Enterprise governance, risk, and compliance, commonly abbreviated GRC, is turning out to be a crucial focus for enterprise leaders. Unfortunately, it is not an area where most organizations are up to speed.
Various reports describe the typical GRC effort in many enterprises as one-sided, relegated to a single department, or working from a skewed perspective.
Let's break that down: A recent report from Hypatia Research LLC states that the meaning of GRC is changing, thanks to a host of new regulatory requirements, along with often-conflicting needs within increasingly complex distributed organizations.
In the past, the functions within corporate GRC were often handled as disparate efforts -- regulatory compliance was the job of internal auditors, for instance, while IT handled security, according to Leslie Ament, Hypatia's VP of research and client advisory. Now, companies wishing to be more effective must look to a holistic approach that integrates these functions.
Adding to the challenge is the fact that companies looking to improve their GRC are turning to software, according to Hypatia. Vendors present a roster of solutions, ranging from IT-oriented ones based on data monitoring to business-side solutions centered on financial risk metrics.
How to get it all together? Choosing the right software for GRC is often tied to selecting outside help -- which can be a virtual minefield for unwary execs.
“While most consultancies offer both business and IT GRACS [governance, risk, compliance, and security] advisory services via discrete practice areas such as Risk, Audit, or IT Security, less than 30% of those evaluated actually walk the walk in offering clients integrated advisory services,” Ament noted in a prepared statement for another Hypatia report.
GRC also presents challenges when tackled internally. Experts have argued, for instance, about whether internal auditors are focused on the issues and measurements that will really deliver the information top management needs to make decisions about corporate risk.
Ultimately, GRC is an issue that each organization must filter through its own needs and priorities. But it's certain that the growing volume of data, the level of technology available, and the increasing complexity of organizations and regulations will give them a lot to consider in that task.
— Mary Jander , Executive Editor, Internet Evolution