Governance, risk and compliance got the attention of many enterprises this year, even as some put their large GRC software implementations on hold. But the more budgets tightened, the more imperative it became that both IT and the business target their biggest exposures and eliminate redundant controls and audits.
Whether the three disciplines of governance, risk and compliance should be treated as a single control framework -- GRC -- is still up for debate among pundits and practitioners. But few question that a risk-based approach to governance, risk and compliance, as opposed to putting out individual fires, will occupy a prominent spot on corporate agendas in 2010, even with the recession dubbed officially over and even if budgets fatten.
In fact, some of the underlying causes of the recession, such as fraud and inadequate consumer protections, will figure large in risk scenarios at not only the "too-big-to-fail" banks but also in other industries, experts said, as the federal government take steps to prevent a crisis from recurring as well as monitor stimulus funds. In addition, national laws on data breach notification and emissions cap-and-trade are brewing.
As the year draws to a close, inquiries about GRC are up at consultancies Forrester Research Inc., Gartner Inc and the nonprofit Open Compliance & Ethics Group (OCEG), according to people who cover the GRC field there. And companies appear to be in the throes of redefining their approach to GRC. Trends include:
- A demand for enterprise risk management (ERM), pushed by boards and government scrutiny.
- Increased interest in formal approaches to governance, risk and compliance, often driven at the board-of-director level to cut out waste and rationalize controls.
- A shift in spending to broader GRC technology solutions and away from the spending by internal audit departments that kept vendors afloat in 2009.
- Growing C-suite interest in monitoring key performance indicators (KPIs) and key risk indicators (KRIs) side by side to correlate the impact of risk on business performance and of performance on risk.
- More interest in CIOs and IT working more closely with business on risk assessments, risk taxonomies and enforcement of business controls.
- Greater reliance on IT to track environmental and other corporate social responsibility issues.
- The advent of continuous controls monitoring (CCM) for business applications.
Is the enterprise ready for GRC?
Taking a comprehensive and risk-based approach to governance, risk and compliance remains a challenge, said Chris McClean, an analyst at Cambridge, Mass.-based Forrester. It's hard to convene people from audit, compliance, legal, security, IT and the business to settle on a common language for defining risk, to hammer out metrics for measuring risk and to develop standard processes for managing risk. But McClean said clients are increasingly willing to make the organizational effort necessary to get a better handle on risk.
"We are beginning to see a lot more interest from clients in a formal approach to risk and compliance," he said.
Carole Switzer, president of Phoenix-based OCEG, said company efforts to improve and become more organized around GRC have "never been stronger," at the same time that big implementations have taken a back seat to business survival. "It's been a bit paradoxical." That said, she said she has seen "a lot of self-education" by companies during the downturn to lay the groundwork for GRC, getting committees in place, finding a common language for defining risk. "Even that is a step forward," she said.
Gartner analyst Paul Proctor explained, "The maturity of organizations is increasing in their ability to address risk management."
McClean said enterprises have a "fairly good handle" on what needs to be done to comply with external mandates such as PCI DSS, the Health Insurance Portability and Accountability and Sarbanes-Oxley (SOX) acts and with their own internal standards and controls. Companies know how to do compliance. "What they are not doing a good job on is determining priorities. What level of mitigation is too much? How do you assess risk and apply the correct amount of control?" McClean said.
While there are many technology vendors, including Archer Technologies LLC, OpenPages Inc. and Paisley, that help companies with controls, McClean advises companies that have not yet gotten holistic views of their GRC landscapes to consider starting with one of the large risk consulting firms. Companies such as Deloitte, KPMG, IBM or Accenture can help with the requisite gap analysis before buying technology.
Aligning KPIs and KRIs to get to ERM
According to Stamford-Conn.-based Gartner, spending on GRC held steady through the first three quarters of 2009, along with security, in a year when IT spending was down about 6% by Gartner calculations. Analyst French Caldwell said the increasing number of inquiries about vendor selection in the fourth quarter suggests GRC spending may show an increase over 2008.
What [companies] are not doing a good job on is determining priorities. What level of mitigation is too much? How do you assess risk and apply the correct amount of control?
Chris McClean, analyst, Forrester Research Inc.
"We had anticipated that GRC markets would not suffer as much as other software markets, but frankly we were surprised to see it perform quite well throughout the year and certainly in the latter half of the third quarter," Caldwell said. "We are seeing a lot of new deals being closed."
Internal audit organizations helped to keep the spending up in 2009. Going forward, Caldwell is already seeing spending shift toward "the more typical broad GRC" solutions that bridge finance, legal, IT and business units. "We are back to where we were before the economic crisis," he said.
The heightened interest in enterprise risk management at the board level should come as no surprise. ERM, as opposed to a check-the-box compliance approach, for example, aims to anticipate and mitigate the risks that can prevent business goals and objectives from being met. ERM, which aligns performance and risk, can be applied companywide or to the objectives of a single department, like IT. Performing well in one area does not necessarily bode well for the whole, as the banks that made money hand over fist with risky loans and derivatives trading found out. A security framework that shuts out all threats but brings the business to a standstill is another example. (Caldwell has lobbied "half in jest" for GRC to be renamed PRC, with the P standing for performance.)
Continuous controls monitoring
Caldwell said boards of directors are reacting to two developments: continuing uncertainty about meeting business goals and objectives, and the fact that credit rating agencies are taking a closer look at ERM and factoring it into their credit ratings. "Lack of enterprise risk management affects the cost of money to the company," Caldwell said.
In addition, the country is heading into a big election year, where opponents to the Obama administration are certain to make their own hay by trying to show that American Recovery and Reinvestment Act money was wasted. The federal government is scurrying to put more effective reporting rules and risk assessment around the stimulus funds, although Caldwell said that it's "probably too little too late." But the upshot is that the political scrutiny from both sides will be intense.
Another trend Caldwell said he sees for 2010 is an increase in CCM for business and financial applications. From a compliance perspective, that may mean antifraud controls. IT has long used controls automation for configuring servers, conducting audits, maintaining security and so on. Continuous controls monitoring was used in complying with SOX requirements for segregation of duties. But CCM is increasingly being used for business performance issues -- for example, to eliminate duplicate payments in real time, rather than on a quarterly basis, or to ensure that invoices are paid on schedule but not in advance, to keep that working capital.
"Controls automation is moving up the stack. It's making sure the business rules are being followed," Caldwell said. The big ERP vendors such as SAP AG and Oracle Corp. are doing just that. Four areas where continuous controls are being applied are segregation of duties, transactions, application configuration and master data.
One last heads up, this one for CIOs: All the experts interviewed said CIOs and IT departments are increasingly being tapped to help on GRC. But Gartner's Proctor cautioned: "CIOs and risk officers have the next year to strike while the iron is hot for improving their company's risk management profile." If the recovery continues, after that, "business again will be distracted with other things."
Let us know what you think about the story; email Linda Tucci, Senior News Writer.