Three years ago, when managers at SunTrust Banks Inc. began searching for software that might help them cope with new regulatory requirements, they kept their demands to a minimum. Although the financial-services company had just endured a tough first year of Sarbanes-Oxley compliance, no one expected software to solve all the problems. "Sarbox was killing us," says John Wheeler, the company's senior vice president of financial-reporting risk management, "but we went in with very defined — and low — expectations. We wanted a basic, bare-bones program."
SunTrust purchased a financial controls management application from OpenPages, one that Wheeler says was limited in scope, but flexible. And OpenPages claimed that, in subsequent releases, the program would link up with its other compliance and risk-management programs. "That integration wasn't quite there when we first implemented the software," says Wheeler. "We were going on faith regarding the vendor's promises."
SunTrust hasn't been disappointed. Since 2005, OpenPages has extended the capabilities of its product, allowing SunTrust to better assess risks stemming from Basel II and the Patriot Act, not to mention a variety of operational and credit risks. More recently, SunTrust purchased a general-compliance module from OpenPages, which the bank's compliance group uses to catalog regulatory mandates and related controls for each line of business. Next, says Wheeler, SunTrust plans to integrate the two compliance modules into a single platform.
Join the club. Increasingly, corporate executives are ratcheting up their expectations for software that can capture a wide range of governance, risk, and compliance (GRC) information. Those functions can overlap, sometimes in unexpected ways. In 2005, when the California State Automobile Association purchased a program called Leaders4 (from vendor 80-20), the goal was to use it as a board information-management system. But as Bob Flax, assistant general counsel at the automobile association, soon learned, "The software had functionality I didn't even know about."
That hidden functionality came in handy the next year, when Flax was asked to devise an automated system that would ensure that the motor club franchise could pass AAA's rigorous certification process. An annual ritual had evolved, says Flax, in which a different vice president was plucked from management each year to spearhead the painful process. "We had no central view of compliance," he notes. "We started from scratch every year."
That meant poring through a thick quality-control manual that contains what Flax describes as "probably 10,000 things" that the California club's 7,500 employees need to address.
To Flax's relief, it turned out the 80-20 software includes features ideally suited to the task. The program's electronic questionnaire function, for example, allowed Flax to send out questions about procedures and policies to employees, who then responded. The data was then certified, and Flax used the software to produce published reports for board members. "The software took what had been a four-month process down to two weeks," he says.
Beyond Scut Work
This urge to converge is largely a post-Sarbox quest for greater efficiency. As John Hagerty, vice president and research fellow at AMR Research, points out, companies have spent substantial sums attempting to cope with the many burdens of Sarbanes-Oxley. Spending on Sarbox peaked in 2006, with publicly traded companies forking out about $2 billion on technology and consulting to help them assess internal controls and material weaknesses. With much of the Section 404 scut work now automated, customers want to leverage that initial investment and create a foundation for future compliance needs.
Rather than inquire about Sarbox-only software, vendors say clients now routinely issue RFPs for programs that can handle an array of mandates, including Basel II and sustainability reporting. In addition, prospective buyers appear to be zeroing in on software that offers a range of functions (such as risk modeling and survey publishing). "The Sarbanes-Oxley market has almost disappeared," confirms Luc Brandts, chief technology officer at compliance-software publisher BWise. "But convergence is hot."
Application vendors, who cling to marketing hooks the way cats cling to curtains, have been only too happy to cater to this desire, probably motivated by the fact that since 2003 the average price for such applications has more than tripled, to $400,000. At last count, Corporate Integrity president Michael Rasmussen found 114 software vendors that claim to offer GRC platforms. The hijacking of a three-letter acronym is standard practice in the software world, of course, and makes life difficult for would-be GRC customers. "Convergence is about processes, about getting different roles to talk to each other, and working toward a common goal," Rasmussen says. Most sales pitches don't acknowledge the nuances, or difficulty, of such efforts.
If the need to bridge various divisions and departments within an enterprise in order to achieve a holistic view of compliance and risk issues sounds familiar, it is. Remember enterprise risk management (ERM)? Highly touted by insurance companies (and the business press), it emphasized the need for managers to address risk in a systematic rather than a compartmentalized fashion. Approached in this way, responsibility for risk management fans out across functions and operating units and becomes a part of many people's jobs.