Compliance management: GRC software may not be the answer

A platform that can handle all your GRC needs probably doesn't exist, and in any case wouldn't work without a deep understanding of risks and regulations across your enterprise.

In the Marvel comics version of IT, governance, risk management and compliance (GRC) software would definitely be a superhero, a three-in-one dynamo able to take on all compliance management needs in every corner of the enterprise. As the number and complexity of governance, risk and compliance mandates proliferate, it makes sense to yearn for a single solution.

Here in the Dilbertian world where IT and compliance professionals struggle daily to keep up with the myriad risks facing their companies, GRC is not so black and white. Indeed, it's not hard to find experts who remain unconvinced that governance, risk management and compliance should even be grouped together as a discipline, let alone a technology market.

For CIOs looking to spend money on GRC software in the coming year, a broad sampling of analysts, independent consultants and even some vendors suggests you might want to go slow. Start by isolating and articulating the GRC issues facing your business in the near term. Then look at how technology investments in those areas might have multiple uses within IT and other parts of the business. As one expert put it, don't boil the ocean. Be prepared for turf battles. CIOs probably have the best vantage point for seeing the connections between rules and regulations that appear disconnected but require the same IT underpinnings to work. Whether you can translate that knowledge into influence is another matter.

"During tough economic times, a lot of people don't want to hear about these grand schemes," said John Hagerty, vice president and research fellow at AMR Research Inc. in Boston. "But it is incumbent on the CIO to, in essence, educate the business leads that some of these things are tightly connected, and that the business can embark on programs that have a much broader applicability rather than meeting the objectives of one executive."

GRC solutions: Buyer beware

Semantics is partly the problem in getting a grasp on GRC.

"If I talk to 10 people, I get 20 different answers for what they think GRC is, which I think, by definition, raises the question whether there really is a software package or a suite of software packages from one vendor that would allow you to solve all those problems," Hagerty said. "The answer is probably no."

Others are skeptical, too. A research note published by Gartner Inc. in July states that any vendor claims to a comprehensive governance, risk and compliance management (GRCM) solution are premature. "Solutions that span finance, IT and operations GRCM, as well as integrate reporting from common technical and financial controls, will not arrive before 2010," the report states. When such solutions do arrive, they might not be appropriate for many organizations, Gartner cautions. And whatever you do, don't look to vendors as reliable sources.

"Most IT vendors can't address complex GRCM -- which includes audit, compliance, risk and policy management -- despite vendor marketing that implies they can," the report warns. "Vendors have perpetuated a level of market confusion that works to their advantage, rather than to the buyers'."

You can't blame vendors for trying. GRC is big business. AMR pegs the market for GRC-related activities in 2008 at $32 billion. Enterprises of all sizes are spending significantly on technology products and services to address risk and compliance management programs, AMR's Hagerty said.

While there is no requirement that software be employed to meet compliance requirements or manage risks, GRC tasks managed manually, with only cursory use of software, are prone to error and expensive, Hagerty said. AMR calculates that approximately two-thirds of GRC spending goes to people-related expenses. And a GRC program that is effectuated largely by human labor is only as strong as its weakest link: "If one worker deliberately or inadvertently bypasses critical GRC activities, the whole enterprise can pay the penalty," he said.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer
