By Dan Wilhelms, SymSoft Corp.
Sometimes, it takes a painful event for us to do what’s good for us. For example, many of us talk about eating better, exercising more and generally getting healthier. But that’s all it is -- until we have a heart attack. After that wake-up call, we’re forced into doing the things we always knew we should, and after we get past that first painful period of adjustment, we find we’re the better for it.
Compliance is the business world’s version of the heart attack. After the accounting scandals of the early 21st century, enterprises were forced to put in controls over their business processes, mostly in the area of Segregation of Duties (SOD), to meet compliance laws. The first-generation tools they had were adequate, like a worn-out treadmill or an old pamphlet on eating healthy. But the process was still painstaking and painful.
Looking ahead to 2010, though, it appears we’re coming out of the painful “adjusting to the new life realities” phase, and moving into the part where enterprises will see real gains in the area of Governance, Risk and Compliance (GRC). Much of this can be attributed to second-generation tools that make GRC more affordable, especially for small and mid-size enterprises. They also embed compliance into business processes, and ultimately help executives do a better job of managing their businesses.
While it might seem odd for someone in my position to perform that riskiest feat of all -- making bold predictions -- here’s where GRC is headed in 2010:
• Less C, More G & R -- In the rush to meet compliance after Sarbanes-Oxley (SOX) took effect, enterprises focused on getting reports done by any means possible. Some adopted painful, manual processes, while others purchased expensive “first-generation” software. The work was often haphazard and sloppy because there was no roadmap or prior experience. Organizations ended up exerting a lot of manual effort to make compliance happen.
Now, though, there has been an epiphany in the business world -- GRC is really about business process engineering and vice-versa. The best-run enterprises have a passion for improving business operations, and are looking for ways to streamline and automate their approaches. Making GRC a part of the way they do business every day -- instead of a special effort on top of the normal course of business -- is a part of that.
In 2010 they won’t be looking just to comply -- they will be looking to second-generation GRC tools to help them run better.
• Move to Best-of-Breed -- When the big ERP systems such as SAP and Oracle were introduced, organizations tried to leverage them to do everything. What they found is that large ERP systems do some things very well, and in other areas they struggle. GRC, quite frankly, is one of those areas where they struggle.
In 2010, these enterprises will be more open to taking a best-of-breed approach, bolting better, faster, and/or cheaper solutions onto their ERP systems as necessary, which will allow them to be both more efficient and more nimble.
• Talking about Second Generation -- Let’s be honest: While there are a lot of benefits to be derived from GRC, the first-generation software tools that came out in the wake of the SOX legislation were expensive, difficult to implement, and cumbersome to use. Now that enterprises have been through it a few times, however, they’re looking for ways to bring those costs down -- especially the time and personnel costs -- and to reduce ongoing support costs (annual software maintenance fees and IT infrastructure costs).
Second-generation GRC tools allow them to reduce their total cost of compliance (TCC) while getting more benefits out of their GRC efforts. That, incidentally, also makes GRC more attractive to privately held companies that are not covered under SOX but want to improve their business processes as well.