From GRC 1.0 to GRC 5.0: A History of Technology for GRC
Governance, Risk Management and Compliance (GRC) is “a capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].” This is the official definition of GRC as found in the OCEG GRC Capability Model and their focus on Principled Performance that has been in place for the past 15 years. I have been honored to be a key part of the development and evolution of the GRC Capability Model since this time.
GRC is something organizations do, it is not something they buy. The organization is governed, it manages risk, and it complies with obligations and boundaries. There is technology for GRC, but you do not buy GRC an organization does GRC. Technology enables GRC and makes GRC processes more efficient, effective, and agile. It frustrates me to no end when an organization asks me to come in and they tell me we just purchased GRC now can you come in and tell us how to do GRC. That is putting the cart before the horse. You have governance, risk management, and compliance processes in place today. What is working? What is not working? What do you want to change?
GRC is something that organizations have been doing long before we had an acronym for GRC. GRC has existed since the dawn of business and has been a part of business strategy, processes, and behavior. Whether it was working or not, GRC existed long before an acronym came into play.
But we do have an acronym, and I was the first to use that acronym on a cold snowy day in February 2002 at the Chicago office of Forrester Research (I was an analyst at Forrester from 2001 to 2007). I had just sat through a solution briefing of a technology that mapped risks to controls to policies to regulations/standards and had structured workflow and tasks for accountability and to conduct assessments. I thought this is great. When I was managing a risk and compliance consulting practice in Chicago in the 1990s this is the type of solution I envisioned and wished was available. I knew there was a market for this type of technology that took existing GRC related processes and made them efficient, effective, and agile. Throughout that day in Chicago, I noodled over it and ended up calling it GRC technology. From there I wrote the first two Forrester GRC Waves before I left Forrester in 2007 to go independent.
We talk about GRC technology it is essential to understand there is technology for GRC, but technology itself is not GRC. In fact, there is no technology solution on the planet that does all things GRC. From a strategy, process, and technology perspective there can be a core platform to document and report on objectives, performance, risks, controls, and such. But this often means that the core platform integrates with other specialized solutions as not one platform does everything related to GRC. It does not exist.
The history and evolution of GRC technology has evolved over the years since I first defined it in 2002. We are currently in GRC 4.0 – Agile GRC and watching as it transitions into GRC 5.0 – Cognitive GRC. This is not a linear timeline but an evolution as the capabilities of underlying technology for GRC evolves. So they do overlap and while we are not at GRC 5.0 today, we see the early adoption and interest in it as the technology evolves and provides itself and will become mainstream over the next two years. The stages of technology for GRC are:
- GRC 1.0 – SOX Captivity (2002 to 2007). When I first defined and modeled technology for GRC back in February 2002 at Forrester, I clearly defined it as a broad and integrated view of objectives and the risks, control, and policies that relate to those objectives. Unfortunately, Sarbanes Oxley hit in 2002 and the focus for the first several years of GRC was on SOX compliance and internal controls over financial reporting. It drove and advanced solutions in the market, but also kept them away from being the broader GRC solution that I originally envisioned.
- GRC 2.0 – Enterprise/Integrated GRC (2007 to 2012). Once organizations addressed SOX, it was time for technology for GRC to get back to what I had originally defined it for – an enterprise view of business objectives and the risks, controls, policies, and issues related to those objectives. The concept of the Enterprise Integrated GRC platform gained hold that multiple departments can work off a common information and technology architecture to manage risks, control, policies, compliance, audits, assessments, and incidents. But solutions had their strengths and weaknesses, and no one could do everything. My last Forrester Wave I wrote before leaving Forrester at the end of 2007 had four different Wave graphics to show the strengths and weaknesses of a solution coming from different points of view of risk, compliance, audit, and overall.
