It is said there is nothing new under the sun, just new ways of looking at the same problem. This is certainly applicable to the burgeoning topic of Governance, Risk and Compliance (GRC), a subject so hot that the marketplace for GRC solutions is growing at an annual compound rate of almost 15% with a projected global spend of more than $40 billion by 2020. Not surprisingly, risk management software is expected to be the largest contributor to the global GRC market.
So again, what is it?
The definition provided by think tank OCEG seems comprehensive – "GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity."
The fundamental problem for many businesses is that they are siloed; strategic planning is separated from operations, risk management and compliance don't talk to each other, and rarely do all four get around the same table. But wait, you already need a bigger table - finance, IT, HR, legal, the C-suite and the Board itself all need a seat.
Communication is hardly revolutionary, it's just that many organizations don't do a very good job at it.
If you are dealing with performance issues, regulations and enforcement, rapid growth or have risk exposure concerns it's a good idea to start talking to each other. The idea is to learn together, align interests, execute the plan and monitor the results with feedback mechanisms for corrective action.
It's important to understand GRC is not against decentralized management, it's about creating a method that ensures the right people get the right information at the right times, that agreed objectives are established, that actions and controls are put in place to address uncertainty, and to do all this with integrity.
Sound complicated? It can be. The good news is that there is a substantial body of software and third-party expertise that can provide an organization with the means to identify risk, measure progress, conduct audits and generate meaningful metrics to monitor.
Adding to the challenge, data retention and risk management procedures mandated by the Sarbanes-Oxley Act (SOX), HIPAA, Basel II and regional regulations have placed unprecedented pressure on IT administrators who are now expected to coordinate enterprise-wide tracking and organization of compliance measures. Of course, the compliance headache for IT is only exacerbated by increased threats from relentless cyber attacks on business systems and networks.
Apart from the inherent value the organization derives from instituting a GRC program, the complex regulatory burden imposed on both executives and IT administrators will continue to drive the discussion and force the issue to advance. The good news is that the marketplace will respond accordingly with easier and smarter GRC solutions. Maybe we'll even get something new under the sun.
For further reading on this topic: