Growing Risk Exposure in Business Relationships

This is part 1 in GRC 20/20's series of posts on Conflict Mineral Compliance and broader 3rd Party GRC . . . 

No company is an island unto itself: organizations are a complex and diverse system of business relationships. Governance, risk management and compliance (GRC) challenges do not stop at traditional organizational boundaries. Organizations today struggle to identify, manage, and govern risk and compliance in extended business relationships as they stand in the shoes of their vendors, partners, suppliers, and other third parties. Business partner problems are the organization’s problems: they directly impact the organization’s brand and reputation and increase its exposure to compliance matters. When questions of business practice, ethics, safety, human rights, corruption and the environment arise, the organization is held accountable, and it must ensure that business partners behave appropriately.

Organizations need to understand business relationships in the context of the risk and compliance issues that impact operations and the brand. The challenge before organizations is: “Can you attest to the status of risk and compliance across the organization’s extended business relationships?” The head of procurement, for example, is often left considering supplier risk during on-boarding of a relationship but has inadequate resources and experience to monitor that risk effectively on an ongoing basis.

Managing risk across third party relationships is particularly cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, and more. Risk, regulatory, and business environments are in a constant state of change. The business needs to be consistent in its GRC processes across business relationships as well. Manual spreadsheet and document centric processes are prone to failure, as they bury procurement and other areas of third party business relationship management in mountains of data that is difficult to maintain, aggregate, and report on. This consumes valuable resources trying to figure things out instead of actively understanding and managing third party risk and compliance exposure.

Third party relationships — supply chain, value chain, vendors, service providers, outsourcers, agents, and contractors — cannot be left to themselves. Risk across these relationships must be monitored and managed. Business relationships must comply with regulatory requirements, corporate and regional cultures, codes of conduct, statements of social responsibility and sustainability, policies, risk limits, controls, and other business practices. Organizations need to actively demonstrate an in-compliance status throughout their extended business environment.

Managing 3rd party risk is a particular challenge in the context of conflict mineral compliance requirements across the organization’s supply chain. Organizations need an integrated approach to manage the entire supply chain exposure to conflict minerals. This requires a framework to manage supplier risk, conduct assessments, gather supporting information, report and analyze, resolve issues, and monitor a supply chain that is constantly changing.

In the next few weeks GRC 20/20 will post more articles in the Conflict Mineral series. . . 
Characteristics of GRC 3.0

In the previous post I reviewed the history of GRC. In this post we examine the characteristics of GRC 3.0. REMEMBER: every organization does GRC. You may not call it GRC, but your organization has some approach to governance, risk management, and compliance. The question is how mature the organization’s approach is. The definition of GRC is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”

The Core Characteristic of GRC 3.0 is Architecture

The core of GRC 3.0 is to approach GRC as architecture involving strategy, process, information, and technology working together across the business and its operations. GRC requires the integration of different types of applications and content across the business to achieve efficiency, effectiveness, and agility in a dynamic and distributed business environment. This requires that we understand the business and how it operates – and that we understand that mature GRC is about integration, not necessarily one platform that tries to be all things.

There are different architecture approaches to GRC – decentralized, where everyone does their own thing; centralized, where everyone has to use one common GRC platform; or federated. GRC 3.0 is focused on a federated GRC approach.

A federated GRC architecture allows best of breed solutions to exist where they make sense but has a centralized capability to integrate and manage GRC information. Instead of “one platform to replace them all” (centralized architecture model) we have “one platform to integrate them all” (GRC 3.0 federated architecture model).

The truth is – organizations often have multiple GRC solutions in house. Different departments have invested in best of breed solutions that make sense where they are. Gutting and replacing solutions often means the department loses functionality and we manage GRC to the lowest common denominator. No GRC solution does everything GRC. GRC involves a range of different roles, processes, technologies, and content. One platform simply does not do everything – or at least it cannot do everything well.

