Best Practices from the IT Compliance Institute
GRC Solutions: Tips for Tipping False Idols
New platforms and tools promise to solve companies’ governance, risk, and compliance (GRC) challenges, but managers should beware the hype. Ad hoc frameworks, narrow solution scopes, and too-tactical functionality often characterize so-called enterprise solutions. Experts offer insights to help you navigate the GRC hype.
By Mathew Schwartz
What is GRC?
Vendors are rushing to offer so-called governance, risk, and compliance (GRC) platforms. This software purports to link three related but often disconnected corporate initiatives: governance of management, business, and IT decisions; management of the financial, business, and technology risks facing the business; and compliance with various business, finance, privacy, and IT regulations.
The GRC software and services market is hot: AMR Research predicts that companies’ GRC-related spending will near $30 billion this year. Yet many industry experts argue that technological approaches—dubbed GRC or otherwise—are not actually the frontline solution for solving governance, risk, or compliance challenges.
In other words, don’t define GRC as technology. Rather, "GRC is multiple roles working together in a common framework, collaboration, and architecture to bring an enterprise view across governance, risk, and compliance activities throughout the organization," says Michael Rasmussen, a Forrester Research analyst who focuses on governance, risk, and compliance.
Thus how you define GRC, and design a framework for managing GRC, necessarily depends on which particular governance, risk, and compliance issues you need to address.
Risk: The New Compliance
If the very definition of GRC is largely relative, where does that leave so-called GRC products? Indeed, given the sheer number of products and consulting services labeled as GRC-related, one might believe plug-and-play solutions existed to solve everything from operational and credit risk, to all regulatory compliance and IT governance requirements.
Don’t believe the marketing hype. "Before, certainly everyone was attaching ‘compliance’ to their products," says Scott Crawford, research director at Enterprise Management Associates (EMA). "Now it’s risk, and we’re seeing compliance get attached to that sometimes too."
As with "compliance software," remember that a given product’s ability to directly solve a GRC-related issue may be tenuous. "Three to four years ago, all the technology vendors were starting to say compliance, compliance, compliance—my solution helps you comply with HIPAA, or GLBA, or SOX, or whatever it was," says Security Innovation’s Michael Gavin, formerly a security industry analyst with Forrester. Many buyers, he cautions, discovered such products addressed only "a tiny piece of the compliance puzzle they were solving." Furthermore, many organizations selected technology to address an IT compliance problem without first fixing the underlying business practices, which is an inefficient approach at best: the tool automates a broken process rather than a corrected one.
Fast-forward to today: "A lot of those vendors have found that governance and risk management is the new buzz phrase that they need to use to get the attention of the buyer’s ear," he says. "Hopefully, buyers learned their lesson."
IT Culture Shock
IT personnel may need to adjust their thinking accordingly. Indeed, GRC may come as a shock to technologists used to remediating every last technology vulnerability or critical software risk as rapidly as possible. As an example, Crawford cites a large company that recently commissioned a vulnerability assessment. When presented with the list of specific vulnerabilities, the CIO said he was not going to fix them, because the likelihood of being penalized for leaving them open was so low. Note what that estimate measures: the chance of a regulatory or audit penalty, not the chance that an attacker exploits the flaw. A