OCEG President, Carole Stern Switzer, asks three leading GRC analysts about what they see coming for GRC technologies. Michael Rasmussen, Founder and President of Corporate Integrity, LLC; John Haggerty, Vice President, Research Fellow at AMR Research, Inc.; and Chris McClean, Analyst, Forrester Research, Inc. provide insights that will help you plan your approach to IT for GRC.
OCEG: What are the top three questions the board of directors of any public company should ask regarding the status of GRC enabling technologies in their organization?
McClean: The most important questions are whether the information they receive is accurate, whether it gives them full visibility into critical GRC issues across the organization, and whether it meets the necessary requirements for corporate reporting and decision-making. Hopefully the enabling technology allows those responsible for GRC to give the board a more satisfactory answer when these questions arise.
Haggerty: Many of our customers note that their boards are mandating better risk visibility and management across the business, not just within organizational silos. Depending on the industry, risks take different forms across sectors, but the three questions management should be asking are: Is our information environment completely secure from unauthorized internal and external access? Are we fully aware of the scope of risks we face as a business? Have we prioritized remediation actions to maximize shareholder value?
Rasmussen: My experience is that the board of directors is not really focused on the technology enablement of GRC. My fear is that organizations and boards of directors will begin to view GRC as a technology issue. Technology enablement of GRC is critical, but GRC is much broader than technology. GRC is about a philosophy of business in which the organization is looking at governance, risk and compliance from a holistic perspective across islands of responsibility. The board should not be focused on whether the organization is using technology; the proper question from them is “Do we have sustainable, consistent, efficient, and transparent GRC processes that work together collaboratively?” In answering this question you will find it can only be done through the use of technology enablement.
OCEG: For the remainder of 2008, what are the least-obvious business or market trends that have the highest impact resulting from GRC automation?
Rasmussen: The biggest value I am beginning to see is the extension of policies and procedures, training, and risk and control assessment to an organization’s business partners. Highly regulated organizations already have to see that certain vendors have communicated and trained vendors/business partners and their respective employees on policies and procedures. Liability and new regulatory requirements are driving this growth. Further, I am seeing many organizations begin to ask how they can leverage technology that they have used for SOX to conduct self-assessments of controls to assess their business partners.
McClean: I expect audit departments to really extend their visibility and value throughout organizations as GRC automation increases. So much of their function has historically depended on manual processes and has been limited in scope. As risk management and compliance information moves closer toward a centralized source of record, auditors will have a much better view into the organization’s complete control profile. Ongoing, enterprise-wide risk assessments provide a great foundation for auditors to scope and prioritize their efforts and possibly identify areas of the business where they could be providing more value.
Haggerty: Based on our research, operational and enterprise risk management will be the area of biggest impact throughout 2008. Buyers recognize the need for more rigorous evaluation of risk; in fact, it’s now part of everyone’s vocabulary and an action item for many firms we advise. Going forward, we see organizations formalizing their risk identification and assessment processes with a plan to prioritize actions or to simply decide which risks are worth accepting.
OCEG: What are the biggest misunderstandings about GRC-enabling technologies? Why are these particular areas the most misunderstood outside of the IT organization, and how can IT help clarify information?
McClean: Unfortunately, the biggest misunderstanding is what really constitutes a GRC-enabling technology. This is caused in large part by software vendors claiming to provide GRC solutions while only offering small pieces of the total package. Other misconceptions include the idea that licensing a software platform is a good first step when beginning a GRC program and that it’s typical to tackle a large number of GRC elements at the same time.
The best way to clear up all these issues is to start with a very clear strategy that explains what will happen, who will be involved and how they will benefit. Once this plan is laid out, it’s much easier for the process owners to work with IT to identify what they need from a product standpoint so that they can cut through the clutter and only talk with vendors that can address their actual needs.
Haggerty: I see four big misunderstandings. Somewhat surprisingly, business owners still think that software/technology alone can solve GRC-related issues. Security breaches come from both within and outside the firm. Most companies feel their biggest exposure is unauthorized external access. But internal threats are more common and more costly, and need to be remediated.
GRC is not a one-time project but an ongoing part of most if not all business practices. IT alone cannot lead the way. Management across the business must set the right tone for how GRC becomes part of standard operating procedure. Without that, each business owner will act in its own self-interest, suboptimizing the potential impact of an organizationwide approach.
