
Selecting the right GRC solution for your organization

February 8, 2010

The latest issue of the ISACA Journal (volume 1, 2010) has an excellent article on “Criteria and Methodology for GRC Platform Selection” by Anand Singh (an experienced senior consultant in IT risk management) and David J. Lilja, Ph.D (Professor at the University of Minnesota). I commend this to everybody interested in solutions for their organization’s GRC processes. Unfortunately, access to the Journal is limited to subscribers. The good news is that ISACA has given me permission to quote from the piece. (ISACA membership is worth the price of admission.)

I like a lot of what is in the article, but there are also points where I disagree or would expand the discussion. In this post, I will attempt to draw those out in a way that helps people looking to acquire software for GRC.

By way of background, Singh and Lilja say: “governance, risk management and compliance (GRC) issues around information have become central to organizational strategies. Investment in these areas has been increasing steadily, topping US $32 billion in 2008, a growth of 7.4 percent over 2007”. The numbers are from an AMR report by John Hagerty.

They continue: “GRC platforms provide a single, federated framework that integrates organizational processes and tools, supporting those processes for the purpose of defining, maintaining and monitoring GRC. An appropriately chosen GRC platform can lead to reduced complexities and increased efficiencies.” This is a little idealistic, as most (including Forrester Research and Corporate Integrity) recognize that no vendor has solutions for every single GRC process. However, the ideal of a single technology framework, preferably one that is common with other enterprise applications (such as the ERP) is commendable and one I share.

The trouble is that the authors don’t really define what they mean by GRC. As I have blogged previously, there are many different ideas on what GRC means and what functionality is included. At first, they appear to take the larger, more holistic view when they define what they mean by each of governance, risk management, and compliance.

“Governance—The IT Governance Institute (ITGI) defines governance as “the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that the objectives are achieved, ascertaining that the risks are managed appropriately and verifying that the enterprise’s resources are being used responsibly.”

Risk management—Risk management is activity directed toward assessing, mitigating (to an acceptable level) and monitoring risk. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets.

Compliance is an increasingly complex task given the global footprints of organizations, the increase in regulatory environment (which is likely to become even more stringent given the opportunities exposed by the current economic crises) and local regulations.”

However, when the authors list the functionality that a potential buyer should assess, they include only a few items under each category. For example, under governance they list (a) the ability to align governance with business objectives; (b) policy, standard, and procedure management; (c) the ability to enable oversight through reporting mechanisms; and (d) information for decision support. They do not mention potential governance requirements around code of conduct dissemination and training, a whistleblower hotline, management of board briefing and discussion materials, investigation management, and management of the internal audit function.

The authors appear to recognize this when they provide a list of questions that can be asked to help understand the potential buyers’ functionality needs.

  1. What is your biggest GRC area of concern?
  2. What compliance regulations are applicable to your area?
  3. Have you failed any areas of compliance audits in the past? If so, what were the findings?
  4. What improvements would you like to see in your current mechanism for prioritizing the security budget?
  5. How do you rate the effectiveness of your security controls?
  6. What would you like to see in the reports indicating the current status of compliance?
  7. How do you evaluate your risk currently? What are possible areas of improvement?
  8. What are critical threats to your area?
  9. How many times have you experienced these threats in the past 12 months?
  10. What area are you more concerned about, insider abuse or external threat? Please provide specifics.
  11. Have any of your end users expressed dissatisfaction with the extra steps they have to go through because of the security controls?
  12. Do you have a good data classification mechanism?

These are all good questions, although I would change the ones that are IT-focused (questions 4, 5, 11, and 12). The very first question, however, is the most important and critical one:

What is your biggest GRC area of concern? What are the business problems you need to address, in what priority?

Here is what I suggest:

  • Do not be persuaded by a vendor or service provider’s definition of GRC, which is typically based on the specific products and services they offer. Instead, understand that GRC processes are extensive: they are how an organization is directed and managed to achieve its goals, considering the risks to achieving them, and complying with applicable laws and regulations.
  • Define the needs your own organization has for automation. The authors’ questions are a good start for identifying them.

The rest of the article is sound (with one exception, which I will explain shortly). Singh and Lilja suggest and provide guidance on considering:

  • Cost, with an emphasis on the total cost of ownership
  • Vendor reputation
  • Product scope, vision, and strategy
  • Other factors (such as workflow and product security)

They also provide a useful example of how one company made its decision, using weighted assessments for each criterion.

Now to the final point of disagreement: the article lists a few vendors of GRC solutions, but omits a major player: SAP. In a future post, I will discuss how SAP provides solutions (and there are several) that enable efficient and effective GRC processes. If you want to know more now, please let me know.

  1. February 8, 2010 at 2:09 PM

    Hi Norman,

    Hmm – well as the advertiser on the back cover of the ISACA journal – I agree that the article in the journal attempts to be very informative.

    There are many definitions of gRc and notably, each definition seems to gravitate around the open ‘Center of excellence’ of the particular provider.

    In order to build and deliver a next generation gRc application suite, we started from a clean piece of paper and had to build governance, risk management, compliance and the accompanying single, integrated data framework from the ground up.

    That provides a common framework and a familiar application interface that works across an organization to provide substantial benefits. These benefits include:

    * a continuous improvement lifecycle for all aspects of governance, risk management and compliance.
    * a real time view of reported operational risk.
    * a comparative view against enterprise risk.

    This is to name but a few of the advantages. (I could go on with items like the ability to produce consolidated audit and assessment checklists, in under a second, that can cover multiple regulations without duplicating control material….)

    I do agree with most of your comments, however at the present time the existing gRc market is somewhat smaller than it will be (2 of the leading gRc providers report their annual income between 31 and 33 million dollars per annum).

    In addition, whilst the approaches of Oracle and SAP have some merit in providing information into the gRc framework – there is a difference between obtaining reports from embedded controls and maintaining an agile gRc framework that supports continuous improvement.

    A really good post though.

  2. February 9, 2010 at 4:29 PM

    Hi Norman

    I don’t think you should take offense. The Forrester Wave report (Q3 2009) highlighted SAP as a contender and Gartner made it very clear in their July 2009 EGRC Magic Quadrant why SAP had been excluded.

  3. nmarks
    February 9, 2010 at 4:38 PM

    Fred, this post has absolutely nothing to do with either the Forrester report (which, incidentally, evaluated old versions of the SAP solutions) or the Gartner MQ. The analyst firms are of course free to assess vendor solutions based on their assumptions about the set of functionalities that customers need to address their GRC needs.

    My point is that each customer should understand their own needs rather than rely on any vendor’s presentation (even SAP’s) or other model. I have been of this opinion and blogging on it since 2008.

    I am a practitioner and consumer of GRC products by background and approach this topic from that perspective.

  4. Maritza
    June 22, 2011 at 9:17 PM

    In our company we are trying to select a system for automation of the audit function, and the organization is trying to buy a GRC solution. There are GRC solutions that include a module for the audit function administration. Should we keep them together or separately?

  5. maritza
    June 22, 2011 at 9:36 PM

    I am having a hard time deciding whether or not to select an audit module within a GRC or go with TeamSuite for the automation of the audit unit. Could somebody help me?

  6. Norman Marks
    June 23, 2011 at 1:49 PM

    Maritza, I would be happy to chat with you offline. The first question is whether you need a solution for internal audit (and what you need there) or for the set of functionalities that you can find in a pre-packaged GRC solution-set. See these posts: https://normanmarks.wordpress.com/wp-admin/post.php?post=163&action=edit and https://normanmarks.wordpress.com/2011/05/05/shedding-new-light-on-governance-risk-and-compliance-grc/

