Understanding the history of GRC is straightforward, and many of us may already have googled it and been drawn deeper into the subject. Let's examine that history now. It is well known that governance, risk and compliance have existed for centuries. However, it took some time for the acronym to be defined: that happened in the middle of the 2000s, approximately 20 years ago.

The question then becomes: how did organisations manage without GRC? Without a doubt, they had a hard time, since most of the work was done manually rather than through automation. It is comparable to how we organised our lives back in the day, before social media, telephones and other electronic gadgets.

According to several stories I read, I understand that there were just a few significant participants in the market when governance, risk and compliance platforms began to "take off" in the middle of the 2000s. Whether it was risk management, controls, or policies, they mainly concentrated on IT. Additionally, SOX and its wide range of financial reporting requirements quickly evolved into platform offerings due to the Enron and WorldCom crises.    

As the market began to grow, several technologies were created to support GRC, and most of them automated the GRC process. GRC itself, however, is about the process rather than the technology. ServiceNow, which serves as the heart of the InMorphis organisation, is one of the technologies that helped automate the GRC process.

Father of GRC

We must keep GRC's creator in mind whenever we discuss it. Michael Rasmussen, a pioneer in education, research, analysis, and advisory services, is the person behind GRC. He keeps an eye on the issues and developments affecting corporate governance, enterprise risk management, and compliance roles in the workplace (GRC).

Michael is regarded as the "Father of governance, risk and compliance" because, while working at Forrester in February 2002, he was the first to identify and model the GRC market. His goal was to establish a GRC process that is clear, efficient, consistent, and sustainable for the organisation.

Technology History for GRC 

As we all know, pundit Michael Rasmussen coined the term governance, risk and compliance almost 20 years ago. Since then, GRC has focused on a variety of topics such as risks, controls, and other aspects of an organization's operations.

GRC 1.0 focused primarily on Sarbanes-Oxley (SOX), which improves the accuracy and reliability of corporate disclosures under the securities laws, and for other purposes. As technology grew, many organisations started moving from GRC 1.0 towards GRC 4.0.

Let's look at how GRC evolved from GRC 1.0 to GRC 5.0, from 2002 to date:

  • 2002-2007 (SOX Captivity) – This was the period in which GRC was shaped, and GRC 1.0 was leading. It was defined as the integrated view of the objectives' risk, controls, and policies. However, for a few years, the focus was on Sarbanes-Oxley (SOX) and internal controls over financial reporting.
  • 2007-2012 (Enterprise GRC) – This was the period in which GRC 2.0 was leading; by this time, technology was maturing and growing too. As the technology advanced, the enterprise view of risk, control and policies was developed, so that multiple departments could work off a common information and technology architecture to manage risk, control, policies, audit, compliance and assessments.
  • 2012-2017 (GRC Architecture) – This phase mainly falls under GRC 3.0. With this evolution, the GRC system was integrated with other business systems, and a GRC architecture was built to integrate GRC initiatives.
  • 2017-2021 (Agile GRC) – This should be our current stage of GRC, with which most organisations are in line. Agile GRC was born of the need to design a configurable GRC technology solution that could be customised to the requirements of an organisation.
  • 2021 to the current day (Cognitive GRC) – This phase is mainly GRC 5.0. This version not only facilitates compliance but also produces actionable insights quickly.

Governance, risk and compliance 5.0 mainly uses artificial intelligence and cognitive technology, including natural language processing and predictive analysis.

In conclusion, the evolution of GRC from GRC 1.0 to GRC 5.0 has been a journey towards more efficient, consistent, and sustainable governance, risk, and compliance processes for organizations.

Technology development has played a significant role in automating GRC processes, enabling organizations to align risk management, controls, and policies with a common information and technology architecture. With the latest phase, Cognitive GRC, AI and cognitive technology are now facilitating compliance and producing actionable insights quickly. Organizations must keep up with the latest GRC trends to stay ahead in the market and remain compliant.

Learn more about the role of InMorphis' GRC solutions in bringing about organizational change.

Thanks for reading,  


Prasanna Kumar