2014 GRC Drivers, Trends & Directions
Written by Michael Rasmussen
I trust your governance, risk management, and compliance (GRC) initiatives are fruitful. It is important to note that every organization does GRC. Every organization has some approach to governance, risk management, and compliance processes. These may be siloed or integrated, centralized or federated. They may be fly by the seat of your pants or defined and disciplined. GRC is not just technology; it is about people, strategy, process, information and technology. GRC maturity is measured by how this is integrated, aligned with the business, and provides business value. GRC is not only about a strategy that spans the enterprise – GRC happens in different departments and functions throughout the business. There are top down enterprise-wide GRC initiatives, but a lot of GRC happens in the trenches throughout the organization in disconnected departments.
It is good to be forward looking and to see what the future holds for GRC. As a market research analyst I dust off my palantir (that is a crystal ball for the non-Tolkien enthusiasts) and tell you what is important for 2014 as we look ahead.
The future depends on the past and on the events that drive us toward the trends that lie before us. The drivers pushing organizations to improve their GRC related processes are:
- Rapid pace of change. Business itself is changing rapidly (e.g., employees, partners, technology, processes, strategy). Risk environments are changing (e.g., geo-political, financial, environmental, competitive). Regulatory and legal requirements are changing. Trying to keep business, risk, and regulatory change in sync is not easy. The greatest challenge for GRC is to coordinate all of this change and ensure that the organization achieves its objectives while addressing uncertainty and acting with integrity (see blog: Tracking Change that Impacts Policy).
- Increased risk, regulation, and scrutiny. Not only is risk and regulatory change happening faster than organizations can keep up with; risk, regulations, and scrutiny of business governance and operations are also increasing. This results in an exponential GRC impact on organizations as we manage new risk and new regulation in an environment where existing risk and existing regulation are also rapidly changing.
- Extended enterprise adds layers of complexity. It is one thing to manage all of the change bearing down on business in a contained environment. When you begin to think of the hundreds to thousands to tens-of-thousands of business relationships impacting the organization you face GRC terror. Suppliers, vendors, outsourcers, service providers, contractors, agents, temporary workers, partners . . . they all impact your business (see blog: Growing Risk Exposure in Business Relationships). Your risk and regulatory issues are their risk and regulatory issues, but you are the one left in the spotlight when things go wrong, fines are imposed, and your organization is on the front page of the news in a negative way.
- GRC addressed in silos. We talk a lot about Enterprise GRC. It is a great idea – how perfect the world would be if we had one single integrated view of GRC information and processes. Reality is different. Organizations have GRC processes and data scattered across the organization with several “GRC platforms” installed. Sort of makes you think of the ERP world. We talk about how wonderful business will be with one instance of ERP when in reality the organization has several. Right now 80% of the spending on GRC solutions happens at the department or issue level and less than 20% on top-down enterprise GRC strategies. Some of that 80% is moving toward the enterprise view but is still on the journey.
- Herding cats. There are those that have vision for an enterprise approach to GRC and bringing everything together. Many times these roles are a voice crying in the wilderness. Worse, there are several with a vision but internal political strife rises within the business over who controls enterprise GRC strategy. Needless to say, getting people on board and cooperating is a lot like herding cats.
- Multiple GRC solutions in house. As stated, most organizations have many GRC solutions in house. Some are home grown, others are commercial software. Every week I am told how such and such a vendor is the GRC platform for some organization and I reflect back to last week when someone else told me they were for the same organization and the week before that . . .
- Documents, Emails & Spreadsheets. Oh My! Despite multiple solutions in house, much of the business is still struggling with manual and document centric approaches to aspects of GRC. Yes, some solutions have been purchased – but many areas of GRC are still encumbered by the inefficient and ineffective use of documents, spreadsheets, and emails. Not to mention that this approach is often not defensible in a growing legal landscape that requires auditable and defensible GRC.
- Policies are a cornerstone to successful GRC. There is growing awareness that policies are the cornerstone of a successful GRC initiative whether focused on a specific issue, department, or enterprise. Policies need to be properly written, communicated, and maintained. They address risk, define how to comply with obligations, and establish culture (at least properly written, managed, and enforced policies). Policies are essential to successful GRC.
- GRC to the scale of ERP cost and complexity. Every week I am hearing the weeping from organizations as they tell me tales of GRC initiatives that are burying them. Monstrous and costly initiatives that are over budget and past deadlines. I taught a workshop in 2013 in which I had to rein attendees in three times throughout the day as they wanted a GRC psychiatrist to listen to their PTSD stories of GRC implementation. Ironically, the GRC solution providers are not the only culprits for selling complex and cumbersome GRC initiatives; large consulting firms that love the services revenue from these projects also drive it. I had one client I helped with an RFP (who chose a solution against my recommendation) tell me it took them two years to roll out and was significantly over budget . . . they now wished they had listened to me.
- Unintuitive and difficult to use GRC solutions. I am regularly told about frustrations with the ease of use of GRC solutions. Many of the leading GRC solutions are very complex, lack intuitiveness and ease of use, and have dated interfaces. Interestingly, if you talk to some vendor references you hear glowing reports. However, these references tend to be the decision maker who is thrilled to be paraded at conferences, given press, and likes to bask in the light of their ever so wise choice of a GRC solution. If instead you talk to the users of the platform in the same organization, you often get a completely different point of view.
