Ventana Research recently completed benchmark research on governance, risk and compliance (GRC), three business activities that are naturally linked. Although managing them requires separate and sometimes very different processes, on the whole these activities affect each other: effective corporate governance ensures compliance with laws, regulations and company policies, and without governance there is no way to control risk. Whether considered separately or together, managing governance, risk and compliance is increasingly important.
Risk is part of any business undertaking and comes in many forms. Managing it involves anticipating negative events, understanding their costs, determining whether potential benefits outweigh the risks, and applying controls to prevent risk events or mitigate their impacts if they occur. Managing risk intelligently is a hallmark of successful companies.
Similarly, compliance with existing laws and regulations is essential. Governance ensures that processes are in place to perform legally mandated tasks (such as filing forms or performing tests) in ways that reduce or eliminate the risks and consequences of failing to meet requirements.
Automating tasks in governance, risk and compliance can enable organizations to complete them regularly and quickly while avoiding both errors that mean having to redo the tasks and the costs of mismanaged risks or inadequate compliance. Software that automates aspects of GRC management processes, from collecting data to analyzing it to submitting status updates or reports, can monitor risks and alert people when thresholds are passed. It likewise can manage the steps required for compliance approval.
Yet it seems that most organizations don’t deal effectively with GRC. Our research finds a solid majority of companies (63%) in the bottom half of our maturity distribution in their management of governance, risk and compliance. Our analysis, which assesses maturity in four organizational categories, found that companies are more mature in People and Process and less mature in Technology and Information. In both of the latter two categories, more than 70 percent of research participants ranked at the two lowest maturity levels. Regarding Information, the research uncovered what we view as a lack of engagement with the core issue: access to and use of the data necessary to measure and assess risk. One barrier that many companies face is their use of spreadsheets in GRC processes, which by themselves can introduce unacceptable levels of risk and error.
Among the factors holding companies back is that, as with so many purely administrative tasks, corporations (especially those that are not heavily regulated) look to satisfice their compliance obligations rather than optimize them. Investments that could improve the efficiency of these processes have a low priority. Another factor is that while risk management is a well-understood business requirement in financial services, with centuries of established practices and metrics, it is much less well developed in most other industries. Companies typically consider risk in business decisions, but they do so informally and inconsistently. Thus, critical information needed for formal risk measurement and assessment is either not captured by a company’s IT systems at all or captured in a form that is not useful for this purpose.
It’s certainly true that governance, risk and compliance activities do not generate revenue and rarely confer a strategic advantage. Nonetheless, organizations should not treat these activities lightly. Most companies do not need to make wholesale changes to their business priorities to add GRC processes, and they don’t need to make major investments to achieve measurable improvements in how they execute these processes or manage risks. Simply automating the processes as much as possible lets companies meet requirements while cutting the time and effort to manage them.
At present there are no software tools that address GRC as a package, as we’ve noted before. Our benchmark research shows that as organizations begin to consider options for each facet of GRC – whether financial, operational or IT – they must look for practical qualities in software, particularly usability and functionality, that will help them complete tasks more easily.
We expect to see a market developing to handle GRC as a platform as vendors build more unified and coherent arrays of offerings. I expect the driver of this to be a desire by large consulting partners with broad GRC practices to work with a limited set of vendors. Since many GRC projects require a heavy dose of intellectual property and expertise, I believe customers will find value in working with one or possibly two vendors, blending their intellectual property with packaged software. Organizations that take these steps will be more confident that they handle GRC well and turn their attention to other activities that directly impact their success.
Robert Kugel – SVP Research