GRC, Compliance, and CSR are all highly-relevant and valuable topics for companies today. Often, these terms are not always clear and the distinction between them may not be easy to understand.

How Are GRC and Compliance Related?

GRC stands for “Governance, Risk Management, and Compliance“, a generic term encompassing various leadership functions within a company.

  • Governance speaks to internal corporate leadership measures, which focus strongly on aligning and achieving corporate goals.
  • Risk management pinpoints and analyzes risks that might jeopardize corporate goals.
  • Compliance addresses external regulations and laws that serve as obligatory guidelines for companies. However, companies supplement these external guidelines with additional internal policies and ethics standards.


Governance, Risk Management, and Compliance may be distinct areas of practice, however, they are never isolated from one another – ideally, they work in concert together.

Why has GRC become increasingly important?

GRC has long been a part of corporate consciousness. And yet, the term has gained importance due to economic scandals in the recent past. A stark increase in regulations — for example, the new Market Abuse Regulation (MAR) — has introduced strict guidelines for the European capital markets. Many GRC initiatives are largely an answer to the modern effects of globalization. Our financial markets and institutions have become increasingly intertwined, requiring a transparency of information and data flows. A more stringent regulatory environment has also resulted in stronger sanctions and penalties imposed by regulators, which has clearly highlighted the importance of risk management and governance initiatives. By adhering to national and international compliance requirements, companies can minimize their risk exposure as they work toward achieving their corporate goals.

How are CSR and Compliance different?

Compliance discussions often touch on the term “Corporate Social Responsibility” (CSR). CSR is a form of self-regulation where corporate measures and guidelines are designed to help companies create positive social impacts – on their environment, stakeholders, and consumers (among others). However, these are voluntary measures. Corporations therefore may see CSR as internally-facing, while Compliance ensures adherence to external regulations. CSR is more intrinsically motivated: a company sees itself as a part of a larger societal framework and correspondingly assumes responsibility towards that society. An effective approach to CSR may also enhances a company’s reputation, which is always good business.


CSR and Compliance are often discussed in the same breath – effective Compliance measures are often credited with spillover positive effects on society. One example of Compliance policies that create clear societal benefits are regulations requiring the operation of whistleblowing systems. This helps the prevention of corruption and manipulation. Of course, a key difference between Compliance and CSR is their scope of regulation — companies are legally obligated to follow regulations. Full regulatory compliance results in risk minimization, a prime goal of companies. By contrast, CSR is less regulated and often less quantifiable, requiring companies to voluntarily contribute and work towards the well-being of society.

Finally, we can’t discuss CSR without touching on ESG, which stands for ”Environmental, Social, and Governance“. ESG is a financial markets metric used by investors to measure how companies perform their corporate activities, socially and environmentally. In terms of long-term strategy, CSR and ESG have many building blocks that may have overlap, such as seeing corporate effects on consumers, supply chains, environments, and operations. As a testament to recent traction in the ESG movement, companies listed on the Hong Kong exchange must now disclose certain ESG metrics to comply with regulations. ESG metrics can be seen as one of many measures of a company’s valuation (and affect their cost of capital) and can also help teams assess and manage potential industry risks.

Related blog posts

Back to home