2013 GRC Trends
Governance, risk, and compliance programs, and the technologies that support them, can move a company forward and sometimes even save the day.
By Steve Schlarman
For the governance, risk, and compliance (GRC) market, 2012 represented a bit of a tipping point. Companies seem to be getting the hang of GRC and a clear return on investment is beginning to form. Although the media reports the many failures such as high-profile data breaches and compliance violations that cost companies millions, there are also reports of robust, demonstrable compliance programs that have helped companies avoid major crises. Even though those instances don't make the headlines as often, performance gains, reduced costs, improved compliance, and other benefits have shown that GRC programs, and the technologies that support them, can move a company forward and sometimes even save the day. The question is what will be the course in 2013?
Enterprises Will Continue to Deal with Worst First
One theme will be the continued objective to deal with the most pressing issues in a prioritized manner. This concept is core to risk management -- identify the critical issue and deploy resources to manage the risk appropriately. The hump that many organizations need to get over to keep this moving forward is the progression from qualitative risk management to quantitative analysis. It is difficult to differentiate priorities in a "low/medium/high" risk world. Therefore, to target this "worst first" problem, companies will need to migrate risk processes towards more quantitative methods. In the financial risk management world, numbers are readily available. It is in the more subjective topics -- such as IT security or IT risk in general -- that calculable models are only emerging.
Companies will begin to adopt more numerical models -- whether it is financially based or arbitrary, but predictable, scoring models -- to assess risk and prioritize issues. The ability to aggregate and compare risks is very difficult when subjective values are used. Therefore, companies that adopt more quantitative methods will begin to hone their risk management processes and improve their ability to address the "worst first."
The Value of GRC Data
For companies that have been managing risk and compliance in defined programs for some time, the data generated from the program has intrinsic value that can give insight to the future. Many GRC-related processes inherently produce historical data that indicates how well the organization is meeting business objectives. Incident costs, loss events, compliance histories, and other sources of data represent an untapped treasure trove in many companies. Metrics and trends based on this data can indicate future courses of action. The challenge is building the appropriate repository to mine and analyze.
In 2013, enterprises will begin to utilize GRC data to enable performance improvement initiatives. This will be an evolutionary step in GRC turning the corner from a reactive program driven by compliance and "catch-up" to an enabling business process that drives action. Many GRC practitioners are seeing the potential -- it will be a matter of enabling the processes for the data mining, analytical and modeling capabilities necessary to facilitate process improvement, process re-engineering and performance gains.
GRC as a Business Management Paradigm
For enterprises that are bullish on the GRC market, the idea that GRC can become as essential to business management as enterprise resource planning (ERP) and customer relationship management (CRM) has been the end game all along. In many cases, this has been the minority in organizations. Some executives cringe at the mere term GRC. To them it represents a vendor-fueled, analyst-driven pipe dream that added cost and sowed confusion in the ranks. However, the thought that GRC can be an evolutionary business management approach is becoming more accepted. Companies can, and do, reap the benefits of approaching governance, risk and compliance in a cohesive, planned manner.
Although the final state (where mature, integrated, performance-enabling GRC is a must-have for every organization) may not come in 2013, the trend of GRC emerging as a core business management need will gain steam. What company doesn't have some CRM strategy or CRM infrastructure these days? Companies are already thinking of GRC in these same terms. Clear governance processes, consolidated risk management programs, and streamlined, integrated compliance initiatives, supported by a GRC technology infrastructure, will become part of the fabric of business management no different than ERP and CRM.
When December 31, 2013 rolls around, there will still be stories of major calamities that have impacted organizations. In fact, there may be an increased volume of these stories as regulators, industry watchdogs, and the many emerging threats facing enterprises today pile on top of the current ones. However, this underscores the compelling needs of companies in terms of GRC. The constantly shifting business environment will necessitate more "worst first" thinking, deeper analysis of untapped treasure troves of data, and drive companies towards the GRC paradigm to improve overall business management practices.
Steve Schlarman is the eGRC solutions architect at RSA, where he is responsible for applying his experience in governance, risk, and compliance and product design and architecture to RSA Archer's eGRC solutions. He manages a team of subject matter experts responsible for applying their expertise and industry experience to the suite of eGRC solutions on the RSA Archer platform. Steve's team performs market research, requirements definition and acts as the "voice of the customer and practitioner" for the eGRC solutions. You can contact Steve at Steve.Schlarman@rsa.com.