Any medium-to-large enterprise that faces government or industry regulations can probably benefit from GRC software solutions, if not a totally revamped strategy.
The days of using spreadsheets or Microsoft SharePoint and a variety of manual checklists and documentation that's locked up in the bowels of audit departments are far from over, but savvy organizations are definitely looking to save money, cut time, and find answers.
Through it all, one thing is consistent: Regulation.
"We always know there will be more regulations," said Tom Eid, vice president of research for Gartner. "For instance, we may see more regulations because of what is happening with Toyota, which may affect other manufacturing organizations across the globe. It's hard to be proactive because you don't know what the regulations will be."
GRC defined, sort of
As an umbrella term, governance, risk and compliance (GRC) is about as difficult to nail down as the interconnected compliance, security, governance, and risk management challenges it sets out to describe. While GRC might be misused and abused as a term, a loose definition is ultimately more workable than isolating each element because, really, it's the interconnectedness of the people, processes, data and technology that describes today's GRC.
What's your GRC strategy?
"We all think that everybody has a strategy in place, but strategy, actually, is just emerging," said Gary Dickhart, vice president of SAP's GRC customer advisory office.
While yesterday's GRC efforts were largely reactive, today's most successful GRC strategies are moving from industry point solutions that meet specific regulations to broader efforts that cross corporate silos. The main drivers tend to start with cost reduction but quickly move into opportunity.
When the auditors went in with Sarbanes-Oxley, they gave people tools, and a lot of those tools have aged to the point where they're worn out and unsustainable, Dickhart said.
"Businesses are saying, 'Where can we cut? We're spending a lot more here, and I know we're compliant, but I also want to know about our own risk -- I want to know about our strategic risk,'" he said. "'I want more information, not just whether we're compliant with external regulations.' So the need for this overall risk profile as well as being able to manage it effectively and efficiently, that's what's driving GRC efforts."
1. Cost reduction and efficiency
"If you consider SAP's Access Control -- or the new data-heavy GRC products -- a lot of what they do is increase efficiency, so that's the first area to look at -- cost reduction and efficiency," McClean said.
If you have all of your controls in one place and documented in the same way, that's going to save a lot of time on both the internal and external audit process, he said. Data gathering, for instance, is a huge area of wasted effort.
"If you have 10 people gathering data for a month, if you buy a solution, you might be able to cut that in half. And the same goes for conducting risk assessments," McClean said. "GRC software can definitely help with efficiency."
2. Risk mitigation
Risk, of course, can emerge from the cost of non-compliance with a regulation, but it can also arise from the failure of a business initiative. Consolidated processes can help identify not just areas of exposure but also areas of opportunity, he said, because information is collected in one place rather than scattered and lost across departmental silos.
3. Business decision support
When a company is choosing between India and China for outsourcing, or weighing several potential partners, product lines, or acquisitions, a solid base of risk and compliance content can help it make those decisions better, McClean said.
"It's a hard area of value to meet," he said, "and it usually takes a long time before GRC programs are at that level."
At first glance, GRC optimization is a daunting task -- monumental, even -- but SAP customers, it turns out, have increasingly good options that are helping them gain value across multiple areas of their enterprises.
Historically, in the areas of segregation of duties and super-user/developer access, Pearson North America used a combination of manual processes and consulting services to achieve compliance results. However, they quickly recognized the value of implementing an automated solution that would ensure a more consistent, cohesive and stable global business environment, according to Frank Di Pentima, vice president of financial compliance/systems integration for Pearson North America.
"Additionally, we wanted to build on the company's strong risk awareness culture and enhance our ability to continuously monitor and assess sensitive access for Functional and Basis environments by creating an automated/preventative control environment without impacting system performance," Di Pentima said.
"By implementing SAP's BusinessObjects Access Control solution, Pearson North America gained a variety of benefits. Through the use of preventative and detective controls implemented with our GRC solution, they were able to automate processes and controls further by eliminating potential audit risks associated with complex user access requirements within our ERP environments," he said. "Additionally, they were able to create a seamless process that allowed for Super-user/Development access to be granted and monitored, further reducing risk associated with sensitive access."
"We achieved this without affecting system performance and helped drive down the cost of compliance," Di Pentima said.
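The two controls Pearson describes above, a detective check that reports users whose combined access violates a segregation-of-duties (SoD) rule and a preventative check that refuses a role request before it creates such a conflict, come down to the same evaluation: resolve a user's roles to their effective permissions, then test that set against a conflict matrix. The following is an added example of that evaluation; it is not Pearson's or SAP's code and is not taken from the article. The role catalogue, the permission names, the SoD rules, the set of "sensitive" super-user permissions and the user assignments are all constructed for illustration, and composite roles (roles that include other roles) are assumed in order to show why the resolution must be transitive.

```python
"""Segregation-of-duties (SoD) checks over ERP role assignments.

Added example; not code from Pearson, SAP Access Control or the original
article. Role names, permissions, users and conflict rules are constructed.
"""
from collections import deque

# Constructed role catalogue. A role grants permissions directly and may
# include other roles (composite roles), so a user's effective permissions
# must be resolved transitively rather than read off the assigned role alone.
ROLES = {
    "AP_CLERK":          {"perms": {"invoice.enter"},                       "includes": set()},
    "VENDOR_MAINT":      {"perms": {"vendor.create", "vendor.change_bank"}, "includes": set()},
    "AP_APPROVER":       {"perms": {"payment.approve"},                     "includes": set()},
    "FINANCE_ALL":       {"perms": set(),                                   "includes": {"VENDOR_MAINT", "AP_APPROVER"}},
    "BASIS_FIREFIGHTER": {"perms": {"sys.debug", "sys.table_edit"},         "includes": set()},
}

# Constructed SoD rule set: holding both permissions at once is a conflict.
SOD_RULES = [
    ("create vendor + approve payment",      "vendor.create",      "payment.approve"),
    ("change vendor bank + approve payment", "vendor.change_bank", "payment.approve"),
    ("enter invoice + approve payment",      "invoice.enter",      "payment.approve"),
]

# Constructed super-user/developer permissions: permitted, but to be monitored.
SENSITIVE_PERMS = {"sys.debug", "sys.table_edit"}


def effective_permissions(role_names, roles=ROLES):
    """Resolve roles, including nested composite roles, to a flat permission set."""
    perms, seen, queue = set(), set(), deque(role_names)
    while queue:
        name = queue.popleft()
        if name in seen:
            continue                      # also guards against cyclic composites
        seen.add(name)
        if name not in roles:
            raise ValueError(f"unknown role: {name}")
        perms |= roles[name]["perms"]
        queue.extend(roles[name]["includes"])
    return perms


def find_conflicts(perms, rules=SOD_RULES):
    """Return the names of every SoD rule violated by one permission set."""
    return [name for name, a, b in rules if a in perms and b in perms]


def audit_assignments(assignments):
    """Detective control: report users whose current access violates a rule."""
    report = {}
    for user, role_names in assignments.items():
        conflicts = find_conflicts(effective_permissions(role_names))
        if conflicts:
            report[user] = conflicts
    return report


def request_role(user, role, assignments):
    """Preventative control: grant a role only if the user's resulting
    effective access is conflict-free. Returns (granted, conflicts)."""
    proposed = set(assignments.get(user, set())) | {role}
    conflicts = find_conflicts(effective_permissions(proposed))
    if conflicts:
        return False, conflicts           # assignments are left untouched
    assignments[user] = proposed
    return True, []


def sensitive_users(assignments):
    """List users holding super-user/developer permissions, for monitoring."""
    return sorted(
        user for user, role_names in assignments.items()
        if effective_permissions(role_names) & SENSITIVE_PERMS
    )


# Constructed sample assignments.
USERS = {
    "alice": {"AP_CLERK"},
    "bob":   {"VENDOR_MAINT", "AP_APPROVER"},   # direct conflict
    "carol": {"FINANCE_ALL"},                   # conflict hidden in a composite role
    "dave":  {"BASIS_FIREFIGHTER"},             # sensitive access, no SoD conflict
}

if __name__ == "__main__":
    trial = {u: set(r) for u, r in USERS.items()}
    print("SoD violations:", audit_assignments(trial))
    print("Sensitive access:", sensitive_users(trial))
    print("alice + AP_APPROVER:", request_role("alice", "AP_APPROVER", trial))
    print("alice + VENDOR_MAINT:", request_role("alice", "VENDOR_MAINT", trial))
```

The point of the composite-role case (carol) is that a review of assigned role names alone would pass her, since "FINANCE_ALL" appears in no rule; only the resolved permission set exposes the conflict. The preventative path checks the proposed assignment before writing it, so a rejected request never reaches the system and the access-approval workflow sees the specific rule that would be violated. Sensitive permissions are deliberately not treated as SoD conflicts: firefighter-style access is granted, but the holders are surfaced for log review.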
Who needs to be involved?
At the SAP Customer Advisory Office, Dickhart's GRC teams recommend that enterprises get their business departments, IT department and audit departments all involved as an organization looks to consolidate, streamline and build upon its aging GRC processes.
"A lot of companies still have their audit department driving GRC strategies," Dickhart said, "but until GRC is recognized and adopted by the business people as part of their everyday livelihood, it's not going to be part of the business -- it'll always be an adjunct process. So getting that alignment between the three areas is something we emphasize."
Getting different stakeholders involved in an SAP GRC revitalization project is a start toward embedding GRC into the fabric of the enterprise, but what's next?
Before engaging a vendor for GRC software solutions -- even SAP -- companies need to gather their stakeholder departments and isolate what it is they want to improve. Are you trying to get ROI by reducing audit costs? Are you trying to improve your understanding of your risk exposure? Do you need a better compliance management process or reporting process?
"Figure out those objectives first," McClean said, noting that GRC software has matured to the point where most of what organizations need right now is available. "If you start by talking with the vendors, you'll more likely come up with a whole list of requirements or capabilities that may fit in but may not be what you needed in the first place. Definitely get your list of requirements really strong before you start talking to vendors."