Governance, risk and compliance (GRC) programs have a high corporate profile, requiring approval and often participation from top executives. For risk and compliance professionals who perform well in the spotlight, that's good news, but failures can also attract more attention.
Forrester Research Inc. recently surveyed 70 risk and compliance professionals selected as customer references for the Forrester Wave™: Enterprise Governance, Risk and Compliance Platforms, Q3 2009. These customers were all using similar documentation, workflow, risk quantification, compliance mapping and reporting capabilities of these tools to manage a wide range of GRC functions, including operational risk, audit, IT compliance, vendor risk, environmental health and safety, and financial controls management. Some of the most telling feedback Forrester received from the GRC customers had little to do with the vendors themselves, but rather with the business improvements resulting from the implementations.
Most organizations are gradually working to get better at managing broad risk and compliance programs, but those that have implemented GRC platforms tend to see value from improved efficiency, convergence of efforts and greater consistency. When building a business case for a GRC platform to present to executives, focus on these three most commonly cited benefits:
- Greater process efficiency -- Compliance requirements continue to swell, and the risk landscape is getting more complex. Above all else, customers cited process automation as the core value of their GRC platform implementations. Workflow management capabilities help keep everyone on task, and centralized content management and reporting reduce the need to jump back and forth between different systems. In addition, ongoing improvements in automated controls and control-testing functionality generate even greater efficiency gains. The manager of corporate compliance for a large pharmaceutical company told Forrester: "Managing all GRC initiatives in one platform saves time, resources and money. The ability to build a solid foundation for our compliance program in a relatively short time frame allows us to focus on the acute compliance issues facing our industry."
- Convergence of GRC efforts -- As well as increasing efficiency, converging the various efforts relevant to governance, risk and compliance fosters cooperation between business functions and improves overall GRC insight. Comparing exposure across different categories of risk or using risk assessments to generate audit scopes are just two examples of GRC convergence benefits. An operational risk management director for a large financial services company said that one of the biggest benefits of implementing a GRC platform was the ability to "integrate the risk disciplines, including internal audit, ORM [operational risk management], SOX and compliance."
- Consistency of processes and methodologies -- Getting different functions to work with each other is one thing, but getting them to use the same processes and methodologies is much harder. GRC platforms allow organizations to create standard templates for documenting and assessing risks, controls, incidents and other elements of GRC. Consistency also leads to convergence and efficiency and is often an initial driver for the development of a GRC program. The director of risk and compliance for a top high-tech company succinctly explained to Forrester that one of the most important values of GRC technology was the creation of a "consistent way to manage compliance, operational and ERM [enterprise risk management] projects." Pay close attention to this aspect of GRC value. As risk and compliance become more complex, consistency will quickly become a necessity.
Expansive GRC programs are becoming more common as the number of corporations that classify themselves as "heavily regulated" rises. Make sure to keep a few things in mind during your vendor selection and rollout phases:
- Take advantage of a desire to please. GRC is still a relationship-based market, and vendors know that. The best vendors will work closely with customers to ensure a good proof of concept, a smooth rollout and ongoing success. Don't miss opportunities to get some free guidance or to suggest additions to the product road map. Also, ask to participate in user and peer discussions to share best practices whenever possible.
- Be clear about what you expect. Detailed requirements for ongoing support and maintenance, as well as for technical demands like scalability, must be clearly defined up front. GRC programs have a tendency to swell during platform implementation, so make sure to discuss potential large-scale scenarios in order to understand how performance and price will be affected.
- Expect some hurdles and hiccups. Considering the relative newness of the GRC space and the overwhelming breadth of what GRC seeks to achieve, there will be plenty of unforeseen issues that arise from both your organization and your vendor. Remember: Between the two, the vendor is more likely to have experience and willingness to find the best solution. Savvy customers will turn to the vendor to act as a moderator when organizational and internal political issues arise. If nothing else, vendors can offer guidance based on previous customer experiences.
GRC is a long way from being a commodity
The GRC vendor landscape is maturing quickly, and the leading vendors can all demonstrate successful customer implementations. As the market gradually moves toward greater consolidation, Forrester predicts GRC software won't fully commoditize for at least another five years. In the near term, smaller vendors will continue to drive competition based on customer satisfaction and industry expertise, while larger vendors capitalize on opportunities with their existing customers and drive further consolidation.
About the author:
Chris McClean is an analyst at Forrester Research, where he serves security & risk professionals. He covers GRC and CSR strategy, organization, best practices, and technologies.
This was first published in December 2009