Luc Brandts is co-founder and chief technology officer of the Netherlands-based BWise Inc., a contender in the relatively new marketplace known as governance, risk and compliance (GRC) management, or GRCM. Brandts, for one, doesn't use the term GRC. He prefers instead to meet his customers where they are on the long road to implementing an enterprise-wide -- and many levels deep -- understanding of risk and compliance. When we spoke with Brandts by phone recently, the Dutch native updated SearchCompliance.com on BWise's integration of continuous controls monitoring (CCM) with its GRC suite. These two efforts -- one (CCM) focused on monitoring risk and compliance, the other focused on management -- traditionally have not been combined. In three to five years, GRC and CCM solutions will be one market, not two, Brandts predicts.
What's new at BWise?
Brandts: Our biggest innovation has been to integrate CCM into our suite, which effectively means we are one of the very few, if not the only, broad GRC vendors that has an integrated solution for both managing and monitoring risk and compliance.
Who are your competitors in this space?
Brandts: We don't want to position ourselves as a CCM vendor, although from a product point of view, we could compete against them. But our differentiator obviously is that we bring CCM into a broader GRC space. And I think the only ones who also claim to have a position in this would be SAP and Oracle. Now, our proposition is much broader and also in some areas, deeper, and it is less focused on just SAP and Oracle. I understand that their technologies are broader than just Oracle and broader than just SAP, but realistically that is what the solution is engineered for.
How is CCM going to change the GRC market?
Brandts: CCM doesn't make it into something that you click a button, and all of a sudden everything happens automatically. What it does do is lower your cost tremendously, because what is now done manually by many organizations can happen automatically. The most important thing is that as soon as you understand the power of data analytics, you start to look at very different controls and very different ways of monitoring your risk than you are doing today. Your risk management is at a much higher level, by standardizing and monitoring your processes rather than just checking a box for compliance.
My view is that CCM vendors will automate a process because that is what they are good at -- if you are a carpenter, all you see is a nail. What we try to do is be a combination of things. We look at what are your key risks. Some of these risks need to be modeled by a very manual process because there is no data involved you can pull from any system. Some of the controls that need to be tested automatically can run through automated workflows: No human interception is needed. And there are things in between. That is the reality, and that is what we see among our customers. It is not a black-and-white situation. If you are a CCM technology user, then everything needs to be automated, whereas in reality your risks are maybe 30% to 40% in your automated systems. All of the big, famous cases in fraud are not because of transactions going wrong, it is a different thing. That is why you need a combination of both GRC [management], which is partially manual, and CCM, which is partially automated.
GRCM covers a lot of territory, from IT auditing and financial controls to operational risk. Do your customers tend to start in a particular area?
Brandts: That probably depends on the country and the vertical. I would say that the majority, especially in manufacturing, would be starting in financials and immediately after, IT. Sometimes it starts with IT because they have a very concrete issue at hand. And in financial services, most of the financial controls are in place or can be optimized; this vertical is looking more at [operational risk] and some of the regulations that are coming in, especially in insurance in the European realm. So, not one answer, but we do see that the more mature companies are starting to see the need to have one common approach. One of our clients, the CFO of a very large retailer, globally active, said 'one solution or no solution.' That's what we like. It sometimes makes the sale more complex because you have to talk to more people, but at the end of the day, that is where our strength is.
What is the biggest reservation you're still hearing from companies when you go out and talk about GRC?
Brandts: We try not to use that term, GRC.
What term do you use?
Brandts: We try to use the term the client is using. So, it might be financial controls management or IT governance. It might be policy and procedure management, or operational risk management, or enterprise risk management. In some cases it might be GRC. The thing is, GRC is such a broad thing that it immediately becomes a very political debate, especially in the large organizations. That is the challenge with GRC. Obviously we like the concept. We are in the midst of it on a daily basis. The biggest challenge for most organizations is to get everybody on the same page, to have people speak the same risk language. What people are trying to achieve is that everybody use the exact same terminology, and that is not realistic. There are different levels. Sarbanes-Oxley risk management is on a much more granular level than enterprise risk management or operational risk management. So, these can be done with one common approach, but they are not necessarily the same thing. They are not necessarily using the same risks. There are also a lot of false promises being made in the market that everything will become that simple -- you just push a button and everything is automated.
That's an interesting distinction, between common approach and common language.
Brandts: Let me be clear. There needs to be a common language so everybody understands that risks can be on different levels. If we talk about a risk "owner," is that the same thing as what somebody else would call responsible or accountable? These details are important. What we are seeing many times is that if you don't get that common understanding properly defined in the beginning of a project, then you will end up with one solution technology-wise, but internally, it is still a lot of "buckets." So, the only benefit is that you only pay the maintenance for the technology rather than for five different tools, but there is no benefit because nothing integrates. We are trying to get away from forcing everybody to use the same risks, because that is not realistic. You need to allow different layers of risks, and layers of controls and processes, because there are differences between enterprise risk management and IT governance, and that is often misunderstood. Being on the same page doesn't mean that everybody is using the same risk catalogue. That is really crucial to get across to clients: We will allow them to use their own risk structures, but they need to be built in one common platform; otherwise, reporting is going to be impossible.
What will be the biggest driver for adoption of a comprehensive approach to risk?
Brandts: People have a very good view of what the numbers are, but can they trust the numbers? A lot of those famous companies that went bankrupt made a profit but then, all of a sudden, this risk thing happened. What people are seeing is, the equation has two sides: There is the performance side and the risk side, the positive and the negative side of what could happen. Now, the view on the numbers is all pretty well documented, and everybody has that pretty well in place. But the view on the risks is very poor, and boards and management are seeing that this can no longer be the case. The boards are beginning to say, 'OK, I get the numbers, but what about the risk profile?' There is a lot of external pressure to get a better grip on the company.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.