A new study on “Effective GRC Management: Positioning your company for growth”
The Aberdeen Group recently published a new report on this topic. You can access it here.
Although I disagree with the way the report defines GRC, their report is interesting and I recommend it to all risk and compliance professionals. (While they don’t detail their definition, it is clearly limited to risk and compliance. The “G” in GRC is silent. See this post for a discussion of how I see GRC.)
Perhaps the most interesting section (on page 10) is where they explain that the top 20% of organizations (in terms of GRC maturity) have obtained:
- 23% reduction in risk value in the past two years
- 23% reduction in compliance-related costs in the past two years
- 22% growth in new-market revenue in the past two years
- 90% positive compliance audit success rate (yielding favorable results) in the past twelve months
- 84% success rate in execution of management directives in the past twelve months
It is interesting that Aberdeen reports that growth in new-market revenue can be achieved. This is explained in an insert on page 13: “GRC management has traditionally been viewed as a means to reduce liability-related costs, and problems associated with financial and operational control. Given the dynamic regulatory environment, GRC management is now setting the stage for new revenue opportunities. By improving access to selling into global markets, and attracting customers through liability-reduction, companies are increasingly viewing GRC solutions and services as key elements to their growth strategy.”
I believe this significantly understates the potential to drive new revenue through effective GRC programs. GRC is about understanding stakeholder needs, setting appropriate strategies, optimizing performance, considering risk, and remaining in compliance (see this post for more). Aberdeen’s thin focus on compliance does not include the opportunity represented by integrating strategy and risk management, performance management and risk management, and building an agile risk-intelligent organization that can deliver sustainable, optimal performance.
Also interesting is their list of enablers, on page 11, in particular the inclusion of strategy management and ERP solutions. It includes:
- GRC solutions (which they do not define)
- Risk management tools (point solutions)
- Workflow automation solutions
- Strategy management solutions
- Financial modeling solutions
- Enterprise Performance Management solutions
- Business Process Management solutions
I am interested in your take on this report – leaving aside the fact that it focuses on risk and compliance rather than GRC. Does anything surprise you?