Why I hate the term “GRC platform”

OK, this is another rant. I admit it.

But, I am not really a technology-oriented person. I look at stuff through the eyes of a business practitioner, not those of somebody that is developing and selling software (even though I work for SAP – and this rant like my other posts is mine alone and may bear no relationship to official SAP views).

GRC is not about technology. As I have said in earlier posts, it is about how organizations optimize performance, considering risks, and staying in compliance. It is about how you direct and manage the entity. See here and here for just a couple of related posts.

Directing and managing the organization involves a large variety of business processes and many different organizations. So, when I hear people talk about a “GRC platform” (or “enterprise GRC platform”, which is the same thing) and what potential buyers should expect to see it include, I cringe.

Technology can be of great value in optimizing the business processes involved in governance, risk management, and compliance. Of that there is, I hope, little doubt.

However, the technology any company needs depends on its individual facts and circumstances. There is no ‘standard’ or recommended set of capabilities that makes sense for everybody.

In addition, the use of the term ‘platform’ implies that all GRC software needs to be on its own, separate technology base. As I said in this post, I think this is narrow thinking, and it overlooks the significant value of (a) a common, optimized enterprise technology, and (b) the integration of GRC products like risk management with enterprise applications like financial management, which in this example enables automatic risk monitoring.

Vendors are free to use the term ‘GRC platform’ to describe their set of products, as long as we all understand it is not a complete set of products that addresses every important governance, risk management, or compliance process business need. I believe I am very safe in saying that nobody has software for every possible GRC need.

Analysts may use the term to describe what they believe to be a set of products often included in buying decisions. But, buyers should realize the product set is limited and may not meet their specific needs.

So, I never use the term “GRC platform”. Instead, I prefer to ask what the best set of products is, given all considerations, for the business.

  1. July 7, 2010 at 8:25 AM

    A good rant, Norman. I wholeheartedly agree. GRC is about people, processes and is facilitated by technology, where applicable.

  2. July 7, 2010 at 3:27 PM

    Norman,

    I agree that “the technology any company needs depends on its individual facts and circumstances. There is no ‘standard’ or recommended set of capabilities that makes sense for everybody.” I would like to suggest, however, that companies strive for continuous improvement and not perfection, which is unattainable. Similarly, I believe that every company should do their best to improve their internal controls as defined in Internal Control Frameworks such as COSO and CobiT. Internal Controls such as Segregation of Duties, Access Control, Risk Management, Transaction Controls, Change Management, and Configuration Management apply to every company. Moreover, in light of recent experience, all companies should improve their Risk Management capabilities.

    GRC Software including Oracle’s “GRC Platform” of Oracle GRC Technology Controls and Oracle GRC Applications are nothing more than “tools” that companies can use to help them implement their GRC Solutions. I believe that we need to put more emphasis on identifying and understanding a company’s GRC requirements than on the tools they use to accommodate their requirements.

    Many of Oracle’s GRC Technology Controls Products and GRC Applications can be used with any platform. While not perfect, Oracle’s and SAP’s GRC tools help companies implement GRC solutions, which are significantly more effective and efficient than GRC solutions developed using Access Databases, Excel Spreadsheets and Word Documents.

  3. July 8, 2010 at 5:49 AM

    Norman,

    Great post, wish there were more like it! And let me take it a bit (smile) further…

    There is a phrase in the defense community “fire and forget” i.e. once you push the button and the missile is launched, everything else is automatic, optimized, and no further intervention is required. I must admit I am not convinced that this is a good philosophy, even if it were feasible outside of a relatively narrow band of circumstances. As the number of confounding variables increases, the likelihood of any one solution remaining viable drops dramatically.

    All technologies….let me say this one again…all technologies serve to constrain thought and action.

    Sometimes technology can help us to do our jobs more quickly and efficiently. Sometimes it merely helps us fail faster. An example of the latter would be “goofy” probabilities or decision rules that diverge from reality over time. As you can see, I’m not too much of an “enterprise kind of guy.” And the only thing I think ought to be automated are the termination notices for consultants and auditors that advocate “enterprise wide” solutions.

    If there is a trinity in business it is people first, ideas second, and technology third.

    • July 8, 2010 at 3:33 PM

      Hey John,

      I get your drift but I think your statement, “…all technologies serve to constrain thought and action.” is a bit extreme and in my outlook inaccurate. I live in the data analysis world where the idea of critical thinking (challenge what the system is telling you and find out for yourself) and making the impossible possible (like analyzing millions of transactions in a matter of minutes) is very much alive. I agree that “black box” technologies can be constraining; technologies that enable critical thinking are liberating.

