The IIA Standards define governance as "the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward achievement of its objectives." (The Institute of Internal Auditors, International Standards for the Professional Practice of Internal Auditing)
The Open Compliance & Ethics Group (OCEG) defines governance as "the culture, values, mission, structure and layers of policies, processes and measures by which organizations are directed and controlled."
OCEG defines Governance, Risk & Compliance (GRC) as "a capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity." Reliability implies intentional and sustainable achievement of objectives.
"Both governance, risk and compliance (GRC) and enterprise risk management (ERM) are aimed at ensuring all risks facing an organization are identified, analyzed, and quantified. However, there are critical differences. ERM provides a methodology for managing the entire range of risks, and is the measurement and qualification of risk, as well as the establishment of individual risk ownership. GRC provides a larger, overarching framework and philosophy for communicating around governance and compliance risks by leveraging technology for reporting mechanisms such as dashboards. This technology centralizes and organizes things such as policies, procedures, documentation requirements, and risk assessments. In essence, GRC encompasses ERM." (Treasury and Risk, June 2007)