A Conceptual Model for Integrated Governance, Risk and Compliance

  • Pedro Vicente
  • Miguel Mira da Silva
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6741)


As integrated Governance, Risk and Compliance (GRC) becomes one of the most important business requirements in organizations, the market is incongruously struggling to satisfy organizations’ needs. The absence of scientific references regarding GRC is leading to a dispersion of concepts involving this topic. Without boundaries and correct domain definition, poor implementation of GRC solutions can lead to low performances and high vulnerabilities for organizations. This paper proposes a set of high level concepts covering the GRC domain. Through literature review and framework research we propose key functions of governance, risk and compliance and their associations, resulting in a reference conceptual model for integrated GRC. The model was evaluated by comparing the GRC capability model from OCEG with a quality model evaluation framework. We concluded that the proposed model is valid and complete.


governance risk compliance conceptual model integrated 


  1. 1.
    PricewaterhouseCoopers: 8th annual global CEO survey (2004),
  2. 2.
    Racz, N., Weippl, E., Seufert, A.: A Frame of Reference for Research of Integrated Governance, Risk and Compliance (GRC). In: De Decker, B., Schaumüller-Bichl, I. (eds.) CMS 2010. LNCS, vol. 6109, pp. 106–117. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  3. 3.
    Hagerty, J., Kraus, B.: GRC in 2010: $29.8B in Spending Sparked by Risk, Visibility, and Efficiency (2009)Google Scholar
  4. 4.
    Racz, N., Weippl, E., Seufert, A.: Governance, Risk & Compliance (GRC) Software An Exploratory Study of Software Vendor and Market Research Perspectives. In: Proceedings of the 44th Hawaii International Conference on System Sciences (2011)Google Scholar
  5. 5.
    Gill, S., Purushottam, U.: Integrated GRC - Is your Organization Ready to Move? In: Governance, Risk and Compliance. SETLabs Briefings, PP. 37–46 (2008)Google Scholar
  6. 6.
    Moody, D.L., Shanks, G.G.: Improving the Quality of Data Models: Empirical Validation of a Quality Management Framework. Inf. Syst. 28, 619–650 (2003)CrossRefzbMATHGoogle Scholar
  7. 7.
    Frank, U.: Conceptual Modelling as the Core of the Information Systems Discipline: Perspectives and Epistemological Challenges. In: Proceedings of the Fifth America’s Conference on Information Systems (AMCIS 1999), Milwaukee, Association for Information Systems, pp. 695–698 (1999)Google Scholar
  8. 8.
    Recker, J.C.: Conceptual Model Evaluation. Towards more Paradigmatic Rigor. In: Halpin, T., Siau, K., Krogstie, J. (eds.) Proceedings of the Workshop on Evaluating Modeling Methods for Systems Analysis and Design (EMMSAD 2005), Held in Conjunctiun with the 17th Conference on Advanced Information Systems (CAiSE 2005), Porto, Portugal, EU, FEUP (2005)Google Scholar
  9. 9.
    Jeusfeld, M.A., Jarke, M., Nissen, H.W., Staudt, M.: ConceptBase: Managing Conceptual Models about Information Systems. In: Bernus, P., Mertins, K., Schmidt, G. (eds.) Handbook on Architectures of Information Systems. International Handbooks Information System, pp. 273–294. Springer, Heidelberg (2006)Google Scholar
  10. 10.
    Schermann, M., Böhmann, T., Krcmar, H.: Explicating Design Theories with Conceptual Models: Towards a Theoretical Role of Reference Models. In: Becker, J., Krcmar, H., Niehaves, B. (eds.) Wissenschaftstheorie und Gestaltungsorientierte Wirtschaftsinformatik, pp. 175–194. Physica-Verlag, HD (2009)CrossRefGoogle Scholar
  11. 11.
    Schon, D.A.: The reflective practitioner: how professionals think in action. Basic Books, New York (1983)Google Scholar
  12. 12.
    Simon, H.A.: The Sciences of the Artificial - 3rd Edition, 3rd edn. The MIT Press, Cambridge (1996)Google Scholar
  13. 13.
    Shanks, G., Tansley, E., Weber, R.: Using Ontology to Validate Conceptual Models. Commun. ACM 46, 85–89 (2003)CrossRefGoogle Scholar
  14. 14.
    Järvelin, K., Wilson, T.D.: On Conceptual Models for Information Seeking and Retrieval Research. Information Research 9 (2003)Google Scholar
  15. 15.
    OCEG: GRC Capability Model (2009),
  16. 16.
    March, S.T., Smith, G.F.: Design and natural science research on information technology. Decis. Support Syst. 15, 251–266 (1995)CrossRefGoogle Scholar
  17. 17.
    Hevner, A.R., March, S.T., Park, J., Ram, S.: Design Science in Information Systems Research. MIS Quarterly 28, 75–106 (2004)Google Scholar
  18. 18.
    Vaishnavi, V.K., Kuechler, W.: Design Science Research Methods and Patterns: Innovating Information and Communication Technology, 1st edn. Auerbach Publications, Boca Raton (2008)Google Scholar
  19. 19.
    Moody, D.L., Sindre, G., Brasethvik, T., Sølvberg, A.: Evaluating the Quality of Information Models: Empirical Testing of a Conceptual Model Quality Framework. In: Proceedings of the 25th International Conference on Software Engineering. ICSE 2003, pp. 295–305. IEEE Computer Society, Los Alamitos (2003)Google Scholar
  20. 20.
    Calvanese, D., de Giacomo, G., Lenzerini, M., Nardi, D., Rosati, R.: Information Integration: Conceptual Modeling and Reasoning Support. In: IFCIS International Conference on Cooperative Information Systems, P. 280 (1998)Google Scholar
  21. 21.
    Mitchell, S.L.: GRC360: A Framework to help Organisations drive Principled Performance. International Journal of Disclosure and Governance 4, 279–296 (2007)CrossRefGoogle Scholar
  22. 22.
    Tarantino, A.: Governance, Risk and Compliance Handbook: Technology, Finance, Environmental and International Guidance and Best Practices. John Wiley & Sons, Hoboken (2008)CrossRefGoogle Scholar
  23. 23.
    Rasmussen, M.: Defining a Policy Management Lifecycle. (2010),
  24. 24.
    Chatterjee, A., Milam, D.: Gaining Competitive Advantage from Compliance and Risk Management. In: Pantaleo, D., Pal, N. (eds.) From Strategy to Execution, pp. 167–183. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  25. 25.
    Brache, A.P.: How Organizations Work: Taking a Holistic Approach to Enterprise Health. Wiley, Chichester (2001)Google Scholar
  26. 26.
    Rasmussen, M.: Achieve GRC Value: Efficient Business Process and Application Monitoring (2010),

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Pedro Vicente
    • 1
  • Miguel Mira da Silva
    • 1
  1. 1.Instituto Superior TécnicoUniversidade Técnica de LisboaLisboaPortugal

Personalised recommendations