As the governance, risk and compliance (GRC) market matures, users are struggling to make the case for GRC implementations. What is the business case for GRC in a modern organisation, and does it really pay off? Ben Rossi speaks to industry experts to answer these burning questions.
In recent years, the role of GRC as a business framework has evolved. What previously heavily revolved around compliance has now become something more.
GRC is now often spoken in more of a general sense when referring to the internal processes of a business and initiatives to create a more effective workplace.
Alaa Abdulnabi, regional pre-sales manager at RSA Turkey, Emerging Africa and Middle East, says the rise of GRC programs origionally came about to help companies in their attempts to comply with increasingly demanding regulatory requirements.
“GRC was vital and important to ease off the pain of compliance efforts and to bridge the gap with business. Interest in GRC was sparked by the need for design and implementation of suitable governance controls for regulatory compliance, but the focus of GRC has since shifted towards adding business value through improving operational decision making and strategic planning. It therefore has relevance beyond the compliance world,” Abdulnabi says.
The start of operational risk management can be traced back to the time when banks were rushing to comply with strict rules and regulations, according to Klaus Kristensen, head of risk practice at SAS Institute EMEA.
“It was during this period that banks realised that they did not have an integrated view of their respective risk exposure. Because of this, banks had demonstrated a new found awareness on compliance risk, which along with internal policy compliance, also included statutory aspects and regulatory compliance,” he says.
“Banks were also faced with non-financial impacts such as reputational risk. With this in mind, not only did the concept of risk management come about but also the concept of properly handling governance and compliance, which in turn gave banks a total view of the management of all risks,” he adds.
Abdulnabi lays out how RSA believes GRC has changed beyond the role of compliance as the main driver of such initiatives.
“In 2010 we saw a shift from compliance to risk evaluation and visibility as a major driver.  Not to say that compliance is still not an issue and a catalyst for projects, but risk has definitely come in to the forefront.  We then see some very mature GRC programs now just to further leverage the valuable information being maintained in GRC platforms,” he says.
“This is driving companies to utilise GRC for measuring business performance in relation to their strategic objectives. This maturity cycle will bring with it some very critical expectations of a company’s GRC platform.  We question an organisation’s ability to have a successful mature GRC platform without some fundamental critical capabilities,” he adds.
The economic downturn had a major influence in the maturity of GRC implementations, according to Nima Saraf, team leader technical, advanced networking and information security at FVC MEA.
“In recent years, especially during the economic downturn, many organisations shifted from a basic interest in GRC as a means to meet compliance regulations to a position that leverages GRC solutions to improve overall internal processes, build more productive workplaces, and enhance business value,” he says.
“GRC used to be maintained as separate disciplines for each of its components. As market needs have changed, GRC in today’s enterprises has been converged to reduce overlapping job requirements, save money and time, gaining efficiency.  It is now designed and implemented to make business run smoother and become more cost effective,” he adds.
Dr Angelika Plate, director of strategic services at help AG Middle East, believes that, whilst compliance is an important part of GRC, the over-emphasis on it misses the important element of governance.
“Governance, if implemented correctly, ensures that top management directions and decisions are integrated into the organisation, and that top management receives sufficient information for well informed decision making,” she says.
Making a case
However, whatever the definition and evolution of GRC involves, it remains that many users have recently struggled to make a case for its implementations.
A major reason for this falls down to the challenge of demonstrating return on investment.
This is due to the lack of certain parameters when defining essential elements related to costs, benefits, flexibility and risks, according to Hadi Jaafaraw, sales director at I(TS)2.
“The cost of GRC implementation can be quite significant and highlighting the benefits can be difficult. Such benefits could be related to efficiency like decreased audit costs, risk reduction benefits like fewer regulatory penalties or performance benefits like better strategic decisions using risk information and compliance,” Jaafaraw says.
Saraf thinks users have struggled to find a case for GRC because of its tendency to be a heavy project to oversee.
“There is a large amount of corporate information, data, regulations, policies, controls and groups involved across an enterprise. Both vendors and IT managers have struggled to show credible ROI figures or build a business case to justify the expense of a software and hardware platform. This is certainly not due to a lack of value, but rather a lack of parameters to work with when defining essential elements relating to cost, benefit, flexibility and risk,” he says.
