More GRC Silliness

12 January 2009

CFO magazine has an online article titled "A Defining Moment" that caught my attention because it talks about how vendors of governance, risk, and compliance (GRC) solutions are smarting from charges that they allowed their customers to be blindsided by the risks that have resulted in their businesses failing.  In the article they quote someone from Forrester Research as saying, "Some blame vendors for skimping on risk and governance software in favor of more easily salable compliance tools.  The risk function is something software vendors didn't build out very well…"  Later on we see another statement: "But the biggest question of all remains whether and to what degree software can automate and augment the many business processes that lie at the heart of governance, risk, and compliance."  What really gets me is how both of these seem to show a basic misunderstanding of risk.  Risk management (like governance) is a human-driven activity that no software solution can provide; software can only facilitate risk management activities.  After all, who is ultimately responsible for risk management?  The vendor?  Of course not!  It's management.  Every organization, using the tools at its disposal, is obligated to identify risks to the company and then decide whether to accept, avoid, control, or transfer those risks based on the company's risk tolerance.  In other words, management owns the risk management process.  It cannot be outsourced, nor can it be performed by a vendor.

I also want to address the statement about how vendors are focusing on selling compliance solutions simply because they are an easier sell.  Note to Forrester: they're easier precisely because that's where automation is the most appropriate!  Any auditor will tell you that it's preferable to automate as many controls as possible (where it makes sense), which falls under the Compliance "leg" of GRC.  However, it's a different thing entirely to say the same for Governance or Risk.  These cannot be automated in the same way that Compliance can.  I would like to know how the folks at Forrester would suggest that vendors do this, though.  It's really easy for someone at Forrester or Gartner to slam somebody for not doing this or that, yet when it comes to discussing alternatives they either offer vague ideas or simply remain silent, expecting the rest of us "unwashed masses" to take their word for it and wait for their next pontification.

Regarding the second statement, it answers its own supposed question about whether software can automate and augment the many business processes that lie at the heart of governance, risk, and compliance.  Note to John Edwards, the author of the article: this is exactly what software is supposed to do!  Software tools automate and augment the business processes.  The process owners and other stakeholders then use the tools to manage enterprise risk and compliance, which in turn supports the overall state of governance.

Finally, the fact that no one has really defined what exactly "GRC" means doesn't help matters much either, so how about we start with that?  It should be fun to watch.

© 2009 Brightfly, Inc.