The writing is on the wall – we are entering a new era of corporate governance, risk management, and compliance. The shake-up on Wall Street is just the current example of a trend towards greater oversight of business in a volatile world. With this comes a renewed focus on integrity, ethics and values. Organizations large and small are in a period of looking in the mirror and examining themselves:
- Do we have the correct risk management oversight across business operations and relationships?
- Do we have appropriate compliance processes?
- Do compliance processes get to the principle of the matter, or are they simply about checking a requirement?
- Are the values and code of conduct of the corporation adequately defined and communicated?
- Are people trained properly on the expectations set before them?
- Is risk and compliance managed across business relationships?
- How do governance, risk, and compliance practices intersect with and support corporate social responsibility?
All this becomes particularly challenging when organizations look inside and see the disarray of overlapping and siloed risk and compliance initiatives. Corporate governance is handicapped. Directors and executives have a duty of care to oversee risk management as well as compliance in the organization. This is further complicated as Standard & Poor's and others focus on evaluating risk management practices. From the compliance perspective we have seen year-over-year growth in regulations for the past thirty years – regulations are an increasing burden on the business.
When I first defined and modeled a market for technology and consulting services and gave it the label of GRC, it was at a time when organizations were struggling with Sarbanes-Oxley compliance. In the years since, information risk and compliance have been added to that scope.
Times have changed – so must our definition of Governance, Risk, and Compliance. The current demands on business require that organizations adjust their approach to GRC across their organization.
However, GRC initiatives are being led by different parts of the organization and still largely operate in silos. This leaves organizations struggling to break down internal silos and politics to build a holistic GRC strategy. It also challenges vendors, as many of the roles responsible for GRC silos are not focused on enterprise issues but on specific points of pain.
This has led me to redefine and model the GRC market as well as to understand organizational approaches and leading practices. This is GRC 2.0: the GRC EcoSystem. The focus of this research is to map the roles responsible for GRC to the critical issues their company is trying to address. This has resulted in 27 solution areas within which GRC products and consulting services are marketed and sold to solve the specific big issues that organizations struggle with. Beyond the specific points of pain that organizations need to respond to, it also maps in 13 core technology areas that the organization should build into an enterprise architecture for GRC so that there is sustainability, consistency, efficiency, transparency, and accountability across the GRC areas of the organization.
To date GRC 20/20 has identified nearly 1300 technology, consulting, and knowledge/content providers around the world that map into the GRC EcoSystem.
This new research will be released in a Webinar on October 7th. It will be followed by a written research document outlining the model for the market – solution/issue areas, technology categories, areas of professional services/consulting, knowledge content providers, as well as professional associations. In 2009, GRC 20/20 will be releasing detailed market models, sizing, and participants for our clients as well.