March 19, 2010 // By: Alex Joseph (itelligence), Alec Arons (Tatum) // A Practical Approach to GRC
Even companies with no apparent compliance problems have begun to improve their governance, risk and compliance (GRC) measures in order to capitalize on global markets. While working through SOX compliance activities, these companies realized that although their operations ran on a single IT platform, their processes and controls lacked consistency on a global scale, leaving their investment in enterprise resource planning (ERP) software under-leveraged.
Recognizing an opportunity to get more from those systems, these companies now seek to tighten business rules and enforce consistency across business processes. Risk management remains U.S. companies' top GRC motivation, according to a November 2009 AMR Research survey of 151 companies of all sizes and industries. The same companies plan to spend $29.8 billion on GRC activities in 2010, up 3.9 percent, according to AMR Research. From a broader global perspective, analyst firm Gartner predicts that worldwide corporate GRC spending will top $1.3 billion by 2011.
Given the size of GRC investments and the central role that ERP plays in GRC implementations, many companies are surprised to learn that the key challenge in achieving true GRC is cultural, not technological. For instance, a company that exports to 150 countries must ensure compliance with 150 different sets of regulations, while also screening its partner roster against domestic embargo and "denied parties" lists. A GRC-optimized ERP solution can automate the compliance reports these activities require, but the accuracy of those reports ultimately depends on a workforce that understands how to enter and source the underlying data correctly. Policies, procedures and training therefore become necessary in order to fully capitalize on the IT solution.
To bring about this cultural change, some companies engage outsourced partnership teams of risk advisors and IT subject-matter experts. Risk advisors with senior-management experience provide the objectivity and oversight demanded at each stage of implementing the new governance structure. By supporting the process and addressing critical issues as they arise during the project lifecycle, these advisors also allow internal decision makers to continue functioning in their day-to-day roles.
Meanwhile, the advisors work closely with the IT service provider to ensure that the developing business vision is reflected in the technical solution that will ultimately be deployed to support and sustain the governance measures. The outsourced partners assist with each step of the implementation: forming a project steering committee, performing a risk assessment, devising a risk-mitigation strategy, and carrying out the numerous additional steps involved in implementing a true GRC program.