GRC is Dead
I have to admit, I don’t really understand greedy desperation. Or desperate greed. For example, although I enjoy having a decent income, I don’t obsess about the big score. Someday I’d like a moderate score for a little extra financial security, but I’m not about to compromise my lifestyle or values to get it. As a business I know who my customers are and I make every effort to provide them with as much value as possible.
That’s why I don’t grok this whole GRC obsession (Governance, Risk, and Compliance) among certain sectors in the vendor community. It reeks of unnecessary desperation like the happily married drunk at the bar seething at all the fun of the singles partying around him. He’s got it good, but that’s not enough.
One of the first things I covered over at Gartner was risk management, and I even started the internal risk research community. This was before SOX, and once that hit a few of us started adding in compliance coverage. Early on I started covering the predecessors to today’s GRC tools, and was even quoted in Fortune magazine saying there was almost no market for this stuff (some were predicting it would be billions). That, needless to say, pissed off a few vendors, most of which are now out of business or on life support.
Gunnar Peterson seems to feel the same. He sees GRC as letting your company become audit-driven, rather than business-driven. He is, needless to say, not betting his career on GRC.
Now I’m about to rant on GRC, but please don’t mistake this as criticism of governance, risk management, or compliance. All are important, and tightly related, but they are tools to achieve our business goals, not goals in and of themselves.
GRC however is a beast unto itself. GRC is now code for “selling stuff to the C-level”. It has little to do with real governance, risk, and compliance; and everything to do with selling under-performing products at inflated prices. When a vendor says “GRC” they are saying, “here’s our product to finally get us into the Board Room and the CEO’s office”. The problem is, there isn’t a market for GRC. Let’s look at the potential buyers:
- C-Level Executives (the CEO and CFO)
- Auditors (internal)
- Auditors (external)
- Business unit managers (including the CSO/security).
Before going any further let’s just knock off external auditors, since they aren’t about to spend on anything except their own internal tools, which GRC doesn’t target.
Now let’s talk about what GRC tools do. There is no consistent definition, but current tools evolved from the SOX compliance reporting tools that appeared when Sarbanes-Oxley hit. These tools evolved from a few places, but primarily a mix of risk documentation and document management. They then sprinkled in controls libraries licensed from the Final Four accounting firms. I was never enamored by these tools, since they did little more than help you document processes. That’s fine if you charge reasonable prices, but many of these things were overinflated, detached from operational realities unless you dedicated staff to them, and often just repurposed products which failed at their primary goal. Most of the tools now are focused on providing executives with a “dashboard” of risk and compliance. They can document controls, sometimes take live feeds from other applications, “soft-test” controls (e.g., send an email to someone to confirm they are doing what the tool thinks) and generate reports. Much of what we call GRC should really be features of your ERP and accounting software.
In the security world, most of what we call GRC tools are dashboard and reporting tools that survey or plug into the rest of our security architecture. Conceptually, this is fine, except we see the tools drifting away from being functional for those with operational responsibilities, and focusing more on genericizing content for the “business” audience and auditors. It’s an additional, very highly priced, reporting layer.
That’s why I think this category is not only dead, it was never born. There is no one in an enterprise that will use a GRC tool on a day to day basis. The executives want their reports at the end of the quarter, and probably don’t mind a dashboard to glance at, but they’ll never drill down into all the minutiae of controls that probably aren’t what’s really being used in the first place. It’s not what they’re paid for. Internal auditors might also use reports and status checks, but they can almost always get this information from other sources. A GRC tool provides almost no value at the business unit level, since it doesn’t help them get their day to day jobs done.
The pretty dashboards and reports might be worth a certain investment, but not the six-figure plus fees most of them run for. No one really needs a GRC tool, since the tools don’t really perform productive work.
We’re seeing an onslaught of security (and other) vendors jumping on GRC because they think it will get them access to the CEO/CFO and bigger deals. But the CEO and CFO don’t give a rat’s ass how we do security; they just need to know if they are secure enough. That’s what they hire the CSO for, and it’s the CSO’s job to provide the right reports. These vendors would be better served by making great products and building in good reporting and management features to make the jobs of the security team easier.