A federated GRC model allows for consolidation where it makes sense, but also allows for best of breed where it makes sense. GRC 3.0 is about building a federated GRC architecture that centralizes oversight, reporting, accountability, and analytics yet allows for integration with other GRC technologies that do specific things very well. The goal is to let GRC work with and throughout the business and not force parts of the business into a mold that does not fit. It allows for diversity while still providing integration and consistency centrally. It allows an organization to have an ecosystem of process, technology, and content that works together to provide the best alignment and value to the business.

Other characteristics of GRC 3.0 include:

  • Operationalizing GRC. Operationalizing GRC is extending GRC into business applications and processes. It is about enabling GRC across business systems and processes. It is bringing GRC to the business intelligence, performance, and ERP environment to improve real-time insight into business decisions, operational intelligence, and monitoring.
  • Integration of content. The integration of content and technology is core to GRC 3.0. GRC strategies are looking to integrate GRC process and technology with content from content providers to rapidly assess changing regulations, risks, industry and geopolitical events, and how they impact strategy, performance, controls, policy and the integrity of the organization.
  • 360º GRC contextual and situational awareness. Through GRC architecture and extension into business operations the GRC environment gains a complete view of what is happening – situational awareness. Risk and compliance are monitored and understood in the course of business operations and transactions.
  • Bringing GRC to the ‘coal-face’. Organizations are recognizing that effective GRC includes those on the front lines of the business – the “coal-face.” GRC 3.0 is about delivering a better end-user experience: getting employees involved by providing elegant interfaces that are intuitive and social. The goal here is to engage employees and provide them with an interface that allows them to participate in GRC without feeling intimidated and lost.
  • GRC gamification. GRC 3.0 is focused on GRC gamification, engaging employees – that coal-face – with games and interactive content. This means implementing training and awareness programs that enable employees to earn points or badges – perhaps redeemable for certain things – and recognizing people when they make good risk decisions or alert the organization to a problem.
  • Mobility. There’s an app for GRC! GRC is embracing mobile technology on tablets and other devices. Issue reporting is readily done through mobile devices. Tablets can be used to deliver policies, training, and other interactive content to employees, particularly those without desktop workstation access, or as a mobile kiosk for a group of employees. Mobile devices can be used in conducting investigations, audits and compliance assessments. The ability to record pictures and video right into compliance applications will make these processes more efficient and effective.

What are your thoughts on GRC 3.0 and its characteristics?

GRC 3.0 – A History of GRC

GRC is “a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.” The reliable achievement of objectives is the governance piece, addressing uncertainty is about risk management, and acting with integrity is the compliance angle. All three of these provide a natural flow. Governance provides direction and objectives, giving the context for risk management. Risk management in turn aims to comprehend uncertainty and set boundaries, which then relies on compliance to ensure that we stay within those boundaries.

Organizations have been doing GRC since the dawn of business. We did not need a three-letter acronym to all of a sudden do GRC. Every organization has some approach to the aspects of governance, risk management, and compliance: from the ad hoc and disorganized to the mature and aligned. GRC is part of business whether you call it GRC, something else like ERM, or you have no name for it at all. The question to consider is how mature your organization’s GRC practices are.

GRC is more than technology. You cannot go out and buy “GRC” – sure, you can buy GRC technologies that enable, improve, and mature GRC related processes. GRC, properly understood, is something the organization does, not something it buys. The right solutions, and in this context GRC solutions, can enable and mature your organization’s GRC processes. But technology by itself does not give you GRC.

That being said – we do have a GRC market for technology, professional services, and content. I know – I was the first to define, model, and label it GRC back in February 2002 while at Forrester Research. I have been working on refining and modeling the market in the eleven years since. As with any market, it evolves, shifts and matures. The GRC market certainly has shifted and changed. This is what I refer to as: GRC 3.0 – Rethinking GRC.

Let’s explore the stages of the GRC market since its first definition and inception in February 2002 to the present day. It all started . . .

