Rather than inquire about Sarbox-only software, vendors say clients now routinely issue RFPs for programs that can handle an array of mandates, including Basel II and sustainability reporting. In addition, prospective buyers appear to be zeroing in on software that offers a range of functions (such as risk modeling and survey publishing). “The Sarbanes-Oxley market has almost disappeared,” confirms Luc Brandts, chief technology officer at compliance-software publisher BWise. “But convergence is hot.”
Application vendors, who cling to marketing hooks the way cats cling to curtains, have been only too happy to cater to this desire, probably motivated by the fact that since 2003 the average price for such applications has more than tripled, to $400,000. At last count, Corporate Integrity president Michael Rasmussen found 114 software vendors that claim to offer GRC platforms. The hijacking of a three-letter acronym is standard practice in the software world, of course, and makes life difficult for would-be GRC customers. “Convergence is about processes, about getting different roles to talk to each other, and working toward a common goal,” Rasmussen says. Most sales pitches don’t acknowledge the nuances, or difficulty, of such efforts.
If the need to bridge various divisions and departments within an enterprise in order to achieve a holistic view of compliance and risk issues sounds familiar, it is. Remember enterprise risk management (ERM)? Highly touted by insurance companies (and the business press), it emphasized the need for managers to address risk in a systematic rather than a compartmentalized fashion. Approached in this way, responsibility for risk management fans out across functions and operating units and becomes a part of many people’s jobs.
The concept has merit, but when software companies rushed in to the nascent ERM space with elaborate — and expensive — applications, corporate interest seemed to wane. While credit-rating agencies remain keen on the concept, the proliferation of ERM applications seems to have led some managers to view enterprise risk as a technology problem rather than a business-process issue.
Ahead of the Curve?
Will GRC follow a similar path? Hagerty believes that, five years from now, GRC will be as common a business term as ERP. The pace of regulatory reform seems to be quickening, and consumers now appear to be more loyal to businesses that can point to a range of governance improvements, be it greater transparency or a broader acknowledgement of their impact on the environment. Those trends may give GRC a boost that ERM lacked.
Ed Fox, vice president and chief sustainability officer at utility Pinnacle West, believes managers are finally waking up to the importance of what he calls “principled business.” Such an approach involves assessing the long-term societal impact of a company’s operations. Toward that end, Pinnacle West recently purchased a sustainability and EH&S (environment, health, & safety) reporting program from Enablon. Among other things, the application helps the utility track some 150 key performance indicators. “But this must involve a change in corporate culture, too,” says Fox. “It must be a top-down, bottom-up, unified approach. That’s the hard part.”