A Brief History of GRC
Told from a Xennial Perspective
By Evan Stos
So, who wants to read about the history of GRC? If you’re sitting down, don’t worry about using the entire seat, because you’ll only need the edge. However, before I delve into that, I want to talk about how I can’t stand being referred to as a millennial.
It’s not that I dislike the Millennial generation—I could go on a tangent here (but I won’t!) that history has shown that older generations have been dogging the newer ones for, well, generations—but I don’t feel like I fit the typical profile of a millennial.
The widely accepted definition of a millennial is someone born between the early 1980s and mid-1990s, and I graced this world with my presence in the early 1980s, right on the edge of the date range. So while I technically fall into the millennial category, I always felt stuck in the middle between both that and the Generation X category. There are a couple of reasons why I feel this way, but for the purposes of this tech blog, the reason I’ll elaborate on is—you guessed it!—how I interact with technology.
Fortunately, I’m not the only one who feels this way. Researchers have determined that there is a “microgeneration” of those born on the cusp of when Gen Xers and millennials meet (namely between 1977 and 1983). Rather than call it something cool, they just combined the phrases “Generation X” and “millennial” and came up with the word “Xennial”.
Way to be creative, researchers.
One of the primary things that makes Xennials different is that they are old enough to remember a world without intricate, game-changing technology. The internet was not part of my childhood, but computers existed and I could sense there was something special about using one. I remember when I was in high school and we got our first 14.4K dial-up internet modem…those of you old enough to remember can probably hear the “handshake” noises it made when connecting in your head now. I got my first cell phone when I graduated from high school—a giant Nokia “Zach Morris” brick phone—and it was glorious. My first official email address came when I went to college and I remember when Facebook was “TheFacebook” and was only available at college campuses.
Ok, so enough with the nostalgia: What does this have to do with the history of GRC, you ask? Because a lot of articles I’ve read detailing the history of GRC talk about how GRC “started” in the mid-2000s. As someone who has worked in GRC for the past 12 years, I don’t totally agree with this. GRC was around far before we had advanced technological tools to automate, consolidate and manage it…we just didn’t call it GRC. Instead, the silos were specifically called out and managed accordingly: audit, risk, policy, vendor, business continuity, etc. People used pen, paper and file cabinets. This evolved to archaic spreadsheets. Then maybe they used…gasp…Lotus Notes! The point is, organizations found a way to manage these processes long before GRC technology existed. But just like how I can remember my life without a cell phone and email address, my life was made markedly easier and I was able to communicate much more quickly and operate more efficiently (in most cases!) once I had them. Except for when I was playing the “snake” game on my Nokia phone.
When GRC platforms started becoming a “thing” in the mid-2000s, there were only a few major players in the market. They focused primarily on IT: whether it be controls, policies or risk management. Additionally, with the Enron and Worldcom scandals, SOX and its myriad of financial reporting controls rapidly became platform offerings as well. As the market started expanding quickly at the turn of the decade, the concept of “eGRC,” with the “e” standing for enterprise, swept the landscape. Why settle for managing IT processes when many of the tools were capable of managing an entire organization’s Governance, Risk and Compliance frameworks? The natural progression had begun.
Fast forward to today, and now some GRC platforms in the market—and there are plenty now—can do much more than just GRC. These select few have evolved so that they are able to automate almost any business process you’re looking to manage. Furthermore, I think many people in this space have begun to realize that GRC isn’t just about the technology you use to support it. At a high level, it helps you communicate more quickly and operate more efficiently (sound familiar?) all while having an environment where information is easily shared between what were previously disparate processes. However, it all starts with having a solid procedure to begin with. So much like being a Xennial, when you know what it’s like to manage GRC processes without technology, you can really appreciate how much easier your life is when you manage and automate it with technology. Unfortunately, you still may long for the days where you had to memorize peoples’ phone numbers.