  • GRC 0.9, before 2002: Yes, we had GRC before we had GRC. GRC is part of business and we have always used technology to manage it. At one point pen and paper were high-tech. Organizations have been doing GRC and using tools to manage it for as long as we have had business. Similar to other technologies like Client Relationship Management – we did not need CRM systems to all of a sudden begin managing client relationships. CRM came into the world to improve and mature how we manage client relationships.
  • GRC 1.0, 2002 to 2007: On a cold snowy day in February 2002, in the offices of Giga Information Group in Chicago, soon to be acquired by Forrester Research, I sat through two vendor briefings that struck me with a revelation. The first was a technology vendor briefing demonstrating their solution to manage and integrate policies, controls, and risks. This really struck me. It was something I had envisioned in the 1990’s as a consultant, but I was not a software developer so I never took action on it. It was simply brilliant. What do we call it? A few hours later I had another briefing with PwC reviewing their services. My ADD mind was bouncing around back to this previous briefing while coming back to the PwC briefing – sort of a mental Ping-Pong. The PwC briefing had some terms that seemed to drift toward me from the slides. On different slides my mind locked onto the terms Governance, Risk Management, and Compliance. There it was – a name for this new market – GRC. Providence would have it that the timing for this market was spot on as Enron and Worldcom hit us hard and we had resulting legislation such as SOX. GRC 1.0 was largely focused on addressing the challenge of internal controls over financial reporting, SOX compliance, as well as related IT controls.
  • GRC 2.0, 2007 to 2012: Over five years the GRC market grew and expanded. It was growing in dimensions. My second Forrester GRC Wave, published in December 2007 right as I left Forrester to become a boutique analyst/researcher, understood this. It had four separate Wave graphics representing the solutions in different ways, as different parts of the organization have different needs as well as some core common needs for GRC. During the period of 2007 to 2012 we saw GRC expand and take on areas of audit management, enterprise and operational risk management, a broader understanding of compliance beyond financial controls, and more. I began referring to the market as the GRC EcoSystem as it had many components. I worked with OCEG on defining the GRC Solutions Guide 2.0 and 2.1, which defines 28 categories of GRC technology. GRC during this period was very focused on the back-office functions of GRC. There are hundreds of vendors/solutions in its various sectors/categories. At the same time the major analyst firms continued to focus on GRC in their static, two-dimensional vendor comparisons limited to about fifteen vendors – completely misrepresenting the market and leaving many worthy companies out. As more solutions focused on this area, the bar got raised by the analyst firms. To be recognized you have to have so much revenue, offices in multiple countries, and more. They expanded what they evaluated slowly but did not give more time to analyze. In one major firm you now have a multi-billion market based on analyst research that allows a ninety minute demo covering nine very complex areas of GRC – and organizations are basing significant investment decisions on this report. The GRC market has expanded but the major analyst firms have not kept up.
  • GRC 3.0, 2013 into the future: We now enter the era of GRC 3.0 – what I label Rethinking GRC. Later this month I will be releasing the new GRC market model. This is a representation of the market that understands the building blocks of GRC – functional areas of GRC solutions/technology – how these come together into platforms that serve the needs of various GRC related departments in the organization (e.g., risk management, compliance, legal, finance, audit, security, health and safety, and more), and how they can come together into an enterprise GRC initiative. There are industry specific views into the model, as well as issue specific views (e.g., anti-bribery/corruption, AML, conflict minerals, privacy, and more). GRC 3.0 is also about significant changes to the use of GRC solutions within organizations. One is GRC architecture – it is not about one GRC solution to replace them all. That can be a strategy, but organizations have different solutions serving different needs, and the question is how we get them to work together. It is about operationalizing GRC – bringing GRC further into the business fabric/operations. It is about bringing GRC to the ‘coal-face’, where we focus on engaging employees in GRC and providing solutions that are simple, mobile, and easy to use for GRC happening at the front-lines/office of the business.

GRC is more than technology – but it is technology that matures GRC practices and processes to be more efficient, effective, and agile in a dynamic and distributed business environment. The GRC market is a macro-market and not a micro-market. It is a market with many sectors that serve components of GRC scattered throughout the organization. Some of these functions come together to serve an enterprise approach to GRC to drive consistency where there are similar needs across GRC areas of the business.

As I wrap up my market definitions and models for GRC 3.0, I would love to hear your opinions, experiences, and thoughts. Please feel free to comment below.