Compliance management: GRC software may not be the answer

By Linda Tucci, Senior News Writer
16 Jan 2009 | SearchCompliance.com


In the Marvel comics version of IT, governance, risk management and compliance (GRC) software would definitely be a superhero, a three-in-one dynamo able to take on every compliance management need in every corner of the enterprise. As governance, risk and compliance mandates proliferate and grow more complex, it makes sense to yearn for a single solution.

Here in the Dilbertian world where IT and compliance professionals struggle daily to keep up with the myriad risks facing their companies, GRC is not so black and white. Indeed, it's not hard to find experts who remain unconvinced that governance, risk management and compliance should even be grouped together as a discipline, let alone a technology market.

For CIOs looking to spend money on GRC software in the coming year, a broad sampling of analysts, independent consultants and even some vendors suggests you might want to go slow. Start by isolating and articulating the GRC issues facing your business in the near term. Then look at how technology investments in those areas might serve multiple purposes within IT and in other parts of the business. As one expert put it, don't boil the ocean. Be prepared for turf battles. CIOs probably have the best vantage point for seeing the connections between rules and regulations that appear disconnected but require the same IT underpinnings (access controls, logging, change management) to work. Whether you can translate that knowledge into influence is another matter.

"During tough economic times, a lot of people don't want to hear about these grand schemes," said John Hagerty, vice president and research fellow at AMR Research Inc. in Boston. "But it is incumbent on the CIO to, in essence, educate the business leads that some of these things are tightly connected, and that the business can embark on programs that have a much broader applicability rather than meeting the objectives of one executive."

GRC solutions: Buyer beware

Semantics is partly the problem in getting a grasp on GRC.

"If I talk to 10 people, I get 20 different answers for what they think GRC is, which I think, by definition, raises the question whether there really is a software package or a suite of software packages from one vendor that would allow you to solve all those problems," Hagerty said. "The answer is probably no."

Others are skeptical, too. A research note published by Gartner Inc. in July states that any vendor claim to offer a comprehensive governance, risk and compliance management (GRCM) solution is premature. "Solutions that span finance, IT and operations GRCM, as well as integrate reporting from common technical and financial controls, will not arrive before 2010," the report states. When such solutions do arrive, they might not be appropriate for many organizations, Gartner cautions. And whatever you do, don't look to vendors as reliable sources on the question.

"Most IT vendors can't address complex GRCM -- which includes audit, compliance, risk and policy management -- despite vendor marketing that implies they can," the report warns. "Vendors have perpetuated a level of market confusion that works to their advantage, rather than to the buyers'."

You can't blame vendors for trying. GRC is big business. AMR pegs the market for GRC-related activities in 2008 at $32 billion. Enterprises of all sizes are spending significantly on technology products and services to address risk and compliance management programs, AMR's Hagerty said.

Nothing obliges an organization to use software to meet compliance mandates or manage risk, but GRC tasks handled manually, with only cursory use of software, are error-prone and expensive, Hagerty said. AMR calculates that approximately two-thirds of GRC spending goes to people-related expenses. And a GRC program carried out largely by human labor is only as strong as its weakest link: "If one worker deliberately or inadvertently bypasses critical GRC activities, the whole enterprise can pay the penalty," he said.

All Rights Reserved, Copyright 2009, TechTarget