Governance, Risk Management and Compliance

What is the difference between Governance, Risk Management, and Compliance?

They have become accepted terms that describe similar, related actions and procedures within an organisation.

The three terms are closely related, and businesses increasingly integrate and align them wherever practically possible so as to avoid conflicts, wastefulness and gaps.

Organisations typically interpret the three terms differently. Differences in interpretation also occur across divergent international jurisdictions.

Generally, the terms relate to activities such as corporate governance, enterprise risk management and corporate compliance with applicable laws and regulations.

The application of good governance, effective risk management and compliance with laws and regulations is contributing to a new way of working, in which businesses adopt an integrated approach to management.

To illustrate the difference between governance, risk management and compliance the terms have been broken down into their core purposes.

Governance

  1. The overall management approach through which senior executives ethically direct and control an organisation.
  2. Integrates management information reporting with management control structures.
  3. Governance ensures that important information reaches the proper organisational level and that it is complete, correct and timely, thus allowing for management decision-making.
  4. Instills control mechanisms to make sure that strategies, directions and instructions from management are carried out systematically and effectively.

Risk management

  1. Processes through which management identifies, analyses and where necessary responds to risks that may derail the organisation’s business goals.
  2. The response to a risk depends on its perceived gravity and involves controlling, avoiding, accepting or transferring the risk to a third party.
  3. Organisations manage their exposure to a range of risks (e.g. technology risk, financial risk, information security risk etc.).
  4. Currently it is arguable that legal and regulatory compliance risks are the most important for organisations.

Compliance

  1. Conforming to stated requirements.
  2. Compliance is achieved through processes that identify certain requirements in laws, regulations, contracts, strategies and policies.
  3. Assessments determine the extent of compliance and take account of the potential costs of non-compliance versus the projected cost incurred to achieve compliance.
  4. Prioritize, fund and start any corrective actions deemed necessary.

Governance, risk management and compliance are not recent inventions, but in the United States the promulgation of the Sarbanes-Oxley Act was the catalyst for interest in them. Once the Act was introduced, listed companies became obligated to comply with its provisions and to design and carry out suitable governance controls in order to do so.

Governance, risk management and compliance have however since shifted significantly towards adding business value by improving operational decision-making and strategic planning.


  1. I guess finding useful, reliable information on the internet isn’t hopeless after all.

  2. Thank you for explaining the difference between the three terms.
    The question that pops into my mind is whether or not the application of a GRC system obviates the need for a risk management system?