Focus on helping security teams do their jobs and getting the auditors off their backs, rather than selling to a new audience that doesn’t care. Stop trying to sell to an audience (the CEO) that doesn’t care about you, when you have plenty of prospects out there drooling over those rare, good, functional products. Plenty of products get a boost from compliance, but they aren’t dedicated to it.
Don’t believe me? Go look at what people are really buying. Go ask your own CEO if he wants the latest GRC tool and will pay for it. Ask him if he wants to talk to any more vendors. Ask the operational guys if it will help them get their jobs done.
GRC is a feature, not a product. It’s a reporting tool, not a new paradigm for doing business.
As for the “practice” of GRC? I wouldn’t bet my career on a buzzword created by a small group of vendors to sell more product and jump on the bandwagon of yet another buzzword (compliance).
Compliance is real. Risk management is real. Governance and security are real. GRC is an unrequited wet dream leaving a rash of vendor blueballs in its wake.
Allen Baranov May 14
It’s amazing how companies have “what we tell the auditors to be compliant” and “what we also do but don’t want to tell the auditors because it would just generate red tape but what /really/ keeps us secure”.
On the other hand - it is nice to have something like GRC which can be used to get more money for security.
rybolov May 14
Wow, rmogull is channelling Steinnon for the past couple of weeks: Data classification is dead, GRC is dead, risk management is dead, being dead is dead, and death protection is dead.
Brain… hurts… must… write… own… post.
alan shimel May 14
Rich, I think you are mistaking the tip of the iceberg for the entire mountain of ice under the water. The dashboards and reports of GRC are the by-product, but not the actual work of most GRC products. They are the checkbox, but the actual work of making sure you are compliant is what the work of GRC is about.
I have written more about this on my blog at http://www.stillsecureafteralltheseyears.com/ashimmy/2008/05/rich-mogull-doe.html
Carole Stern Switzer Jun 14
Luddites Live Again
As the President of the Open Compliance & Ethics Group (OCEG), the only non-profit think tank dedicated to helping organizations design and implement GRC systems (and by that we don’t just mean technologies), I have followed this thread of discussion with great interest. It seems to me that those who criticize the concept of GRC are just missing the point.
GRC is not a dashboard, a technology solution, or a buzzword for compliance at all cost. Nor is it just ERM on steroids, as some would say. Nor is it a fad - just another acronym to drive consulting engagements.
GRC represents a paradigm shift in approach to business management and governance of an enterprise. It is a philosophical and structural view of how an enterprise can use its resources (human, technological and financial) to ensure that the organization meets its objectives while staying within the boundaries set by both law and choice of the board and the C-suite.
GRC is about ensuring that the organization has clearly established objectives and the means to meet those objectives efficiently and effectively - identifying risk and ensuring compliance with both external requirements and internal policies and procedures. It is not just about ensuring compliance; it is about achieving what OCEG calls Principled Performance.™
The IT tools being created to help in that effort - the GRC solutions or parts thereof — are an essential piece of this puzzle but they are not the puzzle.
Having integrated GRC requires establishing the strategy, controls, policies/procedures, measures AND technologies to ensure that consistent and accurate information flows up, down and across the organization, enabling true governance.
Without an integrated approach to risk, consistency of approach to compliance efforts across silos, and an ability to gather and parse the same information for multiple purposes, it’s not “good governance”, it’s only guessing governance.
OCEG began to drive the discussion about integrated GRC and develop the process model that details GRC structure more than 5 years ago. This discussion and process predated any development of IT solutions for GRC management.
Since then, hundreds of experts (legal, audit, risk, compliance, ethics, finance, quality, IT, and others) have contributed to creation and ongoing refinement of the OCEG Framework and thousands more have reviewed it when in public exposure drafts and used it since it became final three years ago.
Next month, OCEG will be releasing Version 2.0 of its GRC Capability Model, which is at the heart of the OCEG Framework. Anyone registered at oceg.org can download Version 1.0 of the Red Book and will be notified when Version 2.0 is available for review and comment.
