I keynoted at The GRC Summit produced by the Global Strategic Management Institute where executives from across the world gathered to collaborate and get the latest education on governance, risk and compliance (GRC). I keynoted on a topic called “Picking the Right Software for GRC” which is timely with the growing confusion in organizations and across attendees. My colleague elaborated on this recently in “Does GRC Software Exist? Should It?”. New releases of analyst reports from Gartner, Forrester and others are advancing the topic that only vendors who label themselves with GRC or have products with that acronym can address this set of requirements. This is unfortunately misleading since many technologies across multiple software categories can address the need of governance, risk and compliance and not just ones with the labeling.
Unfortunately these IT analyst firms who have dedicated analyst practices fail to mention this since they do not have and background or knowledge of these technologies. This is in part a failure of these firms management ability to cross pollinate and put incentives in place that are focused on the right answers for the client and not for the IT analyst practice. The other element is that these analyst firms only focus on IT and do not advice or research into the business who actually understands their needs across governance, risk and compliance making it unfortunate that they do not truly understand the value and benefits of these technologies. It is important to understand the requirements for GRC within finance and operations that vary dramatically from addressing risk compare to specific compliance. Now, the need to have infrastructure and security systems for IT is something that can be addressed more easily and important part of IT systems to support GRC like security, auditing, content/data management and other well defined categories.
Since GRC is a set of processes and activities, your organization should establish some common definitions that help provide the business need across finance and operations. Part of what software that can be used is business process management systems that utilize a process model, workflow, rules and other capabilities to help drive repeatability and efficiency but can be used to establish a wide array of GRC requirements. The next category is actually that of Operational Intelligence and Complex Event Processing (CEP) which can help provide the right level of monitoring and analytics to determine what issues might arise and to be more responsive. After this is the categories of Analytics and Business Intelligence (BI) which can provide robust set of calculations to reporting and dashboards on the information that needs to be provided in a visible manner. Of course this also means that Information Management which helps in the integration and synchronization of information along with the storage of it. Yes, Performance Management can help too since it provides the method to define these initiatives and objectives along with creating the measurements and key indicators to determine overall success. For those organizations that want to ensure the full organization is appropriately planning for GRC along with mitigating the risks of using spreadsheets should examine the use of Integrated Business Planning (IBP) A new category of capabilities called Information Applications that I recently wrote about (“Information Applications: New Generation of Information Technologies“) also helps provide the direct accessibility to semi-structured information found in documents and in text that can be formulated into solutions.
Be forewarned that as you read analyst reports on GRC that they are a small component of what you will need to address this range of needs in the enterprise and across business and IT, let alone address specific requirements of finance and operations. I am not saying that the GRC specific software do not help address specific issues or needs but that they are not designed to address the entirety of GRC, and in fact should really just be addressed individually as governance, risk or compliance software for one or all of the finance, operations or IT areas of your organization. Many organizations already have the skills, software and relationships with many vendors that can be put to work in your organization. Since you are not able to get information you can trust to be forthcoming and expansive of what you need, further analysis and review is necessary. Determining what is the right software for your meeting your GRC needs could be easier or more difficult than you think. There is no one silver bullet to help you in GRC but some pragmatic and well found advice and education does not hurt and I appreciate the efforts of GSMI to help provide that platform for direct education with finance, governance, risk and compliance teams across the world.