Why I hate the term “GRC platform”
OK, this is another rant. I admit it.
But, I am not really a technology-oriented person. I look at stuff through the eyes of a business practitioner, not those of somebody that is developing and selling software (even though I work for SAP – and this rant like my other posts is mine alone and may bear no relationship to official SAP views).
GRC is not about technology. As I have said in earlier posts, it is about how organizations optimize performance, considering risks, and staying in compliance. It is about how you direct and manage the entity. See here and here for just a couple of related posts.
Directing and managing the organization involves a large variety of business processes and many different organizations. So, when I hear people talk about a “GRC platform” (or “enterprise GRC platform’ – which is the same thing) and what potential buyers should expect to see it include, I cringe.
Technology can be of great value in optimizing the business processes involved in governance, risk management, and compliance. Of that there is, I hope, little doubt.
However, the technology any company needs depends on its individual facts and circumstances. There is no ‘standard’ or recommended set of capabilities that makes sense for everybody.
In addition, the use of the term ‘platform’ implies that all GRC software needs to be on its own, separate technology base. As I said in this post, I think this is narrow thinking – and overlooks the significant values of (a) a common, optimized enterprise technology, and (b) the integration of GRC products like risk management with enterprise applications like financial management – in this example enabling automatic risk monitoring.
Vendors are free to use the term ‘GRC platform’ to describe their set of products, as long as we all understand it is not a complete set of products that addresses every important governance, risk management, or compliance process business need. I believe I am very safe in saying that nobody has software for every possible GRC need.
Analysts may use the term to describe what they believe to be a set of products often included in buying decisions. But, buyers should realize the product set is limited and may not meet their specific needs.
So, I never use the term “GRC platform’. Instead, I prefer to ask what is the best set of products, given all considerations, for the business.