To close, I have to note that OCEG, through the work of our Technology Council, has been developing an IT for GRC Blueprint that indicates over 80 categories of solutions that support various aspects of GRC. Those who refuse to see that an integrated GRC approach is a positive maturation in business management and governance that must and will be served by ever evolving technologies are simply the Luddites of our day.
Lurker Jun 23
Isn’t “paradigm shift” just another word for “fad”?
rmogull Jun 23
@Lurker…
I had this whole big argument planned to respond to that once I got back to the office, but you beat me to it with one short sentence.
Well done.
Carole,
I’m intimately familiar with GRC. It’s not even close to a paradigm shift. It’s a business fad that will fade like many others. The core principles of good governance, risk management, and compliance are all solid, but tossing them together under a new acronym and calling it a paradigm shift is ridiculous.
But it might make some consultants and similar organizations a lot of money…
Dan Wilder Jul 30
Wow, it sure seems like many people have varying thoughts on this topic. I’d like to interject some reality here.
The ISO, ITIL & ISACA organizations have all developed frameworks and guidance on the general topic known as GRC. Now I am not advocating for the GRC term or what vendors have mistaken it to mean.
The point is that organizations need to install controls to manage their business. This is a requirement of SOX, eDiscovery, Basel II as well as other regulations. These controls cannot be successful without some level of understanding of the operational functions of the organization they are installed in.
I believe that the term GRC is misunderstood to mean a software solution. It is not. It is a process based solution that collects and analyzes data to a set of operational guidelines that determine if the control is in compliance. If not, then the risk of being out of compliance must be measured and quantified into a financial value. From a governance side of the term, internal audits (dashboards display this) evaluate as part of the checks and balance process.
If all this is ingrained into the operational facets of the organization, then it provides the “C” level transparency needed for continued funding, the operational transparency for quick remediation and the functional usefulness of the day to day control of the business and IT operations.
My view of GRC is it is an acronym used to sell the service of providing a set of tools used to assist the function of the organization in meeting its objectives to grow and prosper in today’s market place.
To review this definition of what GRC really is, simply read the British Standards Institute’s BS25999 standard. This standard is at the forefront of the above organizations’ frameworks, providing the guidance needed to enable organizations to become resilient through process management with continual improvement.
This was further emphasized during the recent Seminar on GRC hosted by NASDAQ in March 2008 (http://www.nasdaq.net/PublicPages/GRC%20Web%20Seminar%20-%20March%202008%20presentation.pdf). One of the seminar’s speakers was Scott Mitchell, Chairman & CEO, OCEG, who clarified the GRC term to the meaning stated above when he stated “GRC is the Backbone” of a harmonized approach to governance, risk and compliance through a foundation of People, Processes & Technology.
I’m sorry, but blatantly calling GRC dead just because a few vendors misused the term is a disservice to businesses. I have developed and deployed a model in a global logistics and transportation company utilizing these principles which reduced fiscal risk by 17%, dropped the IT run rate by 50% and improved service delivery availability by 40% over the period of 14 months. All of which exceeded the requirements of the external auditors, which got them off the backs of those tasked with the day to day operations.
I am a believer in the true meaning of GRC… It is not dead, just beginning to be understood!
Lurker Jul 30
OK - I’ll be a little less glib and sarcastic this time. I have to agree with Dan Wilder on the subject of controls being more process oriented than software. In fact, a partner I worked for at PwC maintained that there is no such thing as computer controls. The control only happens when a PERSON views the edit list / exception report / error log and DOES SOMETHING ABOUT IT.
At the time we were looking at the internal audit reports of a bank which made a big deal about a case of beer being found in the data center but just glossed over a log showing a huge number of failed login attempts. In our minds, the auditor had his priorities reversed.
When looking at systems, I have seen software that produced a small book of system documentation that was basically ignored along with a one page overview flowchart created by a human to demonstrate a glaring weakness. Which would you read / act on?
Martin Kuppinger Jul 31
You’re right that the viewpoint of GRC as a one-way road isn’t sufficient. GRC isn’t only about audit. If you focus on this part of GRC, then it is - to cite Paul Heiden of BHOLD Company - dealing with FUD (fear, uncertainty, doubt). Then it is about avoiding penalties, but it doesn’t deliver a real business value.
