A Defining Moment

Stung by charges that customers never saw risks coming, vendors of governance, risk, and compliance software are rebuilding their image.

John Edwards, CFO Magazine
January 1, 2009

Compliance cost reduction

Great points here, John. I agree with Forrester's Othersen. Risk and governance concerns were central to the global economic meltdown, but here's the thing: compliance has been exacting a heavy financial toll on regulated companies for years. And going forward, companies that don't automate their compliance processes will continue to bear hefty compliance "taxes," e.g., an average of $4.36 million for SOX compliance. That's not to say that governance and risk are "flash in the pan" issues. It's just that year in and year out, companies get beat up and ground down on compliance, regardless of the state of the economy. Automating compliance reporting just makes it easier and less expensive to demonstrate compliance.

John H. Capobianco
Lumigent Technologies, Inc.

Posted by John Capobianco | January 14, 2009 10:48 am

Nobody Gets It

This entire article shows an almost complete misunderstanding of basic risk management and governance, but here are two quotes that I singled out:

Forrester: "Some blame vendors for skimping on risk and governance software in favor of more easily salable compliance tools. The risk function is something software vendors didn't build out very well..."

Note to Forrester: compliance tools are an easier sell precisely because that's where automation is the most appropriate! Any auditor will tell you that it's preferable to automate as many controls as possible (and where it makes sense), which falls under the Compliance "leg" of GRC. However, it's a different thing entirely to say the same for Governance or Risk. These cannot be automated in the same way that Compliance can. I would like to know how the folks at Forrester would suggest that vendors do this, though. It's really easy for someone at Forrester or Gartner to slam somebody for not doing this or that, yet when it comes to discussing alternatives, they either offer vague ideas or simply remain silent, expecting the rest of us "unwashed masses" to take their word for it and wait for their next pontification.

Author: "But the biggest question of all remains whether and to what degree software can automate and augment the many business processes that lie at the heart of governance, risk, and compliance."

Note to author: you ask and answer your own question. This is exactly what software is supposed to do! Software tools automate and augment the business processes (and they have for years, by the way). The process owners and other stakeholders then use the tools to manage enterprise risk and compliance, which in turn supports the overall state of governance. A better question would have been "How will vendors address the need to tie their solutions to the human-driven side of GRC?"

Final thoughts: Risk management (like governance) is a human-driven activity that no software solution can provide; software can only facilitate risk management activities. After all, who is ultimately responsible for risk management? The vendor? Of course not! It's management. Every organization, using the tools at its disposal, is legally obligated to identify risks to the company and then decide whether to accept, avoid, control, or transfer those risks based on the company's risk tolerance. In other words, management owns the risk management process. It cannot be outsourced, nor can it be performed by a vendor. In case anyone is wondering, I spent almost seven years in the Big Four performing IT audit and security consulting work, and I've authored two books on the subject.

Posted by Mark Adams | January 12, 2009 02:39 pm

CFO Publishing Corporation 2009. All rights reserved.