A Short Account of GRC Software
Big Impact in a Small Amount of Time
By Aaron Freeze
Listen carefully as you read. You can almost hear the guttural pronunciation of the words.
“Ooga booga gabooga googa, grog booga!”
Roughly translated, this basically means, “Watch out for that woolly mammoth over there, it’s dangerous!” Historians have come to believe that the utterance of these words was the first time risk management became a profession. Governance, risk management and compliance have, as ideas, existed since companies were first formed, being created by necessity and reacted to out of tragedy or failure. I could look back over the eons of time and describe how the cavemen of yonder days would calculate the risk of attacking the woolly mammoth, or how the early fishermen wouldn’t sell fish that was spoiled, to be compliant with local laws. However, in order to do that I would need to discard all of the progress that has been made in the past few years, and I would also need to write a lot more. For all intents and purposes, GRC was introduced as a formal scholarly concept in 2007, with a paper written by Scott Mitchell titled, “GRC360: A framework to help organizations drive principled performance,” and published in the Internal Journal of Disclosure and Governance. A formal definition was also given, saying that GRC is “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity,” and from those beginnings, an industry has been formed around answering the questions of risk and compliance that have been posed since the dawn of time.
There are many different sections of GRC; the three largest categories in the industry, however, are Finance and Audit GRC, Enterprise risk management, and IT GRC management. In the years since GRC was formalized, IT GRC management has begun to take over as the big dog on campus, having many different segments that have helped standardize other areas in the industry. This has led to many different platforms and products attempting to best satisfy the needs of the many, many companies in this area, and to provide the best answer to the question of how to manage risk within an organization. Along the same lines as GRC itself, there are three main sections in the realm of product vendors for GRC solutions, with virtually all of them offering some sort of IT product. These three sections are: Integrated GRC solutions, Domain Specific GRC solutions and Point solutions to GRC. These sections first reared their heads, and companies started to see the need for this as a solution, on the coattails of some of the largest scandals in American corporate history, namely Enron, WorldCom and Tyco. These scandals led, of course, to the Sarbanes-Oxley Act of 2002 (SOX), which kicked off the need for a way to confirm compliance with regulatory committees, manage governing policies and manage risk as a whole. In a small Chicago office shortly before SOX passed in 2002, the idea of a solution to these problems rose like the proverbial phoenix from the ashes of scandal.
The GRC software market has several different sections, ranging from full-fledged integrated GRC platforms to specific point solutions, and each of these can help a company deal with many different problems or tasks. The joining point of all of these different products is that they help answer the questions that the caveman asked eons ago: “How best to manage risk?” and “How best to integrate these risk management solutions into a productive business model while maintaining corporate integrity at the highest regulatory levels (direct translations from cavemen are rarely this coherent)?”
There are many changes that will happen in this industry over the next few years, and these changes will impact the industry for many years more. Artificial intelligence will drive further advances in technology and solutions to help best manage the different regulations that get rolled out. Big data is helping decision makers choose the best path for a company to tread, and it helps to see obstacles far in the future that can be avoided. All in all, GRC may be an old trade, but it is one that will never go away, and it is something that will continue to evolve with the world around it.