Architecture
The GRC capability model serves as the integration layer [cite:464][cite:448]:
- Shared risk taxonomy — Common risk categories used across all frameworks
- Common control framework — Controls mapped to multiple regulatory requirements, tested once and reported to many
- Unified policy library — Policies addressing requirements from multiple frameworks simultaneously
- Integrated technology platform — GRC tools connecting risk, compliance, audit, and policy management
- Consolidated reporting — Board-level dashboards aggregating risk, compliance, and performance data across frameworks
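The common control framework's "tested once, reported to many" idea as an added example (not any GRC vendor's or framework's code). The framework names match those on the page, but the requirement identifiers, control library and test results are constructed placeholders, not real clause numbers.

```python
"""Common control framework: one control maps to requirements in several
frameworks, so one test result propagates to every framework report.
Controls, requirement ids and test results are constructed."""
from collections import defaultdict

# Constructed control library: control id -> description.
CONTROLS = {
    "CC-01": "MFA enforced for all workforce accounts",
    "CC-02": "Quarterly user access review",
    "CC-03": "Backups encrypted and restore-tested",
}

# Constructed mapping: control id -> placeholder requirement ids it satisfies.
CONTROL_MAP = {
    "CC-01": ["ISO27001-REQ-A", "SOC2-REQ-A", "NISTCSF-REQ-A"],
    "CC-02": ["ISO27001-REQ-B", "SOC2-REQ-B", "SOX-REQ-A"],
    "CC-03": ["ISO27001-REQ-C", "NISTCSF-REQ-B"],
}

# Constructed obligations register: framework -> every requirement in scope.
FRAMEWORK_REQUIREMENTS = {
    "ISO 27001": ["ISO27001-REQ-A", "ISO27001-REQ-B", "ISO27001-REQ-C"],
    "SOC 2": ["SOC2-REQ-A", "SOC2-REQ-B", "SOC2-REQ-C"],
    "NIST CSF": ["NISTCSF-REQ-A", "NISTCSF-REQ-B"],
    "SOX": ["SOX-REQ-A"],
}

# Constructed results of one testing cycle: control id -> passed?
TEST_RESULTS = {"CC-01": True, "CC-02": False, "CC-03": True}


def controls_for_requirement(control_map: dict) -> dict:
    """Invert the control map: requirement id -> controls that satisfy it."""
    inv = defaultdict(list)
    for ctrl, reqs in control_map.items():
        for req in reqs:
            inv[req].append(ctrl)
    return inv


def requirement_status(req: str, control_map: dict, results: dict) -> str:
    """pass / fail / untested / unmapped for one requirement. A requirement
    passes only if every control mapped to it passed."""
    ctrls = controls_for_requirement(control_map).get(req, [])
    if not ctrls:
        return "unmapped"
    if any(c not in results for c in ctrls):
        return "untested"
    return "pass" if all(results[c] for c in ctrls) else "fail"


def framework_report(frameworks: dict, control_map: dict, results: dict) -> dict:
    """Per-framework counts and failing requirements derived from one test cycle."""
    report = {}
    for fw, reqs in frameworks.items():
        statuses = {r: requirement_status(r, control_map, results) for r in reqs}
        report[fw] = {
            "pass": sum(s == "pass" for s in statuses.values()),
            "fail": sum(s == "fail" for s in statuses.values()),
            "untested": sum(s == "untested" for s in statuses.values()),
            "unmapped": sum(s == "unmapped" for s in statuses.values()),
            "failing": [r for r, s in statuses.items() if s == "fail"],
        }
    return report


def unmapped_requirements(frameworks: dict, control_map: dict) -> list:
    """Obligations with no control behind them: a compliance gap, not a test failure."""
    inv = controls_for_requirement(control_map)
    return [r for reqs in frameworks.values() for r in reqs if r not in inv]


def affected_frameworks(control_id: str, frameworks: dict, control_map: dict) -> list:
    """Frameworks whose reports change when this one control's result changes."""
    mapped = set(control_map.get(control_id, []))
    return [fw for fw, reqs in frameworks.items() if mapped & set(reqs)]


if __name__ == "__main__":
    for fw, row in framework_report(FRAMEWORK_REQUIREMENTS, CONTROL_MAP, TEST_RESULTS).items():
        print(fw, row)
    print("unmapped:", unmapped_requirements(FRAMEWORK_REQUIREMENTS, CONTROL_MAP))
    print("CC-02 affects:", affected_frameworks("CC-02", FRAMEWORK_REQUIREMENTS, CONTROL_MAP))
```

The single failed access-review test (CC-02) surfaces in three framework reports at once, while SOC2-REQ-C shows up as unmapped rather than silently passing.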
GRC Fundamentals - Recent Updates
OCEG GRC Capability Model 3.5 (2023)
The latest Red Book release focused on three objectives: simplifying, clarifying, and augmenting the model [cite:470][cite:464]:
- Simplified content structure for improved accessibility and navigation
- Updated GRC Concepts section reflecting the evolving business landscape
- New concepts, models, and practices reflecting current GRC ecosystem developments
- Digital-first publication leveraging new technologies for efficient implementation
- 90+ tools and techniques in the Premium Edition's appendix [cite:464]
IIA Three Lines Model (2020)
The IIA's update from "Three Lines of Defence" to "Three Lines Model" [cite:438][cite:441]:
- Removed "defence" — emphasising value creation alongside value protection
- Flexible role assignment — no longer prescribes specific functions per line
- Applicable to organisations of all sizes — including smaller organisations without mature compliance functions
- Greater emphasis on governing body accountability and stakeholder engagement
DOJ ECCP Update (September 2024)
Three major additions with direct GRC implications [cite:341][cite:345]:
- AI and emerging technology risk governance — Companies must have governance frameworks guiding AI use in commercial operations and compliance programmes
- Whistleblower programme enhancement — Active promotion, retaliation protection, Corporate Whistleblower Awards Pilot Program
- Compliance function resourcing — Compliance must have access to the same data and technology as business units
GRC Platform Market (2024–2026)
The global GRC platform market is valued at approximately $49–51B (2024) and projected to reach $93–128B by 2031–2033 at 10–12% CAGR [cite:463][cite:466]:
- Cloud-based deployments growing at 14% CAGR (67% market share in 2025) [cite:466]
- AI-driven risk analytics and continuous monitoring are the primary innovation vectors [cite:460][cite:463]
- Financial services, healthcare, and energy lead adoption; SME segment growing rapidly [cite:460]
- Vendor consolidation creating integrated platforms replacing point solutions [cite:460][cite:466]
- Forrester's Q4 2025 landscape report notes GRC platforms "entering their grad school era" — maturing from compliance tracking tools to strategic risk intelligence platforms [cite:469]