GRC stands, I like to say, for “governance, risk management, and confusion”. The confusion is caused by the multiplicity of definitions for GRC. I think the answer to that lies with adoption of the OCEG definition, which I paraphrase as how an organization optimizes performance to deliver value, considering risk, and remaining in compliance. This is a business-oriented definition, rather than one focused on selling services or software, or putting together a limited set of functionality that is easy to rate. The OCEG definition just makes sense!
When I talk about solutions for GRC, I am talking about solutions that enable you to do what I just described as GRC: optimize performance, leveraging risk management, and staying compliant with applicable laws and regulations.
This is much more than risk and compliance management, with internal audit and policy management thrown in to represent governance. It’s about getting the various parts of the organization who contribute to governance, risk management, and compliance working together to deliver optimal performance and value for stakeholders.
It’s about the whole, not just the parts. See this post for a metaphor that explains what I mean.
Back to the question: what solutions would I buy for GRC?
First, I will digress and say that I would not seek out a so-called GRC platform. I hate the term (see here) because it is a collection of software that some vendors and analysts think goes together. However, they don’t necessarily match a company’s business needs and I buy software to solve business needs. (You don’t buy the highest-rated power tool without first understanding what you need to build. Maybe you just need a hammer and nails.) In fact, you may end up with a grab-bag of software that integrates with each other but not necessarily with the primary enterprise applications. You fragment and make less efficient the overall IT infrastructure.
I think the best way to answer is to take each of my last few companies and talk about their business needs and which solutions I would get. (I am ignoring the need to update the software they had and no, this is not a pitch for SAP solutions.)
The last company before SAP was Business Objects, where I ran internal audit, risk management, SOX, and license compliance. In general, the company made good use of technology. It had a single ERP and made decent use of its own applications for business intelligence and performance management. But, as someone responsible for implementing risk management (I liked ANZ 4360), I was severely limited by the lack of solutions; MS Office products are fine, but not what I needed to run risk management for a global company. The SOX program was in good shape, but again we were running it on MS Office products and certainly not being as efficient as I wanted. Access to the ERP and major enterprise applications was managed pretty manually, and we used Excel and Business Objects queries to monitor excess access to the ERP. While we were starting to use software for continuous auditing (primarily Business Objects own solutions), the testing of automated controls was manual. We had recently implemented a package to help us provide the board with secure information, so that was not a problem, and neither was our whistleblower service. But, the legal function was working off paper files and could really use a case management solution. So, my shopping list for the company would have included:
- Software for user access provisioning that would prevent, to the extent possible, users and IT people having more access than they needed – and reports to let us know if something slipped through the cracks
- Risk management solutions
- SOX software
- Software to test automated controls (primarily one that would monitor configurations of key automated controls and confirm they were approved by the right people)
- Legal case management
Prior to Business Objects, I was with Maxtor, a global $4b manufacturer of hard drives. I was in charge of internal audit, SOX, and process improvement. Maxtor also had a single instance of a major ERP and some business intelligence capability. But the latter was limited to a few people in financial reporting. We had acquired a solution that just gave us reports of who had what access to the ERP and whether there were any segregation of duties issues. But the number of issues was far too high and the risk of inappropriate access unacceptable. We needed an access provisioning system as well as an access reporting system. One area I worried about was IT change management, especially when it came to some of their outsourced operations. It was hard to find out what changes were being made and whether they were tested and authorized. We needed risk management (the company eventually failed, at least in part because it failed to manage a number of strategic and operational risks), but we hadn’t got there yet. We had acquired a SOX solution which worked pretty well, but automated control testing consumed a heck of a lot of resources. My Maxtor shopping list would include:
- Application change management
- ERP system access provisioning, including the ability to limit superuser access privileges
- More extensive business intelligence use, beyond financial reporting into business performance management
- Software to help test automated controls
- Risk management
Taking one last one, I worked at Solectron. I ran internal audit and advised on SOX. Solectron was a large, global company that did outsourced manufacturing for technology and phone companies (they made boards, phones, servers, and more). From an IT perspective, this place was a mess! It had a combination of basically autonomous operating divisions and regions, each of which had a collection of ERPs (we had one of everything) and other software. Consolidations were done in a combination of business intelligence software and MS-Excel. If you wanted to see operating information across a division or the company, that was done in Excel. Internal audit used ACL and we had acquired a solution for SOX. The business intelligence software was rudimentary at best, and we didn’t have anything to manage performance. In fact, it was a tremendous task to find out how many contracts we had with the same vendor or customer. My Solectron shopping basked would have to be one of those very large carts and would include:
- A single, major ERP that is used by all
- A top-of-the-line business intelligence system so management knows what is going on and can make intelligent decisions to run the company (BTW, did I mention it failed?)
- Risk management
- Compliance management. Maybe I should have mentioned that compliance was nearly as fragmented as IT?
What does all this mean? Where am I going?
As an old manager of mine once told me, don’t think you have the solution until you understand the problem!
Before you go out there to get technology for GRC, understand what you have to address – what are the business problems. Prioritize them, and only then get the software you need: the software you need to improve performance, add or create value, manage risks, and remain in compliance.
There is no single, “off the rack”, solution that will match every organization. Get stuff that is designed for your needs.