In the minds of many finance executives, the words governance, risk management and compliance are inextricably linked together; but what of the GRC software that claims to do likewise? Lesley Meal, FSN contributing editor, tries to find out.
‘One of the things that happens with IT analysts is that they invent software categories that have nothing to do with buyers,’ says IT analyst Robert Kugel, from Ventana Research, and when he has finished laughing, he cites the TLA (or three letter acronym) GRC as an example. ‘There is definitely a market for software products for governance, risk management and compliance,’ he says, but there is no clearly-defined range of products, as there is for example with accounting systems, because as Kugel observes: ‘From a buyer’s perspective, GRC software doesn’t really exist’ – and there are good reasons for this.
‘In the wake of Sarbox, since people started focussing on GRC, there have been elements integrating it into a unified approach, and they may coalesce,’ he says, ‘but they are the exception.’ So the GRC umbrella is wide open, and under it you will find a disparate, and sometimes disconnected, assemblage of software. And although this rag-tag collection includes (potentially) all-singing, all-dancing enterprise-wide GRC platforms, these tend to focus on governance and compliance (and to be aimed at the financial services sector), so they are much less common than products tailored to meet various ‘select’ GRC needs, and more specific (new and legacy) point systems.
As John Hagerty, an AMR Research analyst explains: ‘The GRC marketplace is made up of a series of discrete buyers.’ They are from different areas, and they have different needs and expectations. ‘Some are from IT, some are from finance, so if you ask 20 different people what they hope to achieve with GRC, they will give you 20 different answers,’ he says. For some GRC is linked to security, while others focus on audit and fraud, or sustainability and environmental health and safety, and their ideas and expectations are rarely tied to one all-encompassing GRC system. But with risk overtaking compliance as the leading priority for GRC, this situation is evolving.
The fear factor
Seven years ago, there was a Sarbox-fuelled focus on compliance, but things have gradually changed. ‘Sarbox compliance can’t be a project you undertake periodically, it has to be an ongoing process,’ states Kugel. This has resulted in the principles that underpin Sarbanes-Oxley being incorporated into everyday procedures and becoming standard practice, and the focus subsequently moved on to governance, and then risk management. ‘SOX and an increasingly risky world will continue to drive this,’ says Kugel, because companies have concluded that ‘it is in their best interests to anticipate and monitor a greater scope of risks’.
A report on GRC in 2010 from AMR Research makes very similar assertions: managing and mitigating risks has taken an overwhelming lead as the top motivation behind GRC investments. ‘People are really interested in identifying risks and how to size them,’ says Hagerty, ‘so there has been an increased emphasis on risk, and performance, and the two are bleeding together more,’ resulting in a growth in availability and use of tools for analysis, business intelligence (BI), financial forecasting, and performance management. As the report states: ‘Better risk management is looming larger in executive thinking.’
But what does this mean for governance, risk management and compliance and GRC systems? In Q3 2009, when AMR Research conducted its GRC survey of the plans, motivations and spending priorities of 151 US companies (of all sizes and across industries), it found that although GRC-related spending had fallen in 2008 and 2009, an upward swing was on the way. AMR expects US companies to spend $29.8bn on GRC activities in 2010, and although this will only take spending levels back to near where they were in 2007, it does represent an increase of 3.9% over 2009. What a difference an economic crisis makes.
As the CFO of one large industrial firm comments: ‘I want no more surprises. We must operate with our heads up, eyes open, connecting the dots between risks, policies, compliance mandates, and overall performance.’ So business policy has gained prominence on the GRC agenda, bringing with it an increased emphasis on governance, driven, in part, by the changing rules and practices affecting US listed companies. ‘The shift from US GAAP [Generally Accepted Accounting Principles] to International Financial Reporting Standards is having an impact on governance and controls,’ observes Kugel, because it is a move away from a rules-based system.
‘Ventana Research believes that the absence of specific rules will, somewhat paradoxically, put a premium on having software that can manage the governance and control of financial systems,’ says Kugel. ‘What vendors are selling is systems that can automate parts of governance and control mechanisms,’ he explains, and organisations can use them to ‘bake control into their finance systems’ so that they can cut down on the amount of time and effort involved in auditing. ‘What you are talking about is systems that are more efficient and more auditable,’ he says, because they give you plausible control of things, but as he asks: ‘Is this GRC?’
The answer depends on your perspective. AMR’s research respondents have a lot of different job responsibilities in their organisations, so they view governance, risk and compliance through many different lenses: they don’t all equate it with a discrete GRC system, any more than they all equate GRC only with software – and the increased spending predicted by AMR encompasses more than software products too. Company spending on GRC covers three main areas:
- Technology, including software, hardware and integration requirements;
- External services that encompass consulting, implementation, and outsourced processes conducted onshore and offshore;
- Internal efforts needed to make GRC management a reality within companies, including day-to-day management and execution tasks across lines of business, IT, legal, and audit roles.
Companies are clearly increasingly interested in managing GRC more effectively, and reducing risk, and CFOs seem to want an enterprise-wide perspective on this. But with GRC meaning so many different things to so many different people, and GRC vendors still beefing up their risk management capabilities, what are the chances of finding a GRC system that can take a holistic view of the risk, governance and compliance needs of an entire organisation? ‘If you are asking is there one product or service provider that can address all of these GRC needs,’ ponders Hagerty, ‘as of today, the answer is no.’