However, Ollie Hart, head of public sector at Sophos, believes it is the users with an “apathetic and ‘it will never happen to me’ attitude” that struggle to make the case for GRC implementations.
“The best GRC implementation is one where employees are all aware and the behaviour required to meet the policy becomes natural, so that people say a policy and framework is not required.  Across security, the role of a SIRO/CISO has evolved so that much of the GRC falls within this role and the previous owner may now find his roles and responsibilities lie with other people,” Hart says.
Return on investment
Abdulnabi is adamant that there is a significant ROI when deploying GRC programs and tools.
He refers to recent research published by Forrester that interviewed a large number of enterprise customers from different verticals who implemented and deployed GRC programs.
“The research quantified the ROI achieved from GRC and concluded a 572% ROI within a three year period. The ROI varies from one environment to the other, and depends on what the GRC program is automating, enhancing or maybe replacing. In all cases, the return on investment from GRC is tangible and of a significant magnitude,” he says.
Whilst acknowledging that GRC implementation costs can be high, Saraf agrees with the ROI benefits.
“There is one more important factor that needs to be considered when building a case for GRC implementation and that is it provides businesses the flexibility to respond to opportunities and threats. A well-thought out GRC program supports business growth and agility, and is an important consideration when calculating ROI,” she says.
With the maturation and adaption of GRC’s role in the enterprise, ultimately the business case has changed with it.
“Originally, the business case for a GRC solution was simple, comply at any cost or face significant penalties, negative market impact or even jail time for the CFO or CEO. The implementation of GRC solutions was suffering from conflicting information and terminology, disparate technologies and a lack of connection to business strategy,” says Jaafaraw.
“Nowadays, GRC professionals’ focus is more concentrated on educating the board of directors, developing and communicating basic business values and committing to deliver higher level value over time. That includes reduced business risks, provides greater control and improves oversight and a holistic view of business objectives,” he adds.
Dr. Plate says there is a growing awareness of different disciplines that help organisations to operate in a more controlled and effective way – and GRC is one of them.
“With the growing understanding of these concepts, organisations start to realise the benefit that these frameworks can bring.  It is nevertheless still a journey that only just begun, and more understanding of these concepts and how to apply them in an organisation is necessary to make this a successful business case,” she says.
Jaafaraw gives his view on the role and importance of GRC if implemented successfully in a modern organisation.
“It would lead to a strong connection between governance, risk and compliance functions themselves and their interaction with their relevant organisational silos. It would also provide better efficiency of corporate efforts with a unified approach to managing the same or similar risks and controls, and consistency within the governance, risk and compliance frameworks themselves. Finally it can achieve transparency in approach across the frameworks and organisation, and reduce risk of unidentified gaps in these frameworks and controls,” he says.
Proper management of a GRC framework will identify strategies to address the business and security challenges an organisation faces, according to Dr. Plate.
“By strengthening the governance processes and risk culture, organisations can gain more control over their situation.   Another positive aspect of this business intelligence is a better forecast of new risks and the appropriate reaction to them, as well as the identification of new opportunities,” she says.
The future of GRC implementations does look strong, according to the industry experts quizzed.
Jaafaraw believes in the coming years more and more integration of internal GRC functions are going to work together more effectively.
“GRC implementations will not be viewed as a technology alone, but as one important piece of the organisation’s strategy, processes, technology and people that will enable organisations to effectively manage their business more efficiently. The integration of GRC functions across different departments will allow executives, managers and supervisors to have a more holistic view about the critical functions of the organisation and reduce risks to meet the company’s business goals and objectives,” he says.
Kristensen refers to the present high demand for the integration of more data sources, along with the ability to automate the GRC management process, as a positive indicator of the future of GRC.
“This would also include the ability to automate the measurement of KRI through rules engines, which utilises business data while rules are run in batch and issues are created in an automated way combined with the ability to manage the implementation of action plans to rectify or implement controls,” he says.
“Further to this, the ability to integrate with more extensive case management systems allows for the extensive investigation of incidents or control failures. This can be provided as part of the SAS capability as well as the integration of fraud events or as part of the risk management capability, thereby allowing for the control of the process to rectify broken controls and allow for the measurement of fraudulent activity in the risk management process,” he adds.