Robert Kugel's Analyst Perspectives

Companies Are Lagging in GRC Maturity

Posted by Robert Kugel on Jun 7, 2012 10:51:48 AM

Ventana Research recently completed benchmark research on governance, risk and compliance (GRC), three business activities that are naturally linked. Although managing them requires separate and sometimes very different processes, on the whole these activities affect each other: effective corporate governance ensures compliance with laws, regulations and company policies, and without governance there is no way to control risk. Separately or considered together, managing governance, risk and compliance is increasingly important.

Risk is part of any business undertaking and comes in many forms. Managing it involves anticipating negative events, understanding their costs, determining whether potential benefits outweigh the risks, and applying controls to prevent risk events or mitigate their impacts if they occur. Managing risk intelligently is a hallmark of successful companies.

Similarly, compliance with existing laws and regulations is essential. Governance ensures that processes are in place to perform legally mandated tasks (such as filing forms or performing tests) in ways that reduce or eliminate the risks and consequences of failing to meet requirements.

Automating tasks in governance, risk and compliance can enable organizations to complete them regularly and quickly while avoiding both errors that mean having to redo the tasks and the costs of mismanaged risks or inadequate compliance. Software that automates aspects of GRC management processes, from collecting data to analyzing it to submitting status updates or reports, can monitor risks and alert people when thresholds are passed. It likewise can manage the steps required for compliance approval.

Yet it seems that most organizations don’t deal effectively with GRC. Our research finds a solid majority of companies (63%) in the bottom half of our maturity distribution in their management of governance, risk and compliance. Our analysis, which assesses maturity in four organizational categories, found that companies are more mature in People and Process and less mature in Technology and Information. In both of the latter two categories, more than 70 percent of research participants ranked at the two lowest maturity levels. Regarding Information, the research uncovered what we view as a lack of engagement with the core issue of access to and use of the data necessary to measure and assess risk. One barrier that many companies face is their use of spreadsheets in GRC processes, which by themselves can introduce unacceptable levels of risk and error.

Among the factors holding companies back is that corporations (especially those that are not heavily regulated) treat GRC like so many other purely administrative tasks: they look to satisfice their compliance obligations, not optimize them. Investments that could improve the efficiency of these processes have a low priority. Another factor is that while risk management is a well-understood business requirement in financial services, with centuries of established practices and metrics, it is much less well developed in most other industries. Companies typically consider risk in business decisions, but they do so more informally and in an inconsistent fashion. Thus, critical information needed for formal risk measurement and assessment is either not captured by a company’s IT systems or captured in a form that is not useful for this purpose.

It’s certainly true that governance, risk and compliance activities do not generate revenue and rarely confer a strategic advantage. Nonetheless, organizations should not treat these activities lightly. Most companies do not need to make wholesale changes to their business priorities to add GRC processes, and they don’t need to make major investments to achieve measurable improvements in how they execute these processes or manage risks. Simply automating the processes as much as possible lets companies meet requirements while cutting the time and effort to manage them.

At present there are no software tools that address GRC as a package, as we’ve noted before. Our benchmark research shows that as organizations begin to consider options for each facet of their GRC obligations – whether financial, operational or IT – they must look for practical qualities in software, particularly usability and functionality, that will help them complete tasks more easily.

We expect to see a market developing to handle GRC as a platform as vendors build more unified and coherent arrays of offerings. I expect the driver of this to be a desire by large consulting partners with broad GRC practices to work with a limited set of vendors. Since many GRC projects require a heavy dose of intellectual property and expertise, I believe customers will find value in working with one or possibly two vendors, blending their intellectual property with packaged software. Organizations that take these steps will be more confident that they handle GRC well and can turn their attention to other activities that directly affect their success.


Robert Kugel – SVP Research


Written by Robert Kugel

Rob heads up the CFO and business research focusing on the intersection of information technology with the finance organization and business. The financial performance management (FPM) research agenda includes the application of IT to financial process optimization and collaborative systems; control systems and analytics; and advanced budgeting and planning. Prior to joining Ventana Research he was an equity research analyst at several firms including First Albany Corporation, Morgan Stanley, and Drexel Burnham, and a consultant with McKinsey and Company. Rob was an Institutional Investor All-American Team member and on the Wall Street Journal All-Star list. Rob has experience in aerospace and defense, banking, manufacturing and retail and consumer services. Rob earned his BA in Economics/Finance at Hampshire College, an MBA in Finance/Accounting at Columbia University, and is a CFA charter holder.