Author: mkli

The financial crisis led to a surge of new or sharpened regulations, as governing bodies tried to meet rising public expectations of their oversight performance. Companies in 2010 are struggling to stay compliant with an ever-increasing body of laws, rules, and regulations applied to ever more complex business and technology. Personal accountability is now common practice and is increasingly enforced: a board of directors that fails to oversee a system of compliance may expose itself to claims of tort liability or even criminal liability.

Yet the average maturity of compliance programs is still low. No wonder: a 2005 benchmarking survey by the nonprofit Open Compliance and Ethics Group (OCEG) found that 54% of all existing compliance and ethics programs had been created between 2000 and 2005.

With the Sarbanes-Oxley Act as the major driver, companies found that the overwhelming complexity of financial compliance alone could not be controlled on a document basis. Information technology became a key factor in this management area as well, and software vendors stepped up with the first, mostly topic-driven, support tools to ease the pain. Soon, however, a document-based workflow proved insufficient, as the need for process orientation became evident to ensure the efficiency and sustainability of these programs. In parallel, companies and consultants recognized the high overlap between compliance topics, and generic, process-driven platforms were developed to further improve efficiency. The ARIS Solution for GRC is one example.

In recent years these generic approaches have absorbed formerly separate risk management functionality and linked it with objectives and balanced scorecards, providing increasingly integrated platforms instead of isolated, topic-driven applications. The basic pain points of transparency and consistency are addressed with a single repository connecting all relevant data; efficiency comes from simple, flexible workflows and unified control sets. Platforms that can also link to performance management and measurement address today's most difficult challenge: the balance between objectives, performance, risk and control. But that is material for another post.

The GRC market is still very fragmented and in flux; customers, analysts, vendors and researchers tend to use different approaches and definitions. The OCEG is one non-profit organization taking up the fight to bring structure and common understanding to the topic, providing sound generic approaches and framework definitions. Still, the customer has to choose from a set of offerings that are rarely comparable, so the choice comes back to trust and expectations. Those looking for a quick and dirty fix to their most pressing pain may opt for a topic-specific vertical solution. Companies planning to build a foundation for the years and regulations to come should choose a more generic but process-oriented approach that offers sustainability and flexibility for changing business needs.

Talking about the future: I believe the future of GRC lies in combining today's compliance platforms with automation. Not just monitoring access control exceptions or tracking predefined indicators of control deviations: future automation needs to be low-effort and event-based, so that automated controls can be set up dynamically, with automated responses that allow timely reaction to non-compliant behavior and processes and flexible support for audit tasks.

