A Lack of Standards Holds GRC Back
The one thing that just about everybody is certain will happen in 2009 is that we're going to see a whole lot more emphasis on governance, risk management and compliance (GRC). After all, just about every economic calamity facing us right now can be traced back to a lack of governance in one form or another. And with both the White House and Congress in the hands of Democrats, you can be sure new regulations will be coming fast and furious.

This isn't necessarily a bad thing. But the folks who are inclined to pass all these regulations should take note of two inalienable facts. The first is that all regulation comes at a price in the form of lost productivity, because of the time needed to provide the oversight that makes sure people comply with the regulations. The second is that the GRC interoperability standards that exist in today's IT market are pretty thin. In fact, if you take a good look at the GRC market it quickly becomes apparent that the phrase GRC is really a catch-all for a collection of point products that don't adhere to any widely adopted set of standards.

The good news is that there are some nascent standards efforts in the GRC space, including the creation of a best practices framework called OCEG and the Control Objectives for Information and Related Technology (COBIT) framework. Naturally, big vendors such as IBM, CA and Symantec have their eyes on the whole GRC space as it matures. But in the meantime smaller rivals such as OpenPages have been doing a nice job of creating some of the first commercial GRC management frameworks. Regardless of the current state of the economy, it's pretty clear that demand for GRC-related technologies is going to be higher than it was in 2008.

In fact, the only thing that may be holding this whole space back is the vendors themselves, which once again have been characteristically slow when it comes to creating standards that would ultimately increase the number of products they might actually sell, by making it easier to sell more useful products to more customers.

Comments (3)
Actually, there is not a lack of standards...just perhaps lack of awareness of the good ones.
Readers may find more intelligible, accessible and useful guidance from more widely (globally) adopted standards like AS/NZ 4360 and the recently ratified ISO 31000.
These standards are principles-based, rather than narrowly responsive to specific regulations.
Posted by Ed Alexander | November 21, 2008 4:12 PM
We absolutely agree with your sentiment above that the need for GRC and the spending on this will only increase over the next few years. Common standards will certainly help, but the reality is companies need to take action now, and what we’re hearing from customers is they need an enterprise platform that addresses all of their GRC requirements regardless of specific LoB, industry, region or regulation. Our vision is to provide a uniform framework so the governance of risks and controls can be addressed in a common way across multiple business processes. Today the fragmentation of so many solutions has dampened transparency because the numerous point solutions address the identification and response to risks differently. The common element is the process of risk identification, establishing controls, and monitoring the performance of controls. Companies continuing down this point solution path will find themselves in a continual reactive mode without a framework to address multiple areas and business processes. We’re working with our customers to develop and deploy solutions that attack prominent processes that have the biggest exposures and volume where automation and analytics can result in a quick win and ROI. Examples are financial, global trade and environmental areas.
Gary Dickhart, SAP GRC Customer Advisory Office
Posted by Gary Dickhart | November 24, 2008 2:20 PM
Michael - both prior comments touch on some important considerations. However, it's important to note that the vendors you mention do not create the standards and regs against which organizations must measure themselves (ISO/SOX/Cobit and so on). But they do work with a number of organizations, like OCEG, to drive practices and methods for efficiently working with, complying with or adopting those standards and regulations. CA, for example, takes a holistic view of the regulations/standards and associated controls and works with clients to create a centralized control (or risk) repository; identify and eliminate redundant efforts associated with those same controls; and track and manage resources and costs associated with governance, risk and compliance efforts. The result: a single data source; enterprise-wide visibility into compliance posture; elimination of redundant testing and reporting; prioritization of activities based on key risk indicators; and task/resource-level reporting on enterprise GRC effort and costs.
Posted by Matt Caston, Global VP Business Governance CA, Inc | December 2, 2008 5:39 PM