      • July 8, 2010 at 5:01 PM

        Peter, I don’t know. Do you think most people challenge what the system is telling them?

        Moore’s Law has made analyzing thousands of transactions child’s play. But how many people, analysts included, challenged the Gaussian assumptions underlying most of our capital market risk models?

        • July 9, 2010 at 9:02 AM

          John, Simply put, “No. MOST people don’t challenge what the system is telling them.” But there are those who do. While in the minority, they exist: I’ve met them. And they make awesome assurance providers who deliver real value and exemplary insight into what’s really going on. So that gets back to my initial reply to your posting. I get your drift but I wouldn’t condemn all technology because most people aren’t critical thinkers. Don’t blame the tools for what people do or don’t do.

          • Brett Curran
            July 9, 2010 at 9:54 AM

            Peter, I couldn’t agree more. To take your comments one step further, software, as everyone knows, is created by someone who is addressing someone else’s automation needs. Over time, other people with similar needs try and use the same software to meet their needs. As the software is changed over time to address slightly different needs, it becomes increasingly useful to meet a broader range of needs. On occasion, the software produces inaccurate and/or unexpected results and needs to be challenged to identify potential problems and make corrections.

            With this generalized understanding, it is easy to understand why software could be blamed for forcing certain behaviors; however, in many cases this is a good thing, while in other cases the user may be trying to address a need with the wrong software.

            Technology advances, while creating new capabilities, enable people to do things they couldn’t otherwise do, and that is not always a bad thing.

  4. Brett Curran
    July 8, 2010 at 6:52 AM

    Norman, as you know, I recently went unemployed by having my position eliminated at a “leading Enterprise GRC software” vendor. Back in 2001 when I was a newly appointed HIPAA Program Director (a former IT guy for 20 years) for a holding company of insurance carriers, I had hired PwC to help perform a GAP analysis of HIPAA Privacy regulations and our current practices to help build a list of requirements. I quickly realized that I would need some enterprise shared technology to manage policies, procedures, deliver role based training and perhaps manage reported incidents, perform periodic risk assessments and the like. I also was aware that Security, the Patriot Act and other regulations would have the same functional requirements to be managed across the enterprise of autonomously operated businesses, but I needed central oversight. I asked the PwC project manager what other clients were planning on doing to address these needs. In the meantime, I began looking at LMS’s, Quality Management, Document management, etc. solutions that would provide the functionalities I was looking for in a single application. This set of functionalities did not exist at that time as far as I, PwC, Gartner and other sources could find. It was at that time that I did not know what to call this type of application but was introduced to (my last employer) who was a new start-up that shared my same vision. Collectively, my company, PwC, the vendor and a law firm, along with Michael Rasmussen who was with Forrester at the time, came up with this phrase (GRC – Governance, Risk and Compliance) to give a label to software that would meet my needs. The thinking was that other companies would also be looking for a “no name” software solution to accomplish the same things I was. Since those days, a lot has changed. Shortly after HIPAA, we had SOX and more and more people recognized the market opportunity given the dollars being spent on compliance.

    New “GRC” software companies came out of the woodwork. Some of them just put on a fresh coat of paint to get a piece of the pie while others came from the ground up. Associations sprang up from out of the blue creating training programs, certifications and conferences to benefit from the market spend. It has been crazy to see where all this has gone just because there was no way to find a solution that combined certain capabilities that a few companies were interested in almost 10 years ago. Now nearly every software company has a solution that has a market spin on compliance, risk, audit, e-learning, incident management, e-discovery, policies, etc. and I agree, they are not all eGRC, nor does any single eGRC solution provide every function, every piece of content and every integration capability that would suit every need. What the term “GRC” does do, however, is get you in the same “city” for discussion.

    People need to stick to the basics and the KISS method regarding GRC just as they do with every other business problem or opportunity. However, when considering your plan, think BIG and work small. Before you make a significant investment in a Risk management application, for example, look at the relationships of people, processes and information related to compliance and audit before you finish your list of requirements and make your selection; in other words, avoid buying with blinders on to the rest of the business. Very few, if any, departments work in total independence from the rest of the business, and most software applications can solve more than one business problem.

  5. James Kidwell
    July 19, 2012 at 7:29 AM

    I came across this blog post two years after the fact while googling something else. Good points all, but I liked Peter’s observation about people being led more by technology solutions than by critical thinking. Similarly, the last paragraph in Brett’s reply should resonate loudly among people in our profession…