Rasmussen: GRC is not just about technology. If you do not have the process and organization structure down, the impact of GRC enabling technology is limited. This is something to understand before investing in technology. There are more than 500 technology providers in the GRC space, and it is a $5 billion-plus market. Approximately 100 of these technology providers are trying to be the central GRC platform. However, many of them were designed for a specific purpose and were not designed from the ground up to be a holistic GRC platform. It is important the organization understand what they are trying to achieve before selecting a vendor or else they may be locked into a specific vendor’s concept and framework of GRC and, thus, disappointed and limited.
OCEG: What are the most critical areas for further GRC automation and why?
McClean: Technical controls, such as those for application access or financial transactions will be major focal points for automation over the next year. These types of controls are very important for a lot of different regulations and best practices, and the automation of these controls is a prospect toward which software can add a lot of value. Testing these controls and reporting on their effectiveness is another critical area where automation will be important.
Automatically pulling in data from outside traditional GRC applications (data related to human resources, financial transactions, health and safety, environmental management, and other key areas) is another important area of automation. Tying this information for purposes of risk management and compliance is something that has traditionally been done manually, and companies have a lot to gain by moving this resource-intensive collection and analysis out of the hands of its employees.
Haggerty: First, establish continuous monitoring of business controls. People-related expenses are the biggest percentage of overall GRC budgets. Reducing human effort will have payback for years to come.
Access security. Security is still the largest concern within IT, and the one that has the most exposure at the CIO level. Automating access from provisioning through execution is essential to reduce IT risk.
Records retention policy management is also critical. Be it a document, an email, or a business transaction, a consistent policy for managing record storage and disposal is critical to establish a legally defensible environment.
Rasmussen: The top of my list is what I am calling “Next Generation Policy & Procedure Management.” This may not be on everyone’s radar, but it is a significant area to drive efficiency and consistency, as well as to consolidate spending across the business. The typical organization, large and small, is in a mess as to how they define, manage and train on corporate policies and procedures. Best practice organizations that I am monitoring are beginning to consolidate dozens of different policy and procedure systems (typically intranet sites) into a single policy and procedure management platform owned by legal or compliance.
Next is the critical area of loss and investigations management. To manage risk effectively, as well as manage sensitive investigations, it is time for organizations to consolidate on a single investigation, loss, event, complaint, issue management platform.
The third is managing business relationships so they comply with your respective regulatory requirements.
OCEG: Among the companies you speak with, which organizational departments appear to have the most to gain from GRC automation?
Haggerty: I don’t see one department over another that has more to gain from GRC automation. Depending on what issues they’re tackling and priorities set at a strategic level, some groups will naturally take the lead on automation at different times in the GRC lifecycle.
Finance, as the steward of corporate data with explicit responsibility for external financial disclosure, continues to pioneer GRC-related automation. Legal departments are asserting their prerogative to define document and records retention policy and standards across the enterprise. This naturally leads to more automation. IT is also stepping up to the GRC challenge in two ways: supporting business initiatives with technology support while applying GRC principles to better manage IT risk.
McClean: Audit professionals have a lot to gain from GRC automation. Operational owners that are plugged into the system, who can start to look at how their decisions impact the overall risk profile of the company, will see substantial advantages as well.
Generally, automating GRC is not about singling out individual departments for the largest gain. The idea is to coordinate all of the various departments to participate in something that benefits the organization as a whole. Unless all of the various areas of the business can see real benefits, it will be extremely difficult to achieve the advantages gained through broad collaboration.
OCEG: Which industries have the most to gain from further GRC automation? Where in the business, specifically, do you foresee the GRC automation process benefiting these industries?
Haggerty: Those companies that have not been subject to significant regulation and oversight to date are the ones who are in the earliest phases of GRC maturity. We expect companies to begin automation at their biggest point of pain. For example, environmental health and safety concerns may be priority number one for a discrete manufacturer. Privacy concerns might trump all in a healthcare environment.
Hopefully, companies will see connections between disparate initiatives and move toward a holistic GRC view. But a lot depends on their organizational maturity and, frankly, on external pressure to do the right thing.
McClean: Any organization, whether in retail, manufacturing, life sciences, or telecommunication, that has a large business partner ecosystem, diverse product portfolio, and broad geographical footprint, will find it extremely difficult to keep up with their regulatory requirements and risk profiles. In these cases, technology becomes an incredibly important element of success in their ability to set operational boundaries and have the monitoring and reporting capabilities to assure that decisions across the entire organization follow these boundaries.
Rasmussen: Large distributed organizations have the most to gain from GRC as they try to manage risk and compliance across multiple regions and jurisdictions around the world. The Global 1000 all should have GRC on their radar and be looking for technology enablement of GRC processes. In addition, we are also going to see a rising use of GRC technology in manufacturing and retail as organizations try to manage supply chain risk and compliance and develop their corporate social responsibility practices.