GRC 2011: Gripes & Directions
No matter if you use the term or not – GRC (Governance, Risk Management, & Compliance) is a reality. We are in 2011 and it has been ten years now since I first started using the term GRC in research and interactions with organizations.
The truth of the matter is – GRC as an acronym is approximately 10 years old, but GRC as part of business is as old as business itself. Organizations are governed and approach compliance and risk management in some form. The question before them:
- Are they doing it in a way that makes sense?
- Are they doing it to achieve business agility, effectiveness, and efficiency?
Whether you use the acronym GRC or not does not matter to me – the truth is you are doing GRC in some form or fashion. As we enter 2011 it is time for me to put on the pundit hat and give you my gripes from 2010 and directions for GRC in 2011.
2010 Gripes
It is best to get gripes out of the way first – that way I can get them off my chest and not be weighed down as I discuss directions. Interestingly, my gripes are mainly focused on technology vendors – I am sure I can find a burr or two under my saddle in other areas, but today I am focused on venting my frustration with GRC technology vendors:
- Ignorance. Yes, vendors often frustrate me – some are great others need a lot of help. What frustrates me is when vendors ignorantly communicate GRC as being about technology – technology is the enabler for GRC to achieve agility, efficiency, and effectiveness. GRC itself is broader than technology and should align with process and strategy.
- Generic messages. Ignorant vendors have a generic message. I am tired of seeing vendors come into buyer situations telling them they have the best and most adaptable solution out there – it slices, it dices, it does your laundry. Good night – GRC is about solving problems, generic answers do not cut it. Most sales people from vendors completely miss the boat; they cannot put themselves in the shoes of the buyer. I remember one situation in which a buyer was addressing a Corporate Integrity Agreement (CIA) – several vendors that came into the deal never even read the CIA, which was publicly available and referenced in the RFP.
- Blowing Up Deals. My biggest issue is the fact that the primary GRC vendors are focused on large enterprise deals. They are pressured to close the big deal – often looking for 7 figures. Vendors come into a situation and are trying to fix organizational political issues/silos that the organization is not ready to address. I have seen more GRC opportunities trashed or postponed because vendors insist on making the deal bigger than what the organization is ready for today.
2011 Directions
2011 will be an interesting year for GRC strategies, processes, and technology. I pull out my crystal ball and give you the following predictions:
- Standardized GRC process and definitions. Much of the problem about GRC is a lack of standardized guidance. As my friend Norman Marks has commented, you can go to a conference and hear a dozen or more definitions of GRC. This is changing as the OCEG GRC Capability Model has grown in popularity and adoption. Dell is one company to be among the first to seek process certification for their anti-corruption processes against the GRC Capability Model.
- GRC professional certification. OCEG also is poised to roll out the GRC Professional Certification in the next month. This is an encouraging process to get more individuals trained and supporting a common GRC framework. The last two GRC Process, Strategy, and Technology Bootcamps delivered the early version of the test and enabled attendees to be among the first to get the certification.
- Year of corporate compliance. A lot of attention has been given to SOX, audit, and IT risk and compliance. 2011 is the year that the most significant growth will be in the corporate compliance department. This is a department that has been burdened by manual and ad hoc processes for years and is now becoming aware of how technology, particularly integrated with content, can streamline operations. Issues such as the UK Bribery Act and other regulatory/enforcement actions continue to drive this role as well as compliance evolving into a champion of values and ethics and not just the corporate cop.
- Performance and ERM. Back to a gripe that I forgot above – ERM. I continue to be frustrated with many ERM programs that are nothing more than an expanded view of financial controls (an evolution of SOX initiatives). I see growing interest in ERM being driven by the board down and one focused and integrated into strategy and performance. BTW – many vendor offerings are inadequate for true ERM as they simply are a replacement for spreadsheets and have very basic models for representing risk.
- Risk & compliance in the extended enterprise. Extended business relationships — those involving the supply chain, value chain, vendors, service providers, outsourcers, and contractors — require the same vigilance in mitigating risks and staying in compliance, as do internal enterprise activities. Third-party risk management and compliance obligations have steadily increased over the past decade, coming either directly from statutes and regulations or indirectly. Whether imposed by statute or from a business partner, managing such risk across the constellation of business relationships requires an approach that is effective, repeatable, and defensible.
- Risk & regulatory intelligence. A sound GRC strategy is not just built on technology but also content. More and more solutions are differentiating themselves by offering packaged content of policies, procedures, risk libraries, assessments and controls. Leading solutions also integrate with knowledge/content services to keep the organization apprised of relevant risk and compliance developments around the world that impact their business.
- Effective policy management. I am seeing increased interest in developing consistent policies and procedures within organizations and manage them within a well-defined life cycle. Policies and procedures are a cornerstone of a solid GRC strategy that in the past has often been neglected. Organizations are finding increased exposure to liability for ineffective policies that are out of date, confusing, and not understood.
- Fixing problems. There are some organizations executing large enterprise-wide GRC strategies that focus on collaboration across GRC roles. However, this represents only 10 to 20% of GRC deals. Most GRC deals are focused on fixing specific problems that bear down on the organization. Organizations want to leverage processes and technologies for other areas – but immediately they want to solve the problem before them. This will continue over the next several years as organizations remain reactive and only a few focus on strategic proactive GRC initiatives.
- Expansion and consolidation. The market for GRC technology will continue to expand as more vendors enter the market which will be complemented by further consolidation as larger vendors continue supplementing their GRC offerings through acquisition of smaller vendors. We will also see smaller vendors pull together to broaden their offerings and compete against the larger vendors.
- Mid-market focus. Mu
ch of the GRC focus has been on the Global 1000 – attention is now moving to encompass the mid-market companies into. These companies, as I started this discussion, have GRC strategies whether they call it or not – but are looking to improve their business efficiency, effectiveness, and agility for GRC. This starts with solving immediate pressing problems and expanding to other areas with consistent processes and technology.
- David and Goliath. The small vendor tends to be more agile, ready to adapt to customer needs, and quick to implement bleeding edge technologies. While the Goliath’s have entered their challenge and have pulled in smaller vendors to bolster their offering – it is the smaller vendors that tend to have the most intriguing cutting edge offerings that continue to expand how GRC can be managed within an organization.
- Prices come down. Regarding vendors, it is time for prices to come down. Many GRC technology opportunities are shut down because the primary vendors are looking for very large deals. I might not be very popular with this – but prices have to come down for GRC technology to achieve broader adoption. This will be done as a variety of new and existing vendors are poised to offer very feature rich solutions at lower price points – particularly to compete against the large IT companies in the space.
These are my collective thoughts – I could write volumes on this and more. In 2010 I had personal interactions (e.g., engagements, interviews) with over 100 different organizations implementing GRC strategies to address various problems across industries. This does not count the scores of interactions with vendors and professional service firms. Those subscribing to my newsletter and blog have grown to over 7,000. The Corporate Integrity LinkedIN Group has grown to over 2,300. It has been a good year – and I expect it to be an even greater year in 2011!
Happy New Year! May 2011 bring your organization commitment to sound values, ethics, and practices in light of Principled Performance supported by a sound GRC strategy, process, and technology architecture! Please feel free to comment and share your thoughts and experiences on the GRC market . . .