How to Implement and Align Technology within Your GRC Framework
by James Bone, Executive Director TheGRCBlueBook
GRC Summit – Michael Rasmussen (GRC 20/20), Norman Marks (SAP), Lance J. Freedman (Lockheed Martin Corporation)
Norman Marks’s introduction of the Day Two keynote speaker, Michael Rasmussen, demonstrated the divergence of views evolving in GRC. Norman set up the introduction with an overview of the State of the Industry address. Marks’s view is informed by developments in predictive analytics and the promise of big data.
“GRC stands for Governance, Risk and Confusion”, half joked Marks. “The GRC solution remains elusive as does agreement on definitions and a common taxonomy for implementing an effective framework.” So how does one align GRC with technology?
According to Marks, “there is no informed approach that has proved effective in deciding how to purchase a GRC solution.” The available analyst reports from leading consulting firms were deemed to be insufficient in providing prospective users with the tools needed to make an informed choice between respective risk solutions. “[Analyst’s] reports are based on a generic set of business outcomes intended to address the preconceived needs of risk managers”, according to Marks. Even Michael Rasmussen admits that risk managers need more than three client references from GRC vendors. “Do you expect to receive a bad reference from a GRC vendor?” questioned Michael.
Rasmussen has broadened his view of GRC beyond a strict definition of the features embedded in the platform to now include a focus on GRC architecture. In Michael’s view, “GRC is about organizing the manual processes, data and accountability to solve for the complexity inherent in today’s business environment”.
This is what Rasmussen calls “GRC3.0, Enterprise Architecture.” Rasmussen has adopted the OCEG Red Book framework as his operating model which advocates aligning business objectives and performance with GRC. “Effective enterprise architecture will require half a dozen or more GRC solutions in order to address the full complement of risks outlined in Michael’s framework.”
What both evangelists agree on is that the end solutions must have a positive impact on the performance of business objectives. One of the best lines came from Norman Marks as he described the cause of diluted successes in GRC to date. “These random acts of improvement lead to uncoordinated progress”, according to Marks. “The key is aligning GRC for business value from strategy to operations.”
Each of the panelists provided a comprehensive set of examples for why risk tools are needed to manage increasingly challenging regulatory and business objectives while leaving the audience with no more clarity on a prescription for moving forward. The missing piece to the puzzle remains elusive. How does one determine which solution is appropriate for their needs given the unique risk challenges each firm faces?
Will there be a convergence of approaches after a critical mass of firms adopts a systemic solution to manual processes and begins to see the benefit of Big Data analytics? Will predictive analytics make today’s subjective risk assessment irrelevant? Will a disparate set of solutions be needed, as Rasmussen suggests, once a clear data management program has been implemented with the requisite ability to query data for the business answers one is seeking?
The panelist debate prompted more questions than answers. What is clear is that a prospective buyer of these tools has very few reliable options for choosing the appropriate risk solution. Given the number of available GRC solutions providers, finding the tool that fits your needs is a daunting task. This task is made less clear by a lack of transparency into the market, generic standards for defining GRC implementation, and no professional consultative services independent of the solutions provider to develop a strategic plan before choosing the solution that addresses one’s needs.