Respondents’ market representativeness is strong: for example, geographical coverage does not neglect any region, and “81.5% have accountability for GRC initiatives at their organizations,” the report says.
GRC is a process!
First, and most importantly, GRC is acknowledged as a process and managed as such. It is not a one-off activity performed under pressure, threat or time constraint. GRC is an ongoing, never-ending process comparable to continuous improvement.
“You can’t look at risk once a year”, states Frank Santora, First Vice-President, Operation Risk Management Group at Hudson City Savings Bank. “Not since ERP applications became popular has there been an application that so intensely requires equal attention paid to people, process and technology,” the report mentions. This means that the corresponding support activities tend to be integrated with one another, which is particularly true for internal control.
GRC support functions are no longer isolated from operational activities but tightly interwoven with them. This can be regarded as a sign of maturity: it is much more productive to optimize a set of activities (operational and control, in this case) together than to optimize them separately. A systemic approach can thus extract more value from activities that are mandatory anyway.
eGRC and IT GRC are converging
That’s actually not really new. I mean, signs that eGRC and IT GRC are converging have often been discussed by various analyst firms over the past 2-3 years. The intent is therefore not new; what is new is that it is becoming a reality that goes beyond theory, wishful thinking and vendors’ roadmaps. Today, the driving factor is the growing number of regulations regarding personal data access and management.
Personal data is obviously subject to great care, both from a legal and organizational point of view and from an IT point of view: its usage, for example, needs to be tracked, explained and reported to regulators. Workflows and information circuits need to be clearly defined.
And new regulations raising the bar appear here and there “as we speak” (and as you read, dear reader). In France, for example, the “CNIL” – National Commission for Information and Liberty – has created a “label” that certifies personal data is managed according to certain ethics rules. European regulatory bodies intend to build upon this label to create a formal regulation (not just a label) covering personal data management and protection. This set of requirements unavoidably leads to automation using IT. New tools appear, and even a new market, known as “Data Governance”, in which technology vendors provide data governance-driven capabilities.
In addition, while IT GRC vendors and enterprise GRC vendors were clearly distinct yesterday, today they tend to provide similar capabilities for both domains.
Integrated GRC boosts corporate performance
Finally – and it’s a very interesting viewpoint – Hypatia’s report also reminds us what has not changed in GRC: “executives need a holistic view in order to accurately discern patterns, trends and activities.”
This means that all GRC-related support functions need to share the same version of the truth, even though each may have its own point of view, data, expectations and objectives. The fragmented, silo-driven perception users have of GRC functions does not fully optimize resource usage and allocation, be it human, budgetary or IT. Unifying support functions such as audit, compliance and policy management, enterprise risk management, IT risk management… is still a challenge, in that it requires a good understanding of how they are articulated, organized and interwoven. In one word, architected.
“Hypatia Research believes that the GRC software segment has a great potential to […] support corporate performance management goals”. This, based on MEGA’s experience, is only possible if holistic approaches are taken to optimize globally, not locally. If not, the G of governance becomes – or remains – the main hurdle to business agility.