Companies are hungry for technology that rationalizes their ever-expanding governance, risk management and compliance (GRC) requirements. Many are hoping GRC software packages
That would create more opportunities to automate compliance processes, but getting to the point where you can use technology to automate and improve your GRC environment is difficult, said Carole Switzer, president of the nonprofit Open Compliance & Ethics Group (OCEG).
In a soon-to-be-published survey of technology and GRC professionals by OCEG, 72% of respondents said they are not enabling GRC as efficiently and effectively as possible. Ninety-two percent agreed that they could make better use of software to make GRC more efficient and effective.
One roadblock is the GRC software itself. Many GRC professionals tell the OCEG that compliance software marketed as comprehensive GRC solutions are in fact standalone tools and do not integrate with the software that manages mainstream business processes.
"How are you supposed to use GRC strategies to help drive business objectives, if you can't integrate the information flow?" Switzer said.
Another barrier to implementing a comprehensive GRC program is the disconnect between the IT and GRC sides of the organization, Switzer said.
Most companies don't know all the GRC technologies they have, how best to use them and where they need to eliminate redundancies or fill in gaps. This is due partly to the history of GRC technology, which has been implemented in piecemeal fashion as companies scramble to meet imminent business risk or compliance regulations. Especially problematic is the lack of communication between GRC and IT professionals.
"It is not that they don't try to talk to one another; they just speak different languages," Switzer said.
Indeed, mistrust runs deep. In another recent OCEG study probing the gap between GRC and IT folks, 40% said they did not believe IT understood GRC well enough to shape corporate risk and compliance responses; 40% also said IT architecture and compliance technologies are poorly understood by the organization's governance and compliance experts. The majority of those surveyed (64%) agreed that "the disconnect between IT and GRC in their organization poses a significant risk or challenge."
Switzer explained, "An IT person cannot build an integrated GRC solution if they do not know that the same piece of information needs to flow through different systems or is used in multiple ways."
Why CIOs need to be involved in GRC
Many companies are not even sure they want a holistic solution. Analyst French Caldwell, who covers risk management at Stamford, Conn.-based Gartner Inc., said the first question for a CIO evaluating GRC software should be whether his company wants to take an enterprise-wide approach to risk management.
"If the company has decided that, 'Yes, we are going to do our best to provide integrated reporting across all the silos of compliance,' then the next question is whether the CIO is part of that company's risk management council or committee" that puts policy in action, Caldwell said.
The decision to look at GRC management software usually goes hand-in-hand with the company's decision that it no longer wants to take a siloed approach to risk management. Because IT is a central support organization fielding the various requests from business units for particular controls solutions, CIOs are often in the best position to see the potential connections between these granular solutions.
"For central coordination you need some type of system of record, and that is where these management applications come in, enterprise GRC platforms," Caldwell said.
Caldwell said enterprise management GRC platforms -- or what Gartner calls "big GRC" -- are "fairly mature" and offer a significant improvement over spreadsheets and desktop solutions. Gartner defines GRC management as "the automation of the management, measurement, remediation and reporting of controls and risk against objectives, and in accordance with rules, regulations, standards and policies." Leaders in this technology include OpenPages Inc. in Waltham, Mass.; Paisley Consulting Inc. in Cokato, Minn., and software giant Oracle Corp. in Redwood City, Calif.
But it is not realistic to expect to buy everything in one package, Caldwell said. And the selection of an optimum platform will almost certainly trigger debate. "It is hard to balance the requirements of internal audit vs. the chief risk officer, vs. the CFO or the IT chief risk officer," he said.
Plus, even the GRC software leaders started out with a particular focus in IT or financial or operational controls.
"Oftentimes what I'll see is that IT may have an IT vendor primarily focused on IT risk GRC, like Archer [Technologies LLC]. Archer also will support enterprise GRC, and they had added audit management functionality but their heritage is IT GRC. The internal auditors may say, 'Well, look, we have been using Paisley forever for audit GRC and they do management GRC, too, so we want to use Paisley,'" Caldwell said.
"Someone is always going to feel suboptimized," he added.
But increasingly, companies are opting for compromise, Caldwell said.
Gartner is seeing risk experts on the IT GRC side, for example, decide there are indeed places where they could use an enterprise GRC solution but still need to retain the IT GRC solution for the chief information security officer, who needs a tool that interfaces effectively with the automated controls reporting for operational reasons. "So, you'll sometimes find that companies will retain that IT GRC solution but integrate it into an enterprise platform for reporting and tracking purposes," he said.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.