A Frame of Reference for Research of Integrated Governance, Risk and Compliance (GRC)

  • Nicolas Racz
  • Edgar Weippl
  • Andreas Seufert
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6109)


Governance, Risk and Compliance (GRC) is an emerging topic in the business and information technology world. However, to this day the concept behind the acronym has neither been adequately researched, nor is there a common understanding of it among professionals. The research at hand provides a frame of reference for research on integrated GRC, derived from the first scientifically grounded definition of the term. By means of a literature review the authors merge their own observations, an analysis of existing definitions and the results of prior surveys into the derivation of a single-phrase definition. The definition is evaluated and refined through a survey among GRC professionals. Finally, a frame of reference for GRC research is constructed.


Keywords: governance, risk, compliance, GRC, integrated, definition



Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Nicolas Racz (1)
  • Edgar Weippl (1)
  • Andreas Seufert (2)
  1. Institute for Software Technology and Interactive Systems, TU Vienna, Vienna, Austria
  2. Institut für Business Intelligence, Steinbeis Hochschule Berlin, Berlin, Germany