INQUIRY: What are the 3 biggest misunderstandings about GRC-enabling technology? Why these particular areas are the most misunderstood outside of the IT organization and how can IT help clarify information?
RESPONSE: There are several areas that are highly misunderstood in regard to GRC-enabling technology. The following represent what I see as the most common misunderstandings:
1. First biggest misunderstanding – GRC is not just about technology. That is the first issue: if you do not have the process and organization structure down, the impact of GRC-enabling technology is limited. GRC is not just about technology – it is about building a collaborative approach and framework for GRC across business functions. This is also something to understand before investing in technology. It is important that the organization understands what it is trying to achieve before selecting a vendor, or else it may be locked into a specific vendor's concept and framework of GRC – and thus disappointed and limited.
2. Second biggest misunderstanding – we still have a lot to do in the world of automated controls. We have seen a lot of control enforcement and monitoring successfully deployed for SOX, AML, OFAC, and other areas of compliance, but there are many other areas of GRC that this has not extended to. In 2009 we see the world of automated controls move full scale across other GRC processes and become a holistic solution.
3. Third biggest misunderstanding – dashboards. I have seen very few good GRC dashboards. Don’t get me wrong, everyone has a dashboard in their product and that is great. But very few are good business dashboards across GRC processes. The issue is that many have not achieved or do not get the relationship between business performance and risk/control/compliance indicators. An effective GRC or risk dashboard is a corporate performance dashboard that ties key risk indicators to key performance indicators of the business.