Governance, risk and compliance (GRC) encompass a diverse range of functions and processes, and the fragmented market for software and services reflects that diversity. Some products are oriented mainly toward IT GRC, and others address the broader range of enterprise GRC issues. Large-scale products that are built on enterprise infrastructures integrate information from many systems, while others are niche solutions that document compliance in a single area such as environmental regulatory compliance. The market is large, estimated at $20 billion or more, depending on what components are included.
To an increasing extent, organizations are focusing on risk management as a central issue in the GRC equation. Enterprise risk management (ERM) is now a bigger driver for GRC than Sarbanes-Oxley or other compliance requirements, according to French Caldwell, analyst at Gartner. "Organizations want a top-down viewpoint on risk, whether it is resulting from non-compliance or operational issues, and want to know what is being done to mitigate it," he says. ERM is increasingly considered as a strategic tool to support governance and improve business performance.
Risk and the GPS
The global positioning system (GPS) is so pervasive that we usually take it for granted. As part of our everyday lives, the GPS supports our mobile phones, time stamps our business transactions, and helps to coordinate air and ground travel, to name just a few of its roles. The economic value of GPS for commercial applications is estimated at nearly $70 billion, and more than 3 million jobs depend on GPS technology. Although it has numerous civilian applications, the GPS program was developed by the Department of Defense (DOD) and is run by the U.S. Air Force (USAF).
Underlying the GPS is a complex set of programs and technology: several dozen satellites, controlled by a network of ground systems, orbit the Earth and emit navigation signals that are picked up by receivers on the ground. Fielding and maintaining GPS requires close cooperation between private contractors and the government, and this network of organizations and systems requires correspondingly sophisticated methods to identify and manage risks.
The Air Force selected Active Risk Manager (ARM) from Active Risk, and now can see each risk in a hierarchical structure that ranges from low-level tactical risks to high-level strategic risks, with each one linked. "The Air Force can track hundreds of risks at any given time and review each one individually," says Michael Lopez, senior associate at Booz Allen Hamilton, who served as risk manager for the GPS program from 2009 to 2011.
Some risks relate to system performance, while others are program management issues such as budget or schedule. "A typical risk might be having a system level test event take place later than planned," Lopez explains, "or having a receiver stop functioning."
Experts within the Air Force determine which risks are to be monitored and tracked based on goals and previous experience. The risk managers document the risk, its causes, the likelihood of its occurrence, severity, potential impacts, controls and any other relevant information directly in the system.
Each organization has its own scoring system for risk, based on its risk appetite, the goals of the program and other factors, which it uses to rate the potential severity of a risk and the probability that it will occur. Risks can then be ranked by their potential to impact organizational goals. Root-cause "triggers" indicate the conditions under which a risk can occur. Risks are reviewed at specified points to check whether their status has changed.
Understanding the impact of each risk on other activities is an important value-added element of having a software product in place. "We need to be able to see not only the individual risks, but how each risk affects the others and what the impact is across programs," explains Lopez. "Because we are tracking them in Active Risk Manager, we can see how that event would impact other activities." A data field in Active Risk Manager allows users to enter a "risk relationship" using a unique ID number. Any time a risk is opened on the screen, the solution automatically shows other related risks.
Having a consistent structure for viewing risks is a big advantage, according to Lopez. "Risks tend to be captured in informal ways across programs," he says. "In one division, there might be a PowerPoint briefing showing the top 10 risks; in another, an Excel spreadsheet. Bringing them together is very helpful." Not only can managers see what risks are covered, but they can also more readily see what is missing.
Histograms of risks by type (technology, budget or schedule) or by program (satellite, ground station or user equipment) show trends or gaps. "Usually, too much focus is placed on technical risk, such as what can go wrong during manufacture," Lopez says. "Not enough attention is paid to risks across related programs, or risks from behavioral and cultural factors."
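The register described over the last few paragraphs, with likelihood and severity scoring, ranking, relationship links by risk ID and histograms by type or program, can be sketched in a few dozen lines. The following is an added example written for this article; it is not Active Risk Manager's code and does not reflect how that product stores data. The 1 to 5 scales, the four sample risks (constructed to match the article's examples of a slipped test event and a failed receiver) and the validation of dangling relationship IDs are all assumptions. One generalization beyond the text: `related_to` follows relationship links transitively and in both directions, so a risk linked to a linked risk also appears, whereas the article only describes showing directly related risks.

```python
from collections import Counter, deque
from dataclasses import dataclass, field


@dataclass
class Risk:
    risk_id: str
    title: str
    category: str          # technology, budget or schedule (the article's types)
    program: str           # satellite, ground station or user equipment
    likelihood: int        # 1 (rare) .. 5 (almost certain); scale is an assumption
    severity: int          # 1 (negligible) .. 5 (critical); scale is an assumption
    trigger: str           # root-cause condition under which the risk can occur
    related: list = field(default_factory=list)  # IDs of linked risks

    @property
    def score(self) -> int:
        # Simple likelihood x severity product; real programs tune their own scheme
        return self.likelihood * self.severity


class RiskRegister:
    def __init__(self, risks):
        self.risks = {r.risk_id: r for r in risks}
        self._validate()

    def _validate(self):
        # A link to a non-existent ID would silently hide cross-program impact,
        # so reject the register rather than ignore the bad reference.
        for r in self.risks.values():
            for other in r.related:
                if other not in self.risks:
                    raise ValueError(f"{r.risk_id} links to unknown risk {other}")
            if not (1 <= r.likelihood <= 5 and 1 <= r.severity <= 5):
                raise ValueError(f"{r.risk_id}: likelihood/severity out of range")

    def ranked(self):
        """Risks ordered by score, highest first; ties broken by ID for stability."""
        return sorted(self.risks.values(), key=lambda r: (-r.score, r.risk_id))

    def related_to(self, risk_id):
        """IDs of every risk reachable through relationship links, either direction."""
        seen, queue = set(), deque([risk_id])
        while queue:
            cur = queue.popleft()
            for r in self.risks.values():
                linked = cur in r.related or r.risk_id in self.risks[cur].related
                if linked and r.risk_id != risk_id and r.risk_id not in seen:
                    seen.add(r.risk_id)
                    queue.append(r.risk_id)
        return sorted(seen)

    def histogram(self, by):
        """Counts of risks by 'category' or 'program', the article's two views."""
        return Counter(getattr(r, by) for r in self.risks.values())


def build_sample_register():
    # Constructed sample data, not taken from the GPS program
    return RiskRegister([
        Risk("R1", "System-level test event later than planned", "schedule",
             "ground station", 3, 4, "test readiness review not passed", ["R2"]),
        Risk("R2", "Receiver stops functioning", "technology",
             "user equipment", 2, 5, "firmware regression in field units"),
        Risk("R3", "Contractor funding shortfall", "budget",
             "satellite", 2, 3, "continuing resolution delays obligation", ["R1"]),
        Risk("R4", "Ground antenna upgrade delayed", "schedule",
             "ground station", 4, 2, "long-lead parts not ordered"),
    ])


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.ranked():
        print(r.risk_id, r.score, r.title)
    print("related to R3:", reg.related_to("R3"))
    print(reg.histogram("category"), reg.histogram("program"))
```

The `related_to` result for the budget risk R3 includes R2, the receiver failure, even though R3 only links to R1 directly; that is the cross-program view Lopez describes, and it is the reason dangling IDs are rejected up front.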
As with compliance and governance, a software solution allows risks and outcomes to be documented. "We can see what worked in the past," says Lopez, "which informs future decisions." The ultimate goal is to prevent adverse outcomes. "We as a culture are better at corrective behavior than at preventive behavior," he adds. "If there is an actual problem, you can 'fix' it, but if you are preventing a problem, the results are not visible. Yet, that is the real goal."
Risk is often seen as a negative factor, but in reality it is an integral part of achievement, according to Loren Padelford, executive VP and general manager of Active Risk. "Governance and compliance are essential business functions," he says, "but they do not add to either the top line or the bottom line. Companies that succeed are the ones that take risks. However, the risks need to be understood and managed." Risk management does not mean that every risk can be anticipated. "A company can't plan for a tsunami," adds Padelford, "but it can plan for the risk of supply chain disruption and have alternatives ready."
An integrated view of GRC
The global financial crisis and revelations of fraud have focused new attention on accountability with respect to governance, risk management and compliance. Yet economic pressures are mandating increasing attention on business performance. "At the C-level [highest level], managers know what their business strategy is," says Sid Sinha, senior director of GRC product management at Oracle. "That strategy should drive what is measured and monitored for both compliance and performance."
Oracle's GRC products provide a common risk framework and the advanced controls needed to detect suspicious activity based on data in business systems. Those products are pre-integrated with the Oracle E-Business Suite and Oracle's PeopleSoft applications, but they can be tailored for other business systems. "Organizations need a closed-loop environment for assessing business risks, documenting compliance and automating control monitors to sift through your business systems," Sinha says. Ideally, monitors that meet both compliance and performance requirements will be given high priority.
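An automated control monitor of the kind Sinha describes is, at its core, a rule run continuously over transaction data to surface suspicious activity. The block below is an added illustration written for this article, not Oracle's code, and the article does not say which controls Oracle's products ship with; the two rules here (a segregation-of-duties check and a split-payment check against an approval threshold) are assumptions chosen because they are common in financial control monitoring. The transaction records, user names, vendors and the 10,000 approval limit are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    day: str      # ISO date the step was recorded
    kind: str     # vendor_create, invoice_create, invoice_approve, payment_release
    user: str
    vendor: str
    amount: float = 0.0


# Assumed conflicting duty pairs: one user must not perform both for the same vendor.
SOD_CONFLICTS = [
    ("vendor_create", "payment_release"),
    ("invoice_create", "invoice_approve"),
]

# Assumed threshold at or above which a payment needs a second approver.
APPROVAL_LIMIT = 10_000.0


def sod_findings(transactions):
    """(user, vendor, step_a, step_b) for every conflicting pair one user completed."""
    done = defaultdict(set)  # (user, vendor) -> kinds that user performed
    for t in transactions:
        done[(t.user, t.vendor)].add(t.kind)
    findings = []
    for (user, vendor), kinds in sorted(done.items()):
        for a, b in SOD_CONFLICTS:
            if a in kinds and b in kinds:
                findings.append((user, vendor, a, b))
    return findings


def split_payment_findings(transactions, limit=APPROVAL_LIMIT):
    """(vendor, day, total) where each payment stayed under the limit but the day's
    total did not, the pattern of splitting a payment to dodge a second approval."""
    groups = defaultdict(list)
    for t in transactions:
        if t.kind == "payment_release":
            groups[(t.vendor, t.day)].append(t.amount)
    findings = []
    for (vendor, day), amounts in sorted(groups.items()):
        if len(amounts) > 1 and all(a < limit for a in amounts) and sum(amounts) >= limit:
            findings.append((vendor, day, sum(amounts)))
    return findings


# Constructed sample ledger: alice creates a vendor and later releases a payment to
# it, bob approves his own invoice, and ACME receives two sub-limit payments in a day.
SAMPLE = [
    Transaction("T1", "2012-03-01", "vendor_create", "alice", "ACME"),
    Transaction("T2", "2012-03-01", "invoice_create", "bob", "ACME", 9500.0),
    Transaction("T3", "2012-03-01", "invoice_approve", "bob", "ACME", 9500.0),
    Transaction("T4", "2012-03-01", "payment_release", "alice", "ACME", 9500.0),
    Transaction("T5", "2012-03-01", "payment_release", "carol", "ACME", 9800.0),
    Transaction("T6", "2012-03-02", "payment_release", "carol", "Globex", 4000.0),
]


def run_monitors(transactions=SAMPLE):
    """Run every monitor and return findings keyed by control name."""
    return {
        "sod": sod_findings(transactions),
        "split_payments": split_payment_findings(transactions),
    }


if __name__ == "__main__":
    for control, hits in run_monitors().items():
        print(control, hits)
```

Both monitors are pure functions over the ledger, which is what makes the closed loop Sinha mentions practical: the same rule that documents a control for auditors can be rerun on every batch of transactions, and a rule that covers a performance concern (a vendor being paid more than budgeted) fits the same shape.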