But GRC, from our perspective, is two-way - it is about business control in the full sense of the word, e.g. managing and auditing. The Enterprise Authorization Management part of GRC is about control. And Risk Management done right provides the ability for a more efficient management, by focusing on exceptions.
But when you limit GRC to some analysis and dashboard functionality, then it isn’t sufficient - fully agreed. GRC as the business layer above many core parts of IT like Identity and Access Management is definitely valuable.
I’ll add some thoughts to this in my blog http://blogs.kuppingercole.de/kuppinger today.
Sumner Blount Aug 1
As an employee of a “GRC vendor”, I suggest that although there is some truth in your points, you may be throwing the baby out with the bathwater.
First, I agree that GRC has become an overused term, something that some vendors have attached to their positioning to be able to take advantage of the interest in this area. One of the problems, in my view, is that “G”, “R”, and “C” have been seemingly merged into a single concept as if they were interchangeable pieces of the puzzle. Anybody who is familiar with compliance and risk management is well aware that these concepts are different, though obviously related. They have different target buyers and different pain points. And, of course, Governance is a different type of concept itself. So, the continual and widespread use of GRC as a single concept is a somewhat unfortunate and possibly confusing artifact of the way that this market has emerged.
Still, what is new about this market area is the centralization and simplification of risk and compliance information and initiatives across the enterprise. When a variety of different tools are used, and when compliance and risk information is dispersed (and usually duplicated) around the organization, it’s obvious that redundancies, inefficiencies, and inconsistencies result. This is one of the more important problems that these “GRC tools” are intended to solve, and one that they generally do very well on.
And, I agree that GRC is not a paradigm shift. It’s what I would call the “next step” in managing risk and compliance initiatives, but we’re not talking about a revolutionary step for most organizations. It’s an effective way of harmonizing these efforts, and maximizing the use of people and processes. But, the fact that an occasional vendor pitches it as a paradigm shift shouldn’t detract from the important benefits that these products can provide.
I disagree with your notion that GRC is simply a way to sell to the C-level. C-level people, in my experience, don’t pick up a mouse when they want to find out what’s happening with compliance – they pick up the phone. But, the people who receive that call do need to have complete visibility into their risk and compliance activities, and that’s where a GRC Manager-type product can really help out.
I also was intrigued by your statement that: There is no one in an enterprise that will use a GRC tool on a day to day basis. So, I called up our Senior VP of IT Compliance who is leading a team that has deployed our GRC Manager product throughout the company. His experience was quite different. He has reduced the number of controls that had been implemented by roughly 50%, and his response was: “we’re in there every day – all day documenting controls, test work, remediation plans, as well as progress and time.” He concluded that either you weren’t familiar with the type of activities that a compliance executive was involved in, or you had unpleasant experience with a bad product.
In any event, I think we can agree that “GRC” can be an overused and misunderstood term. It’s not a paradigm shift. But, it IS a unifying and simplifying principle that can have significant cost and automation benefits to any company that is facing complex compliance challenges.
Jeremy Wilde Sep 25
Unbelievable, if I hadn’t heard it all before.
The imposition of legal and regulatory obligations requiring adequate information security controls to protect personal data and against fraud is risk, a threat that information security does not generally seem to be able to answer and that is why ‘GRC’ as you define it has happened - because someone had to answer it because it is a big and expensive threat!
Allen Baranov Sep 25
I got a negative finding from our auditors because the “password history” setting was documented differently in our standards. I then spent hours going through the documentation looking for this setting in all the standards, altering it and now I have made a new standard (a daddy standard) that says that if you set “password history” to anything it must be “x”.
I then had to rush around getting all of the standards signed.
I then had to sit with the auditors explaining the new standards and justifying the changes.
If you know what the “password history” setting is then you’ll know that it is really there just to stop users from changing their passwords a number of times until the old password is usable again. It is a very arbitrary setting.
In the meantime I could have been working on something important.
Jeremy Wilde Sep 27
Allen, I had to laugh at that one - it sounds like sox but you know you got to take the rough with the smooth…