08. Defining GRC Roles

ND545 C4 L1 06 Defining GRC Roles Video

Governance, Risk, and Compliance functions do not just operate as separate functions with specific goals. Each function can also represent a separate employee role. In fact, in larger organizations, there are generally full departments dedicated to each role.

Governance professionals, for instance, are responsible for two major tasks:

  • They act as a bridge between security and the organization
  • They ensure the effectiveness of existing security controls

Risk professionals are responsible for:

  • Identifying security risks to the organization
  • Working with stakeholders to treat the risk

Compliance professionals are responsible for:

  • Ensuring that the organization is complying with security compliance obligations
  • Working with stakeholders to remediate compliance failure

While each of these roles has a part to play in developing a healthy cybersecurity practice, they do not typically operate security controls themselves. Because these roles provide oversight and direction for security, the principle of segregation of duties dictates that GRC professionals normally stay hands-off with respect to the controls they oversee. The principle of segregation of duties says that employees responsible for maintaining controls should not also be in a position to provide oversight of those same controls.