The Future of GRC
Posted on May 16th, 2008 by Silas Matteson

Is GRC a market category, or a set of features and functions within other existing market categories? That’s a debate for industry analysts, which is what they do best. Frankly, I’m not sure Global 2000 companies are that worried about it. I think what they are concerned about is how to better manage the internal controls that help keep their businesses from veering off the highway and into a ditch of waste, fraud or corporate malfeasance.
Today, so many products get lumped into the category of GRC that it makes it hard for the casual observer to understand the differences.
Historically, I lump products into two simple categories:
1) Products that document and report on controls within a business, and
2) Products that test and analyze controls.
Maybe an analogy will help; think of a student taking a class. All the materials the teacher uses to teach, from lecture notes and handouts to labs, and even the student’s final report card, are the documentation products. Everything associated with the quizzes and exams the student takes, on the other hand, is the testing products.
The testing products determine what information a student should know about the class and measure how well the student actually performed in meeting those objectives. Where this all gets more complicated is when students, or corporations, take more than one class.
In today’s market, most “GRC” products support one student and one class, and the teachers have little input into the tests the student takes to measure the effectiveness of the class and the teacher. In other words, the documentation products and the testing products are largely independent of each other, and they tend to focus on subsets of business functions, control areas, and compliance programs.
You can probably guess how we need the “GRC” products to evolve. First, the two primary categories of products need to become more closely aligned and integrated: the tests need to reflect the documentation and vice versa. Second, we need an enterprise view; a corporation is not one student taking one class. The GRC products need to support controls across all business functions within the entire corporation, including financial controls, operational controls and IT controls. Third, the GRC products need to support all compliance programs and transform the results into actionable business information that will serve a diverse audience of executives, business process owners and auditors.
At Approva, one of our interests is in how to take testing to the next level. This means testing more controls, streamlining the processes for resolving and mitigating control weaknesses and using the results of the tests to drive business efficiencies and effectiveness.
Measuring against a control objective or standard is a problem that has been solved. The future lies in using information from controls testing to drive business improvement. How? Why not use the results from the tests to change the way the business operates so these problems can be prevented? Why not use the results to make predictions about potential future control breakdowns? Why not use the results to give business leaders better visibility into the areas of their business that need attention? Better visibility makes for better decisions. Better decisions make for better-run businesses. Now that’s a class that’s easy to understand but hard to get an A in.
Tags: GRC, governance, risk & compliance, controls intelligence
