The value of GRC product integration
However you define GRC (see my other posts), everybody will agree that solutions for governance, risk management, and compliance (GRC) include a number of functionalities. For example, some focus on the risk management, compliance management, policy management, and audit management and refer to the combination as a GRC platform or similar.
There certainly is value – as a generality – in integrating applications. SAP achieved great success through its integration of applications for business processes into ERP and more recently into its Business Suite. Oracle has also integrated many of its applications into its ERP.
The question is whether integration of different GRC applications or functionalities has the same sort of value as integrating accounts payable and general ledger.
I would argue that there is clear value in integrating some of these applications. For example, when you integrate risk management and audit management, you enable the internal audit function to build a risk-based audit plan. Integrating compliance management and policy management allows you to link compliance requirements to related policies. Additional integration with risk management allows you to capture and report compliance-related risks together with other sources of risk, such as strategic and operational.
What many seem to overlook is the value of integrating these applications for GRC with the ERP itself. For example, integrating risk management with the financial, accounts payable, logistics, and other parts of the ERP will allow the building of automated, integrated, continuous risk monitoring. Running applications for transaction and master data monitoring (CM or CCM) or auditing (CA) is much more efficient when they are integrated with the ERP – where the data resides – than when you have to extract the data from the ERP so it can be tested.
Where is the integration most valuable for you? Is it in integrating the GRC solutions with each other, or with the ERP? Perhaps the answer is to be greedy and ask for both: integration between related solutions for GRC and integration of those same solutions with ERP.
What do you think?