
A new study on “Effective GRC Management: Positioning your company for growth”

January 25, 2011

The Aberdeen Group recently published a new report on this topic. You can access it here.

Although I disagree with the way the report defines GRC, their report is interesting and I recommend it to all risk and compliance professionals. (While they don’t detail their definition, it is clearly limited to risk and compliance. The “G” in GRC is silent. See this post for a discussion of how I see GRC.)

Perhaps the most interesting section (on page 10) is where they explain that the top 20% of organizations (in terms of GRC maturity) have obtained:

  • 23% reduction in risk value in the past two years
  • 23% reduction in compliance-related costs in the past two years
  • 22% growth in new-market revenue in the past two years
  • 90% positive compliance audit success rate (yielding favorable results) in the past twelve months
  • 84% success rate in execution of management directives in the past twelve months

It is interesting that Aberdeen reports that a growth in new market revenue can be achieved. This is explained in an insert on page 13: “GRC management has traditionally been viewed as a means to reduce liability-related costs, and problems associated with financial and operational control. Given the dynamic regulatory environment, GRC management is now setting the stage for new revenue opportunities. By improving access to selling into global markets, and attracting customers through liability-reduction, companies are increasingly viewing GRC solutions and services as key elements to their growth strategy.”

I believe this significantly understates the potential to drive new revenue through effective GRC programs. GRC is about understanding stakeholder needs, setting appropriate strategies, optimizing performance, considering risk, and remaining in compliance (see this post for more). Aberdeen’s thin focus on compliance does not include the opportunity represented by integrating strategy and risk management, performance management and risk management, and building an agile risk-intelligent organization that can deliver sustainable, optimal performance.

Also interesting is their list of enablers, on page 11, in particular the inclusion of strategy management and ERP solutions. It includes:

  • GRC solutions (which they do not define)
  • Risk management tools (point solutions)
  • Workflow automation solutions
  • Strategy management solutions
  • ERP
  • Financial modeling solutions
  • Enterprise Performance Management solutions
  • Business Process Management solutions

I am interested in your take on this report – leaving aside the fact that it focuses on risk and compliance rather than GRC. Does anything surprise you?

  1. Norman Marks
    January 25, 2011 at 8:57 AM
  2. Michael Corcoran
    January 25, 2011 at 9:35 AM

    Some helpful observations – liked PACE and good practices identified.

    I did find the industry concentration of participating companies in this study perplexing: IT consulting firms made up 22% of responders, 8% software companies, 5% financial services firms, and all other industries less than 4% each? Is this really a representative survey to determine best of class! I do not think so.

    Equally perplexing were who responded to the GRC survey – Sales folks 19%, IT folks at 18%, Corporate folks at 11%, Finance folks 8% and Audit folks at 4%. So GRC is being led by Sales/IT 37% of these companies. Really! I will have to change my business development strategy.

  3. Dan Clayton
    January 26, 2011 at 11:54 AM

    I hate to be pessimistic, but I can’t see much value in this report. It feels more like a marketing tool. It provides lots of generic numbers with few scope parameters, assumptions, etc. However, the real gap is that there is no “chicken versus the egg” discussion. Is the presence of the enablers what creates success or is it the formal GRC-related efforts? I would put my money on the enablers.

    Businesses mature over time. Standardizing and formalizing will always improve accountability and transparency, which usually leads to better decision making and results. Experiencing positive results comes from standardizing; strategic and business objective dissemination, performance expectations of management/people given the objectives received, and aligning operational processes and related technology with overall objectives. That basic model brings success.

    True, the GRC conversation can promote more awareness of the business to move in this direction, but would it move an ad hoc organization to a more formal environment? I don’t think so. Rather I would say that the current state of GRC helps mostly mature organizations (who are poised to think about formality already) to move from step 3 to step 4…, where step 5 would be ideal.

    A more valuable focus would be on identifying the state of business maturity and then helping them get to the next step.

    My thoughts,
