GRC Back on Track in 2010
The software category known as “governance, risk and compliance” (GRC) has struggled to find a clear identity. I think the general concept is understood well enough. But that seems to be where it ends.
Today there are at least 20 different “enterprise platforms” as well as a huge number of focused products addressing specific market segments or facets of GRC. Analyst Robert Kugel of Ventana Research recently wrote that “… from a buyer’s perspective, ‘GRC software’ doesn’t exist today.”
Most GRC products were created as compliance aids. According to an AMR Research study of 151 companies, managing and mitigating risks has taken an overwhelming lead as the top priority for GRC investments. Pressure from the Securities and Exchange Commission or other financial regulators, product recalls (Toyota, etc.) and increasing Foreign Corrupt Practices Act prosecutions have all contributed to the renewed interest in risk management practices.
At a high level, GRC can be divided into two categories, products that oversee risk-management and compliance programs and those that automate and monitor controls. Although these categories are not mutually exclusive (just take a look at Teamstudio’s ), a product will usually fit into one category or the other.
Implementing GRC across an entire organization is extremely difficult, expensive and time-consuming. Most would agree, though, that it has to be done. With U.S. companies’ spending on GRC growing by 3.9% this year (AMR Research), and half of that spend going to day-to-day internal management and execution across lines of business such as IT, it would seem the time to get serious has arrived.
If you have already adopted GRC strategies, I would love to hear from you. What have you done? Has it helped? How do you measure the results? What would you recommend to others who have not yet adopted GRC?
If you have not already adopted GRC strategies, I would love to hear from you. Why have you not already started? Is senior management hesitant? Is there a perception that this is optional? Are Lotus Notes applications immune from GRC mandates?
No matter your current situation with regard to GRC, I would love to hear from you.
Scott
Category: GRC, Compliance, Risk Management
Comments
I believe that the key components for a GRC strategy are company policies and procedures (including IT policies) which are sound and realistic.
Lotus Domino is a great platform for defining and communicating such policies and procedures, but this fact is sometimes overlooked at Notes/Domino shops.
Posted by David Jakelic at 06:05:37 AM on 03/16/2010
Thanks for the comment.
Posted by Scott Johnsen at 05:04:22 PM on 03/18/2010