- GRC 3.0 – GRC Architecture (2012 to 2017). As the technology for GRC uses expanded in the organization, it became apparent that no one platform solved all the challenges related to GRC. It required integration as organizations looked to leverage best of breed risk, compliance, control solutions where they made sense but still integrate with an overall platform for risk aggregation, normalization, and reporting. There was often still a central hub for GRC management, but it no longer pretended to do everything and integration with other business systems as well as deeply focused GRC solutions was necessary. GRC also started to evolve where it was no longer just about the back office of GRC processes (what some would refer to as the second and third lines of defense), but it was also about the front lines of the organization (first line) that are making risk and compliance decisions that impact objectives every day.
- GRC 4.0 – Agile GRC (2017 to 2021). This is our current stage of GRC technology. The need for highly configurable technology that engages the entire organization on GRC from the front office to the back office. Agile technology that is configurable without advanced certifications and knowledge, what we call citizen development (though this can get out of hand and cause issues if not monitored and controlled). Where things did not break on upgrades because of heavily customized coding. The provision of GRC interfaces that are highly intuitive and engaging that were contextually relevant and easy to navigate for the role using them. Interfaces that are highly visual and interactive. Many legacy GRC solutions try to adapt to Agile by putting a fresh coat of paint on the user interface, but the underlying data and application architecture is still fifteen to twenty years old. There is a new breed of Agile software for GRC that takes this technology to the next level of value to the organization.
- GRC 5.0 – Cognitive GRC (2021+). We are already seeing this today, the role and impact of cognitive/artificial intelligence technologies on GRC. Things such as machine learning, natural language processing, and predictive analytics are starting to bear hold and take Agile GRC technologies to the next level. While these capabilities are making strides with some early adopters, it will be about 2021 when cognitive GRC technologies gain a greater hold in the market and have proven themselves with the early adopters.
When I look at the GRC market, I break it out into the following categories of solutions that I monitor and differentiate. Any solution in the market might just operate in one of these areas, or across several. But no one does it all. But there are a range of solutions that GRC 20/20 monitors, differentiates, and follows in our market research that span:
- Integrated GRC Platforms. Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture. These are the hubs that bring multiple areas below together into one overall view of integrated GRC reporting across the enterprise.
- Anti-Money Laundering/KYC, Fraud & Corruption. Capability to manage AML, KYC, bribery, corruption, and fraud in the organization.
- Audit Management & Analytics. Capability to manage audit planning, staff, documentation, execution/fieldwork findings, reporting, and analytics..
- Automated Continuous Control Management/Enforcement. Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.
- Business Continuity Management. Capability to manage, maintain, and test continuity and disaster plans, and implement these plans expected and unexpected disruptions to all areas of operation.
- Compliance & Ethics Management. Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report.
- Environmental Management. Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.
- Finance GRC Management. Capability to manage the financial risks, controls, and reporting of the organization.
- Health & Safety Management. Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.
- HR GRC Management. Capability to govern and manage risk and compliance in employee relationships, training, activities, and issues/incidents.
- Internal Control Management. Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization.
- IT GRC Management. Capability to govern IT in the context of business objectives and manage IT processes, technology, and information risk and compliance.
- Issue Reporting & Management. Capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.
- Legal Management. Capability to manage, monitor, and report on the organization’s legal operations, processes, matters, risks, and activities.
- Physical Security Management. Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.
- Policy & Training Management. Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures and related awareness activities.
- Quality Management. Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.
- Reputation & Responsibility Management. Capability to manage the sustainability, ESG, and corporate social responsibility program of the organization.
- Risk Management & Analytics. Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects.
- Strategy & Performance Management. Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.
Third Party GRC Management. Capability to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly risk and compliance challenges these relationships bring.
While these are categories/buckets of capabilities that GRC 20/20 maps solutions in the market into, the reality is that one solution can go across many of these areas, or be confined to just one area. But no one does everything that is why it is about GRC information and technology architecture.
GRC 20/20 is here to answer your questions on strategy, solutions, and technology for GRC. We are a research organization so it is our job to objectively understand and differentiate solutions in the market and the problems they solve. Feel free to ask
5