But the biggest question of all remains whether and to what degree software can automate and augment the many business processes that lie at the heart of governance, risk, and compliance. If a company takes a fragmented approach toward those tasks, the existence of a unified software package may not gain much traction at a time when each department or business unit is scrutinizing its budget like never before and shelling out for only what it needs today.
John Edwards is a freelance writer based in Gilbert, Arizona.
What We Talk about When We Talk about GRC
Since GRC technology and services comprise three separate activities, companies naturally emphasize different reasons for investing in it. Compliance was the main attraction at first, but after several years of wrestling with Sarbanes-Oxley, “people had compliance fatigue,” says John Hagerty, an analyst at AMR Research in Boston. Risk management subsequently started to drive the GRC market, beginning in the first half of 2007. “The conversation really changed,” says Hagerty. “Companies were looking specifically to understand what their risk profile was — which areas they were exposed in, which activities could be risky.”
Hagerty says the issues that dominate the news tend to drive GRC spending. In 2007, information technology risk, particularly that focused on data security and privacy, became a cause célèbre following widely reported thefts of credit-card numbers and breaches of government databases. In 2008, the banking crisis highlighted how irresponsible risk-taking can cause entire organizations to collapse. Thus risk management, increasingly for operational risk, continued to be “the new compliance,” as an AMR report put it.
However, compliance could make a comeback, says Hagerty, thanks to the recession. Cash-strapped companies are reviewing all of their investments with a gimlet eye, including their IT portfolios. If they decide “to get back to essentials,” he says, they may refocus on the compliance component of GRC, which handles regulatory issues that companies must address.
The next big driver of GRC technology could be environmental initiatives — managing carbon footprints and greenhouse-gas emissions, or implementing a sustainability program. In a 2008 AMR survey of GRC buyers in the United States, Germany, and Japan, only 6 percent said that environmental health and safety compliance was their largest single GRC investment, compared with 23 percent for IT-specific risk management, 15 percent for Sarbox or other financial-governance initiatives, and 14 percent for operational and general risk management. But that balance could change if global warming becomes a larger corporate priority, or if the Obama Administration steps up environmental regulation. — Edward Teach