One for Three

Should governance, risk management, and compliance be tackled as one problem, or is this a classic case of scope creep?

The Sarbanes-Oxley Act has long had a digital doppelgänger. Almost from the day it was announced, and certainly since its Section 404 emerged as a major corporate headache, IT companies have hawked products that promise to ease the regulatory burden. Often these have been hastily retooled versions of applications that were originally designed to do something else — manage documents and workflows, for example, or provide a repository or database for business rules.

If these software vendors were hoping for a bonanza, they were soon disappointed. While many companies have, over time, come to see automation as a part of the Sarbox solution, for most it has been ancillary to retooled processes and other activities. And with recent guidance from the Securities and Exchange Commission shifting the focus of Section 404 compliance to an assessment of material risk, instead of an exhaustive cataloging of every facet of every control that organizations rely on, the need to document the minutiae of corporate life may soon abate.

But when it comes to opportunity knocking, software companies and IT consultants have a sense of hearing that a dog might envy. Even before the Section 404 playbook was being altered, vendors were altering their Sarbox applications, morphing them into more-complex and more broadly focused products that could address two related areas heavily affected by Sarbox: corporate governance and risk management.

Thus governance, risk, and compliance (GRC) software was born. At its core it remains a tracking system, capturing data on various compliance requirements as they affect a specific company and chronicling how the company does (or does not) satisfy those requirements.

But the software is now more than an automated checklist. Increasingly it aims to provide more-sophisticated decision-support capabilities. That’s in large part because even as the growing list of regulatory requirements creates a new level of risk (namely, the risk that a company won’t meet a requirement and will thus face penalties), other forms of risk are also receiving more attention in Corporate America. In fact, the field of enterprise risk management (ERM) is nearly synonymous with GRC, and many GRC products are touted for their ability to help companies monitor and analyze a wide range of business risks, of which regulatory compliance is merely one.

If you find this both compelling and confusing, join the club. Even companies that have embraced GRC admit that they aren’t always sure exactly what it means or how far it can extend. Despite the advancing capabilities of the technology, some companies say they prefer GRC software that is limited in scope, and others are pursuing a GRC strategy that focuses on organizational structure and processes rather than IT.

Overlapping Efforts

Despite those differing approaches, however, many companies agree on two key points: there is a degree of overlap between governance, compliance, and risk-management efforts; and a failure to bring some order to bear in addressing those needs often leads to duplication of effort and higher costs.
