Enterprise Convergence of Governance, Risk & Compliance: Why Management Consulting Firms Should Provide a Holistic Approach

The market for governance risk and compliance (GRC) software is a maelstrom, the kind of maelstrom that engenders confusion among those accountable within organizations. Some vendors offer GRC for the enterprise, known as eGRC, focusing on operational risk management. Others offer what’s known as IT-GRC, focusing on monitoring access and communications for compliance. The fact that both branches of GRC use technology to automate highly complex processes is confusing. The fact that many vendors offer capabilities that overlap into both areas is confusing. The fact that many vendors offer limited pieces of the GRC puzzle is confusing. Which is why Hypatia believes that management consulting firms are uniquely positioned to provide a comprehensive approach.

Organizations most often function in departmental silos. Moreover, in the case of GRC, with its complexity covers so many areas, many of which overlap, companies’ efforts to manage risk and comply with multiple regulations are often hampered. Governance covers not only how data is accessed, protected, and secured, but also involves adherence to everything from partnership contracts and service-level agreements , and internal policies. Risk covers investment in new products, geographic expansion, and exposure to lawsuits and reputation damage. Compliance covers not only industry-specific governmental regulations, such as those for the finance, healthcare or energy industries, but also other government regulations such as maintaining privacy of customer data; add to this compliance to industry regulations for the manufacturing and pharmaceutical industries.

Converging Trends Add Complexity
Three converging trends further complicate companies’ efforts toward insightful and accurate GRC deployments. First, complexity of compliance increases not only because of new governmental regulations, but also because different regions or departments may have divergent or even conflicting requirements. Second, GRC applications themselves are changing, with eGRC applications adding more IT-GRC capabilities, and vice versa. Finally, advances in technology such as service-oriented architectures and master data management affect business processes and data integration, key elements of GRC efforts.