Is Anyone Solely Responsible for GRC?
The more I learn about GRC (Governance, Risk, and Compliance), the more I question whether “GRC”-focused messaging resonates with anyone. Being in marketing, and representing products that play in this “market,” I’m continuously trying to tune my message and point it at the right person. But as governance, risk and compliance gets more traction as a category, I’m not sure anyone is out there thinking: “Hey, that’s what I do!”
With so many categories of responsibility (legal compliance, IT compliance, financial compliance, etc.), and so many layers of applicability (IT layer, business operations layer, corporate compliance layer, etc.), it’s difficult to categorize whether technologies (read: products) are addressing governance, risk, or compliance.
… or security… or regulations… or standards… or frameworks.
But perhaps more importantly, who cares? Do businesses want to feel like they’ve addressed GRC? Or do they simply want to comply with what they have to, and if they do it right, simultaneously achieve some operational efficiencies that will improve their ability to compete? I’m tempted to think the latter.
I’ve seen various analysts try to break down every GRC category for every part of a business and wind up with very complex (and differing) flow charts that make the concept of GRC look so daunting that it would make a business owner reminisce about the good old days before GRC mattered, and smoking was still cool.
As you look at one of these GRC breakdowns, GRC looks complex, expensive, and intimidating.
Where do you start? Who will manage it? Where will you find the resources given your shrinking budgets?
But perhaps these complex breakdowns are really only useful for the solution providers to understand how their products stack up against those of their competitors. So the question I ask is:
Is GRC a category that helps the vendors to understand their own offerings, but at the same time, confuses and intimidates their potential customers that have immediate problems to solve?
I’d like to know what you think…
Jeff Abbott
I think you raise a great point. GRC is a marketing term, rightly or wrongly, and I am pretty sure that executives don’t see the world this way. With more than 800 software providers saying that they have GRC solutions (according to OCEG), I suspect it would be a better service to the market if the software and services ecosystem focussed on the issues rather than the labels . . .
Jeff - GRC represents a strong business-specific definition of what IT should be doing, and many are to some degree, but the customers we talk to actually run the operation and need to know what it does and why they should consider our solution. In a word, it’s about Control.
Ed
Love it, the good old days before GRC mattered and smoking was still cool. That does about sum it up - we know that exercise and eating right is good for us, but we still would rather sit on the couch with a smoke, a beer and a bag of chips (a really big bag from Costco) just hoping that if we think about meeting the mate of our dreams, earning a million bucks a year, and having a long healthy life it will magically happen. Funny, maybe that’s how our corporate world got us into the mess we are in today.
Yes, GRC as a concept is complex, but paradoxically, it is also amazingly simple - organizations will have longer, healthier lives with leaner operations that help to achieve their objectives, while avoiding the inevitable obstacles and still staying within those regulatory (and voluntary) boundaries, if they apply GRC principles to the way they do business. This does not mean simply using IT, no matter how good a product may be - it also means having the processes and organizational structures that enable the movement of accurate information throughout all parts of the organization that GRC involves from top to bottom and side to side.
Organizations worldwide are beginning to appreciate that GRC as a business methodology helps them to prevent, detect and correct issues that arise faster, better and cheaper. The OCEG GRC Capability Model (OCEG’s Red Book 2.0, http://www.oceg.org/Details/RB2) helps them to do this and also identifies key technology types (by functionality, not product) that support each step of the process.
Yes, hundreds of vendors claim to have “GRC” products, but most of them address only certain aspects - policy management, risk analytics, access controls, learning mgmt systems, etc. and each defines them differently.
This is why OCEG has recently published the GRC-IT Blueprint which categorizes and defines 72 technology “modules” or areas of functionality that support the various elements of the GRC Capability Model. We hope it will help clear up the confusion and let customers figure out what they really need. Download the Blueprint at http://www.oceg.org/Details/GRCTechnologyBlueprint
So perhaps another question then is whether the best approach to GRC is top down or bottom up?
Ideally, it would be great if every company that recognized a need for management of governance, risk, and/or compliance had the time and resources to engage top level enterprise GRC consultants and adopt a GRC technology platform that would unify all the supporting control and measurement tools at the bottom.
But I suspect that most companies feel that they have open wounds that need to be patched in the short term before, or at least while, they consider a more holistic approach.
It seems that both need to happen. Businesses need to choose the point tools now that will both stop the bleeding (from security vulnerabilities, failed audits, penalties, inefficiencies, lack of measurability, etc.). The key is that they must choose wisely, and adopt tools that support/integrate with more enterprise-wide GRC systems, where collected data can be used to inform decisions about how best to manage the business from the top down.