GRC, which stands for Governance, Risk, and Compliance, is a management framework proposed by industry organisations at the international level. The term was first formally used in 2007 by Forrester Research in the United States. In the same year, OCEG (the Open Compliance and Ethics Group) published the GRC Capability Model Red Book, defining and examining governance, risk, and compliance as an integrated whole.
In China, the State-owned Assets Supervision and Administration Commission (SASAC) employs a different terminology: compliance management, internal control, risk management, corporate governance, audit supervision, legal dispute management, performance evaluation, and penetrative supervision. Within the context of Chinese central enterprises, the GRC framework encompasses eight components:

| Component | Issue Addressed |
|---|---|
| Compliance Management | Legality and regulatory adherence |
| Internal Control | Correct and reliable process execution |
| Corporate Governance | Decision-making authority and responsibility |
| Risk Management | Identification and mitigation of uncertainties |
| Audit Supervision | Independent verification and evaluation |
| Legal Dispute Management | Management of litigation and arbitration |
| Performance Evaluation | Assessment of business performance |
| Penetrative Supervision | Multi-level, full-chain operational oversight |

In practice, however, the greatest challenge does not lie in the underperformance of any single component but in the lack of connectivity between components, resulting in siloed operations. GRC addresses precisely this issue. It is not intended to replace any individual component, but to provide a top-level perspective, enabling all eight components to operate in coordination under unified logic, data, and systems.
In short, GRC does not introduce a new task; rather, it establishes a shared “chessboard” for existing activities, allowing the components to work collaboratively and optimise as a whole.
By Linda Yang, Senior Consultant