
Governance, Risk & Compliance (GRC)

The integrated approach to managing governance, enterprise risk, and regulatory compliance — typically retrospective in focus and document-heavy in practice.

GRC (Governance, Risk & Compliance) is an established discipline that integrates three functions:

- Governance: how the organisation is directed and controlled
- Risk: how threats and opportunities are identified and managed
- Compliance: how regulatory and legal obligations are met

The GRC market is worth $60-80+ billion annually, served by vendors like ServiceNow, Archer (RSA), LogicGate, and Diligent. These tools typically focus on:

- Risk registers and heat maps
- Control mapping and testing
- Compliance evidence collection
- Policy management and attestation
- Audit workflow management

The limitation of traditional GRC is that it is retrospective. GRC tools help organisations understand what risks exist, what controls are in place, and whether compliance was achieved — but they operate after the fact. They tell you what went wrong; they don't prevent it.

Corporate governance infrastructure is a fundamentally different approach: prospective enforcement at the moment of action.

How Constellation handles this

Constellation is not GRC software. GRC maps risks to controls retrospectively. Constellation enforces governance prospectively at the moment of action. They address different problems at different points in time.

Frequently Asked Questions

Is Constellation a GRC tool?

No. GRC tools manage risk and compliance retrospectively — they help you understand and document what happened. Constellation is governance infrastructure that enforces constraints prospectively — at the moment of action. They're complementary: GRC for risk documentation, Constellation for live governance.