GRC is Dead

I have to admit, I don’t really understand greedy desperation. Or desperate greed. For example, although I enjoy having a decent income, I don’t obsess about the big score. Someday I’d like a moderate score for a little extra financial security, but I’m not about to compromise my lifestyle or values to get it. As a business I know who my customers are and I make every effort to provide them with as much value as possible.

That’s why I don’t grok this whole GRC obsession (Governance, Risk, and Compliance) among certain sectors in the vendor community. It reeks of unnecessary desperation like the happily married drunk at the bar seething at all the fun of the singles partying around him. He’s got it good, but that’s not enough.

One of the first things I covered over at Gartner was risk management, and I even started the internal risk research community. This was before SOX, and once that hit a few of us started adding in compliance coverage. Early on I started covering the predecessors to today’s GRC tools, and was even quoted in Fortune magazine saying there was almost no market for this stuff (some were predicting it would be billions). That, needless to say, pissed off a few vendors, most of which are now out of business or on life support.

Gunnar Peterson seems to feel the same. He sees GRC as letting your company become audit-driven, rather than business-driven. He is, needless to say, not betting his career on GRC.

Now I’m about to rant on GRC, but please don’t mistake this as criticism of governance, risk management, or compliance. All are important, and tightly related, but they are tools to achieve our business goals, not goals in and of themselves.

GRC however is a beast unto itself. GRC is now code for “selling stuff to the C-level”. It has little to do with real governance, risk, and compliance; and everything to do with selling under-performing products at inflated prices. When a vendor says “GRC” they are saying, “here’s our product to finally get us into the Board Room and the CEO’s office”. The problem is, there isn’t a market for GRC. Let’s look at the potential buyers:

  1. C-Level Executives (the CEO and CFO)
  2. Auditors (internal)
  3. Auditors (external)
  4. Business unit managers (including the CSO/security).

Before going any further let’s just knock off external auditors, since they aren’t about to spend on anything except their own internal tools, which GRC doesn’t target.

Now let’s talk about what GRC tools do. There is no consistent definition, but current tools evolved from the SOX compliance reporting tools that appeared when Sarbanes-Oxley hit. These tools evolved from a few places, but primarily a mix of risk documentation and document management. They then sprinkled in controls libraries licensed from the Final Four accounting firms. I was never enamored by these tools, since they did little more than help you document processes. That’s fine if you charge reasonable prices, but many of these things were overinflated, detached from operational realities unless you dedicated staff to them, and often just repurposed products which failed at their primary goal. Most of the tools now are focused on providing executives with a “dashboard” of risk and compliance. They can document controls, sometimes take live feeds from other applications, “soft-test” controls (e.g., send an email to someone to confirm they are doing what the tool thinks) and generate reports. Much of what we call GRC should really be features of your ERP and accounting software.

In the security world, most of what we call GRC tools are dashboard and reporting tools that survey or plug into the rest of our security architecture. Conceptually, this is fine, except we see the tools drifting away from being functional for those with operational responsibilities, and focusing more on genericizing content for the “business” audience and auditors. It’s an additional, very highly priced, reporting layer.

That’s why I think this category is not only dead, it was never born. There is no one in an enterprise that will use a GRC tool on a day to day basis. The executives want their reports at the end of the quarter, and probably don’t mind a dashboard to glance at, but they’ll never drill down into all the minutiae of controls that probably aren’t what’s really being used in the first place. It’s not what they’re paid for. Internal auditors might also use reports and status checks, but they can almost always get this information from other sources. A GRC tool provides almost no value at the business unit level, since it doesn’t help them get their day to day jobs done.

The pretty dashboards and reports might be worth a certain investment, but not the six-figure plus fees most of them run for. No one really needs a GRC tool, since the tools don’t really perform productive work.

We’re seeing an onslaught of security (and other) vendors jumping on GRC because they think it will get them access to the CEO/CFO and bigger deals. But the CEO and CFO don’t give a rat’s ass how we do security; they just need to know if they are secure enough. That’s what they hire the CSO for, and it’s the CSO’s job to provide the right reports. These vendors would be better served by making great products and building in good reporting and management features to make the jobs of the security team easier.

Focus on helping security teams do their jobs and getting the auditors off their backs, rather than selling to a new audience that doesn’t care. Stop trying to sell to an audience (the CEO) that doesn’t care about you, when you have plenty of prospects out there drooling over those rare, good, functional products. Plenty of products get a boost from compliance, but they aren’t dedicated to it.

Don’t believe me? Go look at what people are really buying. Go ask your own CEO if he wants the latest GRC tool and will pay for it. Ask him if he wants to talk to any more vendors. Ask the operational guys if it will help them get their jobs done.

GRC is a feature, not a product. It’s a reporting tool, not a new paradigm for doing business.

