GRC: Trying to take the bite out of risk

22.08.2012

"When I describe this to a client, I usually say, if you break GRC down, governance is how you make decisions, risk is how you prioritize your decisions based on how risky something is, and compliance is how you address various mandates, be they external or internal," Proctor says.

"What GRC is really about is those three things actually tightly rolled up."

In the past, those functions usually were siloed and barely crossed paths, Proctor says. "Now organizations have figured out that those things are actually combined, so they need a repository in order to make decisions," he says. "They need some workflow capabilities and they need some data gathering function."

What new functionality will GRC products offer in the future? "Analytical capabilities are going to be increasingly important for GRC," McClean says.