From the June 2009 issue of Treasury & Risk magazine

The ABCs of GRC

As regulatory risks loom, companies evaluate how to get more out of governance, risk and compliance software.

Companies see regulatory changes as the second biggest risk facing global businesses, second only to the economic slowdown, according to a recent survey by insurance brokerage Aon Corp. Reflecting these concerns over new regulations and legislation is the rising profile of governance, risk and compliance (GRC) software, a term applied to products that help companies deal with areas as far ranging as Sarbanes-Oxley compliance, risk management and IT governance.

That breadth of functions can make the category a bit hard to pin down. John Hagerty, a vice president and research fellow at AMR Research, puts total 2008 spending on GRC products at $32.1 billion and estimates there are hundreds of GRC providers. Various GRC products perform such distinct tasks that it's hard to compare them, Hagerty says. "The GRC marketplace is a collection of functions that don't all interact with each other."

GRC products got a big boost earlier in this decade from the Sarbanes-Oxley Act, and since then, other regulations have helped fuel demand. But slower economic growth may temper companies' willingness to invest big bucks in GRC products, Hagerty says. When the economy was flourishing in the middle of the decade, "someone just had to breathe the word compliance and everyone jumped," he says. "And someone would invoke risk, and people would jump. In flush times, people were able to use compliance and risk as levers to get projects moving."

Others argue that the recession is increasing companies' interest in handling more of their governance, risk and compliance chores with a single solution--an approach referred to as "integrated GRC"--instead of buying and running a number of different programs.

Chris Leone, group vice president of fusion and GRC applications development at Oracle Corp., distinguishes between integrated GRC and what he terms "disparate GRC," in which companies use a different solution to deal with every regulatory requirement or effort to manage risks.

More organizations today are bringing those solutions to a common GRC platform to reduce the cost of compliance, Leone says. The reason they do that is because "many times the control they have in place for a particular mandate is the same control they need to attest to in a different mandate. With siloed deployment, they're doing the same test multiple times and not achieving any greater result.

"What we're seeing are customers that have deployed a solution in one area of their business, like an automated solution for SOX, expanding it into IT governance," Leone says.

Bethesda, Md.-based USEC, a uranium processor with $1.6 billion in 2008 revenue, has spent the last few years extending its system for monitoring Sarbanes-Oxley controls, Protiviti's GRC Portal, to cover the company's non-SOX risks and controls, as defined by the COSO enterprise risk management framework.

The company has worked to map those processes, identify the key controls on those processes and establish which executives are responsible for each key control, using the electronic repository of the GRC Portal, just as it does for its Sarbanes-Oxley controls, says Barry Mumford, USEC's director of auditing. The GRC Portal, which the executives who own SOX controls use to perform quarterly assessments of their controls, will survey the owners of non-Sox controls, he says.

Extending the system to non-Sarbanes-Oxley risks gives the company a better vantage point from which to assess its internal controls. "It's all part of positioning management to do the job of keeping a finger on the pulse of its controls," Mumford says. He notes that some types of risks are still monitored separately, including all the work involved in complying with the requirements of the company's main regulator, the Nuclear Regulatory Commission.

Scott Wisniewski, director of global risk technology solutions at Protiviti, a consulting and internal audit company as well as a software provider, says that it can be a challenge to get different organizations within a company to combine forces to implement an integrated solution. "The value of integrated GRC often isn't a value to the individual stakeholder group, but it's a value to the broader enterprise," he says. "You need strong leadership."

But Wisniewski says some users of GRC products within companies are now coordinating their purchases. "What you're starting to see is subgroupings of buyers," he says. "SOX and internal audit are starting to cluster together." Wisniewski also points to coordination by IT executives who deal with such issues as business continuity, information security, privacy and supplier risk. Compliance executives seem to be the least likely to buy software in cooperation with other business units, he says, and suggests that that reflects the industry-specific nature of compliance.

There have been some deals executed within the last year in the GRC market, including Thomson Reuters' purchase of Paisley and Trintech's acquisition of Movaris. Hagerty says more consolidation is likely and predicts that it will occur along the lines of such "buying centers." Meanwhile, new regulations are always coming down the pike that could create more demand for GRC software solutions. Hagerty says one current example is environmental issues. "Cap and trade, what [companies'] options are on carbon, may indeed cause [a company] to do something sooner rather than later," he says. "Environmental management seems to be a very hot issue for a lot of companies."

Oracle's Leone says companies are increasingly interested in monitoring their supply chain risk: "If you don't take a proactive approach to risks with your suppliers, then you're very reactionary." And Wisniewski points to the coming convergence of U.S. and European accounting standards: "That's going to spur a lot of activity in the United States and Canada.

"Integrated GRC is a process," Wisniewski says. "Given the dynamics of business, there are always emerging threats, always some new domain-specific knowledge that you need to bring into your organization. Are you always fully optimized? Probably not, but you need to have a process that allows you to optimize, to converge."

Meanwhile, Hagerty advises that companies look before they leap into the market for governance, risk and compliance products. "If you come in thinking, 'I want to buy some GRC stuff,' take a step back and look at what you're trying to accomplish," he says. "GRC can be many things. Understand what you're trying to do and once you've honed in on that, initiate the search for the vendors who do what you want to do."


Advertisement. Closing in 15 seconds.