
The solutions I would buy for GRC

GRC stands, I like to say, for “governance, risk management, and confusion”. The confusion is caused by the multiplicity of definitions for GRC. I think the answer to that lies with adoption of the OCEG definition, which I paraphrase as how an organization optimizes performance to deliver value, considering risk, and remaining in compliance. This is a business-oriented definition, rather than one focused on selling services or software, or putting together a limited set of functionality that is easy to rate. The OCEG definition just makes sense!

When I talk about solutions for GRC, I am talking about solutions that enable you to do what I just described as GRC: optimize performance, leveraging risk management, and staying compliant with applicable laws and regulations.

This is much more than risk and compliance management, with internal audit and policy management thrown in to represent governance. It’s about getting the various parts of the organization who contribute to governance, risk management, and compliance working together to deliver optimal performance and value for stakeholders.

It’s about the whole, not just the parts. See this post for a metaphor that explains what I mean.

Back to the question: what solutions would I buy for GRC?

First, I will digress and say that I would not seek out a so-called GRC platform. I hate the term (see here) because it is a collection of software that some vendors and analysts think goes together. However, they don’t necessarily match a company’s business needs and I buy software to solve business needs. (You don’t buy the highest-rated power tool without first understanding what you need to build. Maybe you just need a hammer and nails.) In fact, you may end up with a grab-bag of software that integrates with each other but not necessarily with the primary enterprise applications. You fragment and make less efficient the overall IT infrastructure.

I think the best way to answer is to take each of my last few companies and talk about their business needs and which solutions I would get. (I am ignoring the need to update the software they had and no, this is not a pitch for SAP solutions.)

The last company before SAP was Business Objects, where I ran internal audit, risk management, SOX, and license compliance. In general, the company made good use of technology. It had a single ERP and made decent use of its own applications for business intelligence and performance management. But, as someone responsible for implementing risk management (I liked AS/NZS 4360), I was severely limited by the lack of solutions; MS Office products are fine, but not what I needed to run risk management for a global company. The SOX program was in good shape, but again we were running it on MS Office products and certainly not being as efficient as I wanted. Access to the ERP and major enterprise applications was managed pretty manually, and we used Excel and Business Objects queries to monitor excess access to the ERP. While we were starting to use software for continuous auditing (primarily Business Objects' own solutions), the testing of automated controls was manual. We had recently implemented a package to help us provide the board with secure information, so that was not a problem, and neither was our whistleblower service. But the legal function was working off paper files and could really have used a case management solution. So, my shopping list for the company would have included:

  • Software for user access provisioning that would prevent, to the extent possible, users and IT people having more access than they needed – and reports to let us know if something slipped through the cracks
  • Risk management solutions
  • SOX software
  • Software to test automated controls (primarily one that would monitor configurations of key automated controls and confirm they were approved by the right people)
  • Legal case management

Prior to Business Objects, I was with Maxtor, a global $4bn manufacturer of hard drives. I was in charge of internal audit, SOX, and process improvement. Maxtor also had a single instance of a major ERP and some business intelligence capability. But the latter was limited to a few people in financial reporting. We had acquired a solution that just gave us reports of who had what access to the ERP and whether there were any segregation of duties issues. But the number of issues was far too high and the risk of inappropriate access unacceptable. We needed an access provisioning system as well as an access reporting system. One area I worried about was IT change management, especially when it came to some of its outsourced operations. It was hard to find out what changes were being made and whether they were tested and authorized. We needed risk management (the company eventually failed, at least in part because it failed to manage a number of strategic and operational risks), but we hadn’t got there yet. We had acquired a SOX solution which worked pretty well, but automated control testing consumed a heck of a lot of resources. My Maxtor shopping list would include:

  • Application change management
  • ERP system access provisioning, including the ability to limit superuser access privileges
  • More extensive business intelligence use, beyond financial reporting into business performance management
  • Software to help test automated controls
  • Risk management

Taking one last example, I worked at Solectron. I ran internal audit and advised on SOX. Solectron was a large, global company that did outsourced manufacturing for technology and phone companies (they made boards, phones, servers, and more). From an IT perspective, this place was a mess! It had a combination of basically autonomous operating divisions and regions, each of which had a collection of ERPs (we had one of everything) and other software. Consolidations were done in a combination of business intelligence software and MS Excel. If you wanted to see operating information across a division or the company, that was done in Excel. Internal audit used ACL and we had acquired a solution for SOX. The business intelligence software was rudimentary at best, and we didn’t have anything to manage performance. In fact, it was a tremendous task to find out how many contracts we had with the same vendor or customer. My Solectron shopping basket would have to be one of those very large carts and would include:

  • A single, major ERP that is used by all
  • A top-of-the-line business intelligence system so management knows what is going on and can make intelligent decisions to run the company (BTW, did I mention it failed?)
  • Risk management
  • Compliance management. Maybe I should have mentioned that compliance was nearly as fragmented as IT?

What does all this mean? Where am I going?

As an old manager of mine once told me, don’t think you have the solution until you understand the problem!

Before you go out there to get technology for GRC, understand what you have to address – what are the business problems. Prioritize them, and only then get the software you need: the software you need to improve performance, add or create value, manage risks, and remain in compliance.

There is no single, “off the rack”, solution that will match every organization. Get stuff that is designed for your needs.

  1. Premraj
    August 5, 2011 at 5:18 PM

    Hi Norman,
    That’s really good, I agree with you. Before buying technology/software/ERP we must analyse our business/needs/problems/requirements etc. No S/W or technology can give a 100% solution and strategic way to our business; we only have to choose which one is best for us.

    Thanks for sharing your experience.

    BRs,
    Premraj Kaushik

  2. Vik
    September 2, 2011 at 5:01 AM

    Hi Norman,
    Great post!
    I agree with you “There is no single, “off the rack”, solution that will match every organization. Get stuff that is designed for your needs.”

    I think the possible reason behind that is that most of the software vendors are either good in technology or they are good in business only. In my view, GRC goes into the business on one side and goes equally into the design of the software and technology on the other side as well.
    Unfortunately there are very few vendors who are equally good at handling the complexity of the complex technologies without losing the business value which is given by that technology. While working in SAP (the GRC unit, which SAP formed after the acquisition of Virsa Systems), SAP only thought of considering one at the cost of the other, since there was no perfect vision and scalability considered behind these decisions.

    I see there are very few software vendors who have this understanding of the subject in the GRC and security domain. During my research for GRC and security solutions, I came across “www.alertenterprise.com”. I have seen their solutions at some conferences.

    I was impressed to see the details, experience, domain expertise and completeness these solutions have offered to fill all the mentioned gaps with most of the tech software vendors.
    I recommend you spare some time to go through: http://www.alertenterprise.com

  3. July 10, 2014 at 7:44 PM

    Excellent post! We will be linking to this great content on our site.

    Keep up the great writing.
