The Sarbanes-Oxley Act has long had a digital doppelgänger. Almost from the day it was announced, and certainly since its Section 404 emerged as a major corporate headache, IT companies have hawked products that promise to ease the regulatory burden. Often these have been hastily retooled versions of applications that were originally designed to do something else — manage documents and workflows, for example, or provide a repository or database for business rules.
If these software vendors were hoping for a bonanza, they were soon disappointed. While many companies have, over time, come to see automation as a part of the Sarbox solution, for most it has been ancillary to retooled processes and other activities. And with recent guidance from the Securities and Exchange Commission shifting the focus of Section 404 compliance to an assessment of material risk, instead of an exhaustive cataloging of every facet of every control that organizations rely on, the need to document the minutiae of corporate life may soon abate.
But when it comes to opportunity knocking, software companies and IT consultants have a sense of hearing that a dog might envy. Even before the Section 404 playbook was being altered, vendors were altering their Sarbox applications, morphing them into more-complex and more broadly focused products that could address two related areas heavily affected by Sarbox: corporate governance and risk management.
Thus governance, risk, and compliance (GRC) software was born. At its core it remains a tracking system, capturing data on various compliance requirements as they affect a specific company and chronicling how the company does (or does not) satisfy those requirements.
But the software is now more than an automated checklist. Increasingly it aims to provide more-sophisticated decision-support capabilities. That's in large part because even as the growing list of regulatory requirements creates a new level of risk (namely, the risk that a company won't meet a requirement and will thus face penalties), other forms of risk are also receiving more attention in Corporate America. In fact, the field of enterprise risk management (ERM) is nearly synonymous with GRC, and many GRC products are touted for their ability to help companies monitor and analyze a wide range of business risks, of which regulatory compliance is merely one.
If you find this both compelling and confusing, join the club. Even companies that have embraced GRC admit that they aren't always sure exactly what it means or how far it can extend. Despite the advancing capabilities of the technology, some companies say they prefer GRC software that is limited in scope, and others are pursuing a GRC strategy that focuses on organizational structure and processes rather than IT.
Overlapping Efforts
Despite those differing approaches, however, many companies agree on two key points: there is a degree of overlap between governance, compliance, and risk-management efforts; and failing to coordinate those efforts often leads to duplicated work and higher costs.
"Companies now spend about 8.5 percent of their IT budgets on compliance needs," says French Caldwell, an analyst at Gartner. "The next step is to leverage the investments they've made in systems that simply capture data for compliance purposes, and use that data to aid decision making on operational risk and corporate performance."
But while "next step" implies a logical progression, that's not how things play out at most companies. Often, Caldwell says, companies have already purchased more than one software package to address different facets of GRC. That happens for many reasons. One, different groups are often responsible for different aspects of GRC management. Not only might the compliance staff and the risk-management staff be separate, but employees responsible for, say, financial compliance under Sarbox may have no interaction with employees responsible for health and safety compliance under the Occupational Safety and Health Administration, the Environmental Protection Agency, or some other federal regulatory body. Each group often buys a software package that meets its needs. "This often leads to companies paying for several licenses for similar products," Caldwell says. "If they bought an enterprise license for one, they could save a lot of money."
Oracle and SAP have both entered the GRC arena, offering a range of products designed around what Oracle's Chris Leone, group vice president of applications strategy, calls "an orchestration piece that documents and monitors all GRC efforts." As Gartner's Caldwell sees it, "The entrance of ERP companies indicates that the GRC market is real, and for companies that put an emphasis on operations risk management, adopting a single technology platform can be extremely useful."
Many companies prefer to start small — and stay there. At transportation services firm YRC Worldwide, general counsel Dan Churay says that while there are some potential synergies between governance, risk, and compliance, "the degree of overlap is overemphasized, both by vendors and consultants and also by people within companies who may be new to risk or compliance."