It is time to integrate Governance, Risk and Compliance (GRC) activities into mainstream business processes, decision-making and management reporting. The impacts and implications for the design, development, implementation and use of information technology (IT) are deep and pervasive.
So what is the current state of affairs? GRC activities typically are fragmented, manual and not sufficiently integrated with performance management, reporting and analytics. There is a growing consensus that such approaches to GRC management are not sustainable, efficient or as effective as desired.
There is much activity in the use of technology for specific GRC tasks, activities and purposes. For example, technology is increasingly used to manage compliance documentation and records, and to automate the workflow of certain review and audit processes. Many organizations are using technology to better manage system access, security and information integrity. Identity management, user access and segregation of duty software have been particular favorites. Now, there is increased interest in the use of technology for business process management, control automation, continuous monitoring, analytics, portals and dashboards. But we are early in the journey.
Leading organizations are clearly looking for more comprehensive approaches to improve the efficiency and effectiveness of GRC activities, processes and programs. IT is a key part of this search. Technology is an essential element for GRC to work in any large enterprise. Few organizations have significantly leveraged technology to enable enterprise-wide governance, risk and compliance management programs. While there is widespread recognition that technology assets must evolve to support better governance, enterprise risk management and more efficient compliance, deciding how best to proceed can be complex and confusing. Part of the confusion stems from the hundreds of software vendors around the world marketing their wares as GRC enablers.
But things are changing. Large technology vendors have increased their focus on GRC. Last year, SAP formed a new GRC business unit and made GRC a significant strategy priority. Oracle announced its new GRCM strategy and platform earlier this year. Both SAP and Oracle have made strategic acquisitions in the GRC arena. They are integrating these technologies into broader product portfolios in order to deliver more complete solutions to better support GRC functions.
These moves by ERP software giants confirm that there is no single killer application to meet GRC needs. Aligning IT assets with GRC needs requires new ways of thinking about IT projects and priorities. Enabling GRC requires architected solutions drawing on multiple applications and demanding significant integration with core business transaction engines.
Where Technology Works
Consider the many ways GRC can and should benefit from better use of technology:
• Group Facilitation
• Decision Support
• Research
• Loss Event Databases
• Systems of Record
• Assigning Responsibility
• Capturing Quantitative and Qualitative Assessments
• Anonymous Surveying
• Risk Prioritization
• Analyses
• Delegation of Authority
• Action Tracking/Controls
• Testing of Controls
• Surveys
• Self Assessments
• Workflow
• Status Reporting
• Issue Capture
• Monitoring Transactions, Processes and Configurations
• Issue Resolution and Escalation
• Integrated Performance Management
We are entering a new phase of IT for GRC. We are moving from point solutions for point problems to an architected ecosystem that enables enterprise-wide, integrated GRC. Technology will be leveraged to document policies and controls, communicate throughout the organization, enable risk assessments, assess controls, manage corrective actions, enable alerts, analyses and reporting, manage audits, and provide corporate performance dashboards. This new world is not the land of isolated, stand-alone applications. The overall IT infrastructure and architecture will be leveraged to create a GRC nervous system and enable what Cisco calls the “instantly responsive enterprise.”