A Brief History of the Terms: Risk Assessment, Risk Management, and GRC

This article explores the historical development and convergence of three foundational concepts in organisational security: risk assessment, risk management, and governance, risk, and compliance (GRC). Tracing their origins in engineering, finance, and corporate governance, it charts their institutionalisation across the UK and their modern evolution into digital, real-time resilience frameworks that underpin enterprise cybersecurity and compliance today.

History

Risk is a foundational concept in organisational decision-making, but the terms risk assessment, risk management, and GRC have only relatively recently become formalised pillars of governance and cybersecurity. This article traces their evolution—from early engineering safety practices and financial uncertainty, to their integration in today’s regulatory, digital, and strategic landscapes.

Origins of “Risk” as a Concept

The word risk derives from the early Italian risco, which likely evolved from the Latin resecare—meaning “to cut.” Originally associated with maritime hazards in the 16th century, the concept of risk gained traction in commerce as European traders expanded into uncertain global ventures.

By the 17th and 18th centuries, “risk” was firmly embedded in insurance contracts, financial models, and legal language. In English-speaking contexts, it became tied to ideas of uncertainty, loss, and probability—concepts that remain central today.

The Rise of Risk Assessment

Early Industrial and Military Use (Pre-1970s)

The term risk assessment began appearing in engineering and defence circles during the early 20th century. It addressed the need to identify and evaluate potential failures in complex systems:

  • Ammunition storage and detonation risks (WWI and WWII)
  • Railway and aviation safety protocols
  • Chemical and nuclear safety systems

In the UK, early legislative efforts such as the Factory Acts (1833 onward) laid groundwork for risk-informed safety inspections. The Health and Safety at Work Act 1974 formally introduced risk-based thinking into workplace regulation.

Post-1970s Expansion and Regulation

By the 1970s, risk assessment was being applied across a wider set of domains:

  • Environmental Risk Assessment (EPA, UNEP initiatives)
  • Cybersecurity Risk Assessment (emerging by the late 1980s)
  • Financial Risk Modelling (intensified by Basel I in 1988)

In the UK, the Management of Health and Safety at Work Regulations 1999 made formal risk assessments legally mandatory in many sectors, reinforcing their role in everyday operational decision-making.

The Emergence of Risk Management

Insurance and Financial Sector Foundations

The term risk management came into use in earnest in the insurance sector of the 1950s, driven by efforts to mitigate losses through better controls and forecasting. It matured into a business function in the 1960s, tied to broader organisational decisions about:

  • Loss prevention
  • Investment volatility
  • Emerging market exposures

One landmark moment came with Russell Gallagher’s 1963 paper Risk Management: A New Phase of Cost Control, which helped establish the term in corporate boardrooms.

Institutionalisation and Strategic Adoption

From the 1970s through the 1990s, the concept expanded rapidly:

  • Enterprise Risk Management (ERM) frameworks emerged.
  • The Cadbury Report (1992) and Turnbull Guidance (1999) in the UK enshrined structured risk practices into corporate governance.
  • Boards and audit committees began requiring formal internal controls and risk ownership.

This period transformed risk management from an insurance task into a strategic priority.

Governance, Risk, and Compliance (GRC)

Origin of the GRC Acronym

The term GRC—an integrated model for managing governance, risk, and compliance—was coined between 2003 and 2005 by the Open Compliance and Ethics Group (OCEG) in the United States.

Its emergence was a response to major corporate failures (e.g. Enron, WorldCom) and new legislation such as SOX 2002. GRC frameworks sought to unify:

  • Governance: Organisational leadership, structure, and oversight
  • Risk Management: Handling uncertainty and threats
  • Compliance: Ensuring adherence to laws, regulations, and internal policies

GRC Adoption in the UK

In the UK, the GRC model gained momentum via:

  • The UK Corporate Governance Code (from 1998 onward)
  • Regulatory bodies like the FCA and PRA
  • ISO standards: ISO 19600 (Compliance) and ISO 31000 (Risk)
  • National frameworks: Cyber Essentials, NCSC’s 10 Steps, and DORA-aligned approaches

GRC became especially prominent in regulated industries—banking, healthcare, utilities—and formed the foundation for integrated cyber governance models.

Today: Digital Integration and Strategic Convergence

Today, the formerly separate disciplines of risk assessment, risk management, and GRC are increasingly interdependent:

  • Enterprise Risk Platforms (e.g. MetricStream, Archer, Cyber Tzar) integrate real-time data and reporting.
  • Cybersecurity strategies embed risk assessments into DevSecOps pipelines.
  • AI-driven analytics offer predictive insights and automated controls.
  • Regulatory compliance is increasingly continuous, requiring built-in monitoring and attestation.

The focus is shifting from retrospective audits to proactive, real-time resilience.

Conclusion: From Fragmented Practice to Integrated Resilience

The evolution of risk assessment, risk management, and GRC reflects a century-long journey from niche engineering practices to central strategic functions in digital-era organisations.

In the UK, this evolution has been shaped by regulatory foresight, public sector uptake, and alignment with global standards such as ISO 27001, NIST, and CMMC.

Together, these terms now represent more than jargon—they are pillars of operational trust, resilience, and strategic foresight in an increasingly complex world.