Indeed, the promise of convergence may be slightly ahead of the reality. Consider DreamWorks Animation SKG. In 2006, the creator of Bee Movie licensed a compliance application from — wait for it — BWise, in order to automate the testing of internal controls as required by Section 404 of Sarbanes-Oxley. Vicki Halliburton, head of internal audit at the company that gave us Shrek and Shark Tale, says the software has freed DreamWorks from the “distraction of spreadsheets.”
The company is now finding additional uses for the program. The software, for instance, enables authorized visitors to view the policies and procedures governing the animator’s dealings with suppliers. In addition, DreamWorks recently loaded financial information from its general ledger into the application. The data dump, when run through BWise’s rules engine, allows managers to more easily scope hazards that might be material to the business. Indeed, Halliburton says that what was at first regarded as a Sarbox application now goes well beyond internal controls. “It has great functionality for conducting risk assessments,” she says.
Even so, Halliburton says that management at DreamWorks is not entirely sure how to integrate other stand-alone applications into its GRC portal. And she grants that a more-holistic, enterprisewide approach to risk, compliance, and governance is a ways off. “Convergence,” says Halliburton, “is a work in progress.”
That’s true both for companies’ processes and the software they might use. Vendors like BWise, Qumas, 80-20, OpenPages, and Paisley have created impressive GRC platforms — that is, portals where managers can access and monitor information about governance, risk, and compliance. The problem, say analysts, is that no software publisher covers all the GRC bases. BWise and Qumas, for example, are strong in content and process management. Approva excels at helping customers automate controls. Axentis, another major player, markets an intriguing hosted product. Says Haggerty: “No vendor today offers a platform that can handle everything.” And customers see some organizational roadblocks as well (see “Who Owns, Who Pays?” at the end of this article).
This may change as a different sort of convergence takes hold — among vendors. Industry consolidation has already commenced as smaller vendors (such as Securac Holdings and Certus Software) merge, and as ERP giants Oracle and SAP elbow their way into the space. In 2006, SAP indicated that it was getting into the convergence arena by acquiring automated-controls specialist Versa. Oracle announced its GRC strategy in March 2007, about a year after the company bought content-management specialist Stellent. “Oracle has a ton of GRC pieces,” says Rasmussen, “but it’s still putting them together.”
So is SunTrust. The bank is now in the process of integrating its general ledger into its compliance software. It’s only a trial, but one that underscores the promise of convergence. “We will be able to identify not only the most significant balances, but the controls associated with those balances,” he says. “It will give real visibility to risk managers.”
Is this the future of GRC? “We don’t talk much about convergence or GRC,” says Wheeler. “We still use the term ‘enterprise risk management.’”
Give it time.
Who Owns, Who Pays?
Key challenges in implementing a GRC plan*
59% — No single point of ownership/accountability
57% — Obtaining executive sponsorship
56% — Lack of budget/resources
47% — Unable to justify return on investment
28% — No perceived input on corporate goals & objectives
*Percentage of companies; Source: Approva Corp.