GRC is the typical jargon used when we talk about the cybersecurity posture of an organization.
Risks, whether in the cyber, technology, operational, financial or political domains, always exist and they are all correlated. There is no zero-risk business operation; the question is how to reduce the likelihood effectively and optimally.
Then the compliance part comes into play. This refers to following the organization's written policy so that the business is run reasonably, in a manner that reduces risk.
Finally, governance is the organization's capability to administer and enforce that all business activities follow the written policy; otherwise the policy is just a document on the bookshelf.
The entire GRC framework is dynamic. Written policies will need refreshing:
- To adopt new ways of doing business (e.g. use of social media as a point of presence or for customer relations in cyberspace)
- To facilitate a changing business environment (say, working from home due to a pandemic, or providing guest Wi-Fi for visitors)
- And, most importantly, to address the emerging cyber threat landscape.