As the regulatory landscape becomes increasingly convoluted, so has the governance, risk and compliance (GRC) technology market. Even the term GRC has evolved to cover different regulations and processes for virtually every organization and industry, causing GRC solutions to become more vertically focused as vendors strive to cater to their target audiences.
People need to recognize the need, define the process, what maturity level they want to get to, before they deploy technology.
During a panel discussion held at the Governance, Risk Management and Compliance Summit in Boston last week, however, participants said increasing complexity and specialization in GRC technology has not yet spawned a targeted approach to buying decisions among enterprise consumers. Organizations still base most GRC purchasing decisions on what leading analysts tell them, rather than on what is best for their individual purposes.
"[Buyers] look at surveys rather than going through a formal methodology and evaluating requirements in a more traditional IT sense," said Norman Marks, a vice president at the Walldorf, Germany-based software maker SAP AG. "They go out and get what the vendors are telling them are the best GRC solutions."
During the discussion, titled "How to Implement and Align Technology within your GRC Framework," panelists agreed the "one-stop shop" -- an organization-wide GRC technology solution -- just isn't realistic in most modern organizations.
The GRC market has grown in recent years to include several different domains, such as vulnerability scanning, operations management, and compliance. As the market has grown in definition, one solution for all GRC processes no longer makes sense, said Michael Rasmussen, president and risk and compliance authority at Corporate Integrity LLC in Waterford, Wis.
"The GRC technology for your organization is going to be a lot different from [that of] the person sitting next to you because your needs are different, your industry is different, your roles are different," Rasmussen said. He added that vendors getting the most attention are those aiming to solve what he calls the "document problem": Organizing and managing risk for the endless number of spreadsheets and documents within an enterprise.
But there are more and more forward-looking GRC technology solutions that focus on achieving specific objectives. These solutions -- while perhaps most effective in the current GRC landscape -- are often overlooked because they are not the sexy, all-encompassing solutions getting all the press, panelists said.
"How do we build in the idea of performance, strategy and objective management, and tie that in to risk and compliance? [Those are] some of the mature areas the leading vendors are starting to take us," Rasmussen said. "Just leveraging the 'Waves' and 'Magic Quadrants' [is] a little misleading now, and there's a lot of really good vendors that don't fit in them because they are doing compliance really well, but maybe not doing risk well."
As this niche-oriented approach to GRC solutions continues, panelists suggested that an integrated approach across GRC technologies could be a better strategy. Carole Switzer, president at the Open Compliance & Ethics Group, noted that organizations are running dozens, or even hundreds, of IT solutions.
Of course, if they decide on a new GRC technology solution, enterprises will not automatically scrap all of these solutions and bring in all-new processes. Any GRC solution has to be able communicate with existing continuity or performance management tools, as well as any other systems the organization already has in place.
"The biggest problem I find is reconciling data and being able to utilize it among different systems," Switzer said. "You have to be able to interface and get the right data into your tools."
This communication between departments and operations will prove invaluable to meeting GRC objectives. An important factor when choosing any new GRC technology is cutting into information silos and employing these new systems to gain information, which assists GRC processes at all levels and departments within an organization.
"Siloed operations, down to that level of vocabulary and taxonomy, and how data is managed and kept, is incredibly different everywhere," Switzer said. "When you factor into that global operations and native language differences, it becomes really hard."
But no matter what high-level tools you choose to implement GRC, it still comes down to people doing the initial research on what's best for your business, not just buying into the latest trend.
Before you can begin to protect your information assets, you've got determine the people, processes and technology to start building layers of control. Once you determine your specific GRC goals and existing resources, you can determine the GRC technology that's right for your business.
MORE ON GRC TOOLS AND TIPS
Summit organizers promise real-world examples of leading GRC strategy
Pilot program best practices to help determine your GRC requirements
"A technology program is very expensive, and it takes time, but it all starts with people processes," said Eddie Ho, senior vice president and CIO at OmniAmerican Bank in Forth Worth, Texas. "People need to recognize the need, define the process, what maturity level they want to get to, before they deploy technology."