Where do companies need enabling technologies to support compliance efforts? The simple answer: everywhere. In the 21st century, governance, risk, and compliance (GRC) has created a drumbeat of urgency and uproar for companies of any size. Put more simply, the whole concept of compliance (the 'C' in GRC) can be broken down into a handful of questions:
- What did you do?
- When did you do it?
- Did you do it properly?
- Can you prove it?
But something so fundamentally simple does not account for the increasing Sturm und Drang surrounding GRC since the turn of the 21st century. Other factors account for the attention paid to GRC, among them these increasingly important aspects of business and technology:
Globalization. Ironically, globalization has complicated business by expanding the choices of where and with whom a company does business. Together with the Internet, it has also expanded the number of potential competitors a company faces in any new venture. Calculating the odds of success (or of failure, which is to say risk) involves more variables than ever before.
Scrutiny. From Enron and WorldCom to the mortgage meltdown, government entities are paying far more attention to the way companies conduct business. The bigger a company gets, the more impact it has on both its market and the economy, and both the public and private sectors are struggling with how to govern this. The result: new laws, new policies, new audit requirements.
Capability. Talk about the law of unintended consequences: when companies started eliminating paper-based processes, they replaced them with systems that could automatically answer the first two questions above. Because it is (purportedly) easier to monitor corporate activities electronically, those who have oversight, whether internal superiors or external regulators, are asking to see the digital equivalent of the paper trail. The result is an ever-increasing need for monitoring, tracking, analyzing, and auditing business processes. That is where enabling technologies that support GRC standards come in.
Compliance. This is the area that has received the most attention recently, and it is probably the catalyst (or culprit) behind the sheer number of vendors claiming to be part of the GRC marketplace. There are horizontal government regulations relating to financial and accounting activities, such as Sarbanes-Oxley. There are vertical government regulations relating to specific industries, such as HIPAA and HITECH in healthcare, or the rules for the energy industry overseen by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC). At the same time, companies frequently must adhere to industry frameworks and standards, such as ITIL, COBIT, and ISO 27001, which are not laws but are often required by customers, partners, or auditors.
As if those were not enough, multinational companies must also deal with regulations enacted by other countries, or by individual states. They seem to sprout like mushrooms after a rain. Just as with the other categories, this one incorporates elements of people, process, and technology: interpreting industry-specific data requires human expertise, compiling results for auditing is a process, and a database can store the regulation's contents.
How Hypatia Defines Enterprise GRC Solutions
Hypatia Research defines converged GRC solutions as a continuum of people, process, and technology. The spectrum extends from IT GRC solutions on one side to enterprise GRC (eGRC) solutions on the other. At the extreme end of the IT side of the spectrum lie highly automated digital controls for managing data access. At the extreme end of the enterprise side of the spectrum lies the element of business risk, which combines human elements such as instinct and experience with metrics for decision-making. In between, the solutions overlap, incorporating capabilities such as assessment; auditing; compliance with industry, partner, and government regulations, as well as internal policies; and workflow, all of which combine elements of human and digital analysis.
Figure 9: Elements of Governance Risk and Compliance
Governance, risk, and compliance follow the traditional structure of contemporary business in that they have elements of people, process, and technology; a single continuum combines all the elements of governance, risk, and compliance. At one end, people analyze risk and develop governance structures based on their own skill and experience and that of their employees (for example, a database may tell you what percentage of your bank's loans were made without down payments, but a human has to decide whether that percentage represents too high a risk).
At the other end of the spectrum, technology enforces compliance and governance through access control, data protection, and security. Along the continuum, processes driven by technological alerts and reporting ensure that supervisors are aware of whether employees are abiding by rules and regulations. Those supervisors can act on anomalies based either on their own knowledge or on an indication from the system that compliance is in jeopardy. For more information on vendor evaluations, best practices, maturity models, and derivative reports by country, size, industry or function, or for vendor selection advisory, please contact research@HypatiaResearch.com.
Excerpted from our comprehensive 58 page primary research study: “The Convergence of Enterprise GRC: Benchmarks & Vendor Galaxy Rankings” ©2014 Hypatia Research Group, LLC. All rights reserved. No part of this research study may be repurposed, distributed, translated or published in any format without the express written consent of the Hypatia Research Group, LLC and its management.