ITSM - GRC

dev_K
Tera Contributor

Hi,

How are the GRC and ITSM modules linked to each other?

Any examples?

1 ACCEPTED SOLUTION

ShafrazMubarak
Giga Guru

It depends on the scenario.

You can check whether there are existing SR catalog items used by the GRC team (Compliance, Governance, Audit or Risk team) to start their work. Some organizations would have Policy Exception Requests, Risk Assessment Requests, Reporting Risk Events, etc.

These kinds of use cases can be achieved using GRC, since GRC has more extended features for the same.

Based on the case study, you can either use the existing catalogs to produce the records in GRC tables or decommission the existing SRs and use the new SRs under the GRC category.

Another way of finding this out is to do requirements gathering with the GRC teams, check the work they do frequently and how many of those services are initiated as requests from outside the GRC team (e.g. end users will request policy exceptions), and then do a feasibility study on how these services can be offered in GRC.

Moreover, there is a direct configuration available in Advanced Risk in GRC that lets you configure Problem, Change and Incident records to be converted to Risk Events in GRC. Also, any new CMDB record (new server, new application) that is being onboarded to the organization can be assessed using the Risk Identification Process.
