The simple answer: everywhere. In the 21st century, governance, risk, and compliance (GRC) has created a drumbeat of urgency and uproar for companies of any size. Put more simply, you can break the whole concept of GRC down to a handful of questions:
- What did you do?
- When did you do it?
- Did you do it properly?
- Can you prove it?
But something so fundamentally simple doesn’t account for the increasing Sturm und Drang regarding GRC since the turn of the 21st century. There are other reasons that account for the attention paid to GRC, such as these increasingly important aspects of business and technology:
Globalization. Ironically, globalization has complicated business by expanding choices for where and with whom you do business. That, along with the Internet, has also expanded the number of potential competitors a company has in any new business venture. Calculating the odds for success (or failure, that is, risk) brings more variables than ever before.
Scrutiny. From Enron and Worldcom to the mortgage meltdown, government entities are paying infinitely more attention to the way companies conduct business. The bigger a company gets, the more impact it has on both its market and the economy, and both the public and private sector are struggling with how to govern this. The result: new laws, new policies, new audit requirements.
Capability. Talk about the law of unintended consequences—when companies started eliminating paper-based processes, they replaced them with systems that could automatically answer the first two questions above. It’s (purportedly) easier to electronically monitor corporate activities, so those who have oversight – whether internal superiors or external regulators – are asking to see the digital equivalent of the paper trail. The result is an ever-increasing need for monitoring, tracking, analyzing, and auditing business processes. That’s where GRC comes in.
Clarifying GRC Definitions
For clarity’s sake, let’s define the points along the continuum in the context of how companies do business.
Governance. Corporate governance outlines the basic structure of the organization: who’s in charge, who’s responsible, who’s accountable, and what are their responsibilities? It also encompasses policies and procedures to ensure business processes are handled correctly. For instance, a company may have a policy stating that checks in excess of $20,000 must be signed by two executives, one of whom has a specific rank such as controller. This is to ensure that no one person can commit too much of a company’s financial resources. There may be a policy that no customer can submit an order if its account is 90 days past due.
But governance spans far beyond financial and accounting procedures. All contracts outline policies and procedures for each of the parties, whether it’s a distribution agreement or a service-level agreement. Governance oversees whether the commitments in those contracts have been fulfilled.
Applied to information technology, it outlines the basic structure governing the organization’s data: who can access it, how it’s protected, and how it’s secured. For instance, an employee’s salary may only be visible to themselves, their supervisor, and a member of the human resources department. It’s up to IT to make sure such private data is not inadvertently accessed. That’s the strict definition of IT governance.
What makes the concepts of corporate governance and IT governance confusing is that increasingly, companies are using electronic forms, workflow routing, and other capabilities to capture information relating to governance. It has become IT’s responsibility, as the master of all things digital, to oversee the systems that collect and analyze the information. It’s still corporate governance, even though IT is handling it. As we’ll show, Hypatia believes these two processes are so close that it’s logical and prudent to combine them.
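The point above, that a corporate policy becomes an IT control once a system enforces it and records the evidence, can be made concrete. The following is an added example, not code from the Hypatia study: it encodes the two governance rules quoted earlier (checks over $20,000 need two distinct signers, one of them a controller; an account 90 days past due may not place orders) and keeps an append-only audit log whose fields answer the four GRC questions (what was done, when, under which rule, and where the proof is). The names, amounts and dates are constructed sample data, and the threshold semantics (two signatures strictly above $20,000, a hold at exactly 90 days) are this example's assumptions.

```python
"""Governance controls enforced in software, with an evidence trail.

Added example (not from the Hypatia study). The two controls come from
the text above: checks over $20,000 need two signatures, one from a
controller; accounts 90 days past due may not place orders. The audit
log answers the four GRC questions: what, when, properly, provable.
Names, dates and amounts below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timezone

DUAL_SIGNATURE_THRESHOLD = 20_000   # checks above this amount need two signers
REQUIRED_RANK = "controller"        # at least one signer must hold this rank
PAST_DUE_LIMIT_DAYS = 90            # accounts this far past due cannot order


@dataclass(frozen=True)
class Signer:
    name: str
    rank: str


@dataclass
class AuditLog:
    """Append-only record of every control decision: the evidence trail."""
    entries: list = field(default_factory=list)

    def record(self, actor, action, rule, allowed, reason, when=None):
        self.entries.append({
            "who": actor,                                   # What did you do? (by whom)
            "what": action,
            "when": (when or datetime.now(timezone.utc)).isoformat(),  # When did you do it?
            "rule": rule,                                   # Did you do it properly?
            "allowed": allowed,
            "reason": reason,
        })

    def evidence(self, rule):
        """Can you prove it? Return every decision made under one rule."""
        return [e for e in self.entries if e["rule"] == rule]


def authorize_check(amount, signers, log, when=None):
    """Dual-control rule for outgoing checks; returns True if the check may be cut."""
    distinct = {s.name for s in signers}     # the same person signing twice counts once
    if not distinct:
        allowed, reason = False, "no signer"
    elif amount <= DUAL_SIGNATURE_THRESHOLD:
        allowed, reason = True, "at or below threshold, one signature suffices"
    elif len(distinct) < 2:
        allowed, reason = False, "two distinct signers required above threshold"
    elif not any(s.rank == REQUIRED_RANK for s in signers):
        allowed, reason = False, f"one signer must hold rank {REQUIRED_RANK}"
    else:
        allowed, reason = True, "dual control satisfied"
    log.record(sorted(distinct), f"sign check for ${amount:,}", "dual-signature",
               allowed, reason, when)
    return allowed


def authorize_order(customer, account_due, order_date, log, when=None):
    """Credit-hold rule; returns True if the customer may place the order."""
    days_past_due = (order_date - account_due).days
    allowed = days_past_due < PAST_DUE_LIMIT_DAYS
    reason = f"account {days_past_due} days past due (limit {PAST_DUE_LIMIT_DAYS})"
    log.record(customer, "submit order", "credit-hold", allowed, reason, when)
    return allowed


def demo():
    """Run both controls on constructed input and return the evidence trail."""
    log = AuditLog()
    stamp = datetime(2014, 4, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    authorize_check(5_000, [Signer("ana", "manager")], log, stamp)
    # Same executive signing twice is not dual control and is refused.
    authorize_check(25_000, [Signer("ana", "manager"), Signer("ana", "manager")], log, stamp)
    authorize_check(25_000, [Signer("ana", "manager"), Signer("cy", "controller")], log, stamp)
    # 1 Jan to 1 Apr 2014 is exactly 90 days, so the order is held.
    authorize_order("acme", date(2014, 1, 1), date(2014, 4, 1), log, stamp)
    return log


if __name__ == "__main__":
    for entry in demo().entries:
        print(entry)
```

The design choice worth noting is that refusals are logged as carefully as approvals: an auditor asking "can you prove it?" needs to see that the control fired, not only that the good cases went through, and `evidence()` lets the same trail be filtered per rule for an external reviewer.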
Risk. Since long before technology was so completely entrenched in corporations, executives have been concerned about risk management. Deloitte Consulting defines six different kinds of business risk (see table 1: Categories of Business Risk) and they frequently involve the kind of heads-down qualitative analysis that only people can do. For instance, where might weak points exist in your supply chain? What’s your contingency plan if a shipment of components arrives from Asia with quality issues?
As noted in the definitions, many of these have a technological component: a process that compiles the information for assessment and subsequent analysis by a tool such as business intelligence software. In this scenario, technology is responsible for the quantitative aspects so that others can discern the qualitative aspects. For instance, analytics may reveal that a company has only a 60 percent chance of making an international investment profitable; only a person can determine whether that probability is high enough to warrant the commitment.
Table 1: Categories of Business Risk
Strategic risk: The risk that the organization is unable to implement appropriate business plans, strategies, decision-making or resource allocation, or to adapt to changes in its business environment.
Competitive risk: The ability to build or maintain sustainable competitive advantage in a given market or markets.
Financial risk: The risk associated with managing the organization’s assets and liabilities, both on- and off-balance sheet.
Legal & regulatory risk: The risk that business activities are impeded through non-compliance with, or changes in, the domestic or international regulatory or legal environment.
Operational risk: The risk resulting from management and operational processes, technology, human performance, or external events.
Reputation risk: The risk associated with the impact an activity may have on the organization’s image in the community, public confidence or its brand.
How Hypatia Defines Enterprise GRC Solutions
Hypatia Research defines converged GRC solutions as a continuum of people, process, and technology. The spectrum extends from IT GRC solutions on one side to enterprise GRC (eGRC) solutions on the other. At the extreme end of the IT side of the spectrum lie highly automated digital controls for managing data access. At the extreme end of the enterprise side of the spectrum lies the element of business risk, which combines human elements such as instinct and experience with metrics for decision-making. In between, the solutions overlap, incorporating capabilities such as assessment; auditing; compliance with industry, partner, and government regulations, as well as internal policies; and workflow, all of which combine elements of human and digital analysis.
Figure: Hypatia’s Five Enterprise GRC Maturity Levels
Governance, risk, and compliance follow the traditional structure of contemporary business in that they have elements of people, process, and technology; there is a continuum that combines all elements of Governance Risk and Compliance. At one end, people analyze risk and develop governance structures based on their skill and experience and that of their employees (example: you may have a database that tells you what percentage of your bank’s loans were given without down payments, but a human would have to determine whether that was too high a risk or not).
At the other end of the spectrum, technology oversees compliance and governance through means of access, data protection, and security. Along the continuum, processes driven by technological alerts and reporting ensure that supervisors are aware when employees are abiding by rules and regulations. Those supervisors can act on anomalies based on either their own knowledge or an indication from the system that compliance is in jeopardy. For more information on vendor evaluations, best practices, maturity models, and derivative reports by country, size, industry or function, or for vendor selection advisory, please contact research@HypatiaResearch.com.
Excerpted from our comprehensive 58 page primary research study: “The Convergence of Enterprise GRC: Benchmarks & Vendor Galaxy Rankings” ©2014 Hypatia Research Group, LLC. All rights reserved. No part of this research study may be repurposed, distributed, translated or published in any format without the express written consent of the Hypatia Research Group, LLC and its management.