As for the “practice” of GRC? I wouldn’t bet my career on a buzzword created by a small group of vendors to sell more product and jump on the bandwagon of yet another buzzword (compliance).

Compliance is real. Risk management is real. Governance and security are real. GRC is an unrequited wet dream leaving a rash of vendor blueballs in its wake.

12 comments

  1. Allen Baranov May 14

    It’s amazing how companies have “what we tell the auditors to be compliant” and “what we also do but don’t want to tell the auditors because it would just generate red tape but what /really/ keeps us secure”.

    On the other hand - it is nice to have something like GRC which can be used to get more money for security.

  2. rybolov May 14

    Wow, rmogull is channelling Steinnon for the past couple of weeks: Data classification is dead, GRC is dead, risk management is dead, being dead is dead, and death protection is dead.

    Brain… hurts… must… write… own… post.

  3. alan shimel May 14

    Rich, I think you are mistaking the tip of the iceberg for the entire mountain of ice under the water. The dashboards and reports of GRC are the by-product, but not the actual work of the most GRC products. They are the checkbox, but the actual work of making sure you are compliant is what the work of GRC is about.
    I have written more about this on my blog at http://www.stillsecureafteralltheseyears.com/ashimmy/2008/05/rich-mogull-doe.html

  4. Carole Stern Switzer Jun 14

    Luddites Live Again
    As the President of the Open Compliance & Ethics Group (OCEG), the only non-profit think tank dedicated to helping organizations design and implement GRC systems (and by that we don’t just mean technologies), I have followed this thread of discussion with great interest. It seems to me that those who criticize the concept of GRC are just missing the point.

    GRC is not a dashboard, a technology solution, or a buzzword for compliance at all cost. Nor is it just ERM on steroids, as some would say. Nor is it a fad - just another acronym to drive consulting engagements.

    GRC represents a paradigm shift in approach to business management and governance of an enterprise. It is a philosophical and structural view of how an enterprise can use its resources (human, technological and financial) to ensure that the organization meets its objectives while staying within the boundaries set by both law and choice of the board and the C-suite.

    GRC is about ensuring that the organization has clearly established objectives and the means to meet those objectives efficiently and effectively - identifying risk and ensuring compliance with both external requirements and internal policies and procedures. It is not just about ensuring compliance; it is about achieving what OCEG calls Principled Performance.™

    The IT tools being created to help in that effort - the GRC solutions or parts thereof — are an essential piece of this puzzle but they are not the puzzle.

    Having integrated GRC requires establishing the strategy, controls, policies/procedures, measures AND technologies to ensure that consistent and accurate information flows up, down and across the organization, enabling true governance.

    Without an integrated approach to risk, consistency of approach to compliance efforts across silos, and an ability to gather and parse the same information for multiple purposes, it’s not “good governance”, it’s only guessing governance.

    OCEG began to drive the discussion about integrated GRC and develop the process model that details GRC structure more than 5 years ago. This discussion and process predated any development of IT solutions for GRC management.

    Since then, hundreds of experts (legal, audit, risk, compliance, ethics, finance, quality, IT, and others) have contributed to creation and ongoing refinement of the OCEG Framework and thousands more have reviewed it when in public exposure drafts and used it since it became final three years ago.

    Next month, OCEG will be releasing Version 2.0 of its GRC Capability Model, which is at the heart of the OCEG Framework. Anyone registered at oceg.org can download Version 1.0 of the Red Book and will be notified when Version 2.0 is available for review and comment.

    To close, I have to note that OCEG, through the work of our Technology Council, has been developing an IT for GRC Blueprint that indicates over 80 categories of solutions that support various aspects of GRC. Those who refuse to see that an integrated GRC approach is a positive maturation in business management and governance that must and will be served by ever evolving technologies are simply the Luddites of our day.

  5. Lurker Jun 23

    Isn’t “paradigm shift” just another word for “fad”?

  6. rmogull Jun 23

    @Lurker…

    I had this whole big argument planned to respond to that once I got back to the office, but you beat me to it with one short sentence.

    Well done.

    Carole,

    I’m intimately familiar with GRC. It’s not even close to a paradigm shift. It’s a business fad that will fade like many others. The core principles of good governance, risk management, and compliance are all solid, but tossing them together under a new acronym and calling it a paradigm shift is ridiculous.

    But it might make some consultants and similar organizations a lot of money…

  1. Let’s Face it, Half the Security Industry is a Pyramid Scheme | The Guerilla CISO
  2. GRC, Average Deal Size, And The Dangers Of Venture Capital | securosis.com
  3. Shimel Wants To Sell You A Dead Parrot. On An Iceberg. Slathered In GRC | securosis.com
  4. GRC - Why It’s of LIMITED Interest to Me « Mark Curphey - SecurityBuddha.com
  5. Audit Trail Blog Archive » The GRC Dogpile
  6. Bludgeoning GRC « Netweaver Identity Manager Weblog
