Risk Management & Reporting For Enterprises
Governance, risk, and compliance (GRC) solutions evolved in response to the growing information and process complexity of compliance and risk management. Initially launched in large part by Sarbanes-Oxley requirements, GRC has evolved into a full enterprise application for compliance and risk management. While the GRC vendor landscape remains fragmented, the space has largely evolved toward the development of “enterprise GRC,” or the cross-organization and cross-functional management of governance, assurance, risk, and compliance activities. These expansions have brought a variety of stakeholders into GRC, creating demand for tailored insight and workflow for diverse users while maintaining a centralized information architecture.
GRC providers have responded, to greater and lesser degrees, by developing capabilities and refining their architecture to balance individual user productivity and insight with cross-enterprise information and process management. This report explores four major areas of differentiation that have emerged as a result: (1) use-case sensitive work environments, (2) the incorporation of analytics, (3) data visualization capabilities, and (4) configurable workflows. This report, and the subsequent blog reports in the series, explore the dynamics of each differentiator and identify potential market needs in light of growing demands for cross-enterprise insight into compliance and risk.
THE RISK MANAGEMENT & REPORTING STUDY AT A GLANCE
As GRC evolves from a functionally oriented solution to a true enterprise risk management platform, the number and diversity of enterprise stakeholders that provide or apply enterprise risk management data has expanded significantly. This has created new needs and new areas of differentiation for GRC.
This report draws from Blue Hill Research analysis and research interviews with fifteen senior risk management executives to identify and profile four key differentiators in the maturing enterprise GRC landscape:
- Tailoring to use-case contexts
- Incorporation of business intelligence analytics
- Data visualization
- Configurability of workflows
The Core Functionality and Value of GRC
Compliance and risk management professionals are responsible for identifying issues, maintaining corporate tolerances and standards, responding to incidents, and reporting to other business leaders as well as external stakeholders and authorities. GRC solutions are largely aimed at these functions, often with permutations adapted to particular industries, risks, or roles. The most common specializations of GRC relate to financial, IT, legal, and compliance functions, while enterprise GRC combines these views into a comprehensive vision of corporate risk and compliance efforts.
As a matter of product functionality, the core components of GRC generally involve the following capabilities:
- Centralized data management
- Process and incident management
- Workflow management
- Automated monitoring and alerting
- Automated reporting
Depending on the scope of an implementation, these capabilities may be deployed in support of a single unit, a full compliance or risk department, or as a comprehensive enterprise solution.
Figure 1: Core Functionality Supported by GRC
Source: Blue Hill Research, February 2015
In keeping with these capabilities, GRC’s first source of value manifests in terms of operational efficiency. In the absence of GRC, organizations often rely on manual and spreadsheet-based processes, which result in significant time demands related to information collection, aggregation, analysis, and reporting. This affects the compliance and risk staff tasked with these processes, as well as other business units that must respond to requests or wait on compliance and risk management staff approval to execute processes. As such, the most basic applications of GRC primarily contribute value in terms of staff productivity. In this light, organizations participating in Blue Hill research generally report that GRC contributes between 25% and 30% reductions in the time required to execute compliance and risk tasks.
The most basic applications of GRC primarily contribute value in terms of staff productivity, with Blue Hill research interviews typically revealing between 25% and 30% reductions in staff time required to execute compliance and risk tasks.
However, these gains largely represent table stakes, with the larger value contributed by improved speed and quality of insight into changing compliance and risk status.
GRC’s second source of value emerges from the central collection, management, and analysis of data related to compliance and risk. In this light, GRC increases an organization’s ability to monitor performance, rapidly identify risks, and obtain insight into historical trends and changes. This improved compliance and risk visibility can, in turn, help to control an organization’s exposure, as well as mitigate the harm of adverse events. Advanced GRC capabilities, such as automated monitoring, alerting, and analytics, tend to benefit this area. The reach of GRC to the various risk owners distributed across the organization, as well as their acceptance of GRC and ability to use it effectively, are also factors that determine how accurately the data within GRC represents the actual exposures and performance of the organization.
The first source of value (efficiency) represents table stakes for GRC investments, and has a clear impact on the operational effectiveness and overhead associated with compliance and risk. This second area impacts the speed and quality of insight into changing risk and compliance status, as well as the effectiveness of the organization’s ability to respond. Because the business value of this insight generally manifests in reduced risk or avoided incidents or costs, rather than direct contributions to overhead, it can be difficult for organizations to quantify the impact of this aspect of GRC, even where they report substantial improvement. Nonetheless, organizations participating in Blue Hill research interviews uniformly reported that increased visibility into enterprise risks and operational performance constituted the most valuable benefit of GRC.
Table 1 summarizes the impact of core GRC functionality and related benefits as reported by research participants.