INQUIRY: What are the 3 most critical areas for further GRC automation in 2009 – and why?
- The top of my list is what I am calling “Next Generation Policy & Procedure Management.” This may not be on everyone’s radar – but it is a significant area to drive efficiency, consistency, as well as consolidate spending across the business. The typical organization – large and small – is in a mess as to how they define, manage, and train on corporate policies and procedures. Add to this the fact that regulators, new laws, and the courts (USSC) are pushing that individuals not only be aware of policies but that they be trained on them. The typical organization has policies and procedures scattered across internal websites and no consistent approach to managing their life-cycle not concerted effort to train employees. Best practice organizations that I am monitoring are beginning to consolidate dozens of different policy and procedure systems (typically intranet sites) into a single policy and procedure management platform owned by legal or compliance. The best of these systems is able to present and communicate policies and procedures with the training courses delivered in the same user interface. One single platform for managing corporate policies and procedures.
- Next on my list is the critical area of loss & investigations management. Like policies and procedures, this is a mess of hodge podge systems – or even no systems at all. To manage risk effectively, as well as manage sensitive investigations, it is time for organizations to consolidate on a single investigations, loss, event, complaint, issue management platform (you pick the term that best suits your organization). A single platform for managing loss and investigations allows for greater transparency in where issues are across the organization and feeds the risk management process which needs to understand historical loss data to effectively build risk models.
- The third area of criticality is managing business relationships. Organizations are complex entities that extend to hundreds or thousands of business relationships around the world. These business relationships need to comply with your respective regulatory requirements, corporate culture, statements of corporate social responsibility/sustainability, and business practices. Thus organizations need to use GRC technology to extend policy & procedure communication and training, assessments, and even investigations to their extended enterprise/relationships. As I have mentioned previously, this is a significant opportunity for the Software as a Service/on-demand GRC solutions.