Anton wrote a nice piece, called "Unified GRC: Replacing a piecemeal response to compliance" for SC Magazine defining GRC and how it fits together with other areas of security and prevention management. The article, as expected, has a major slant toward Log Management, but it is a very good summary that also highlights other key capabilities / areas important to GRC.

Even though most security vendors are marketing IT Risk Management, many customers are beginning to realize there is this new breed of software products that compliments your vulnerability, log, configuration security solutions. These IT GRC products normalize all the various regulatory or standardization controls into a common framework and then pull scores/results/data from these products into that model to go along-side data gathered from controls that can't be instrumented with software (e.g., people, processes, procedures, physical). As mentioned in previous posts, without this other side of the coin you're not getting a complete picture of risk/compliance/governance.

So if you you've already made investments in these other products but need something to pull them together into a unified view and are looking to get the complete picture, come check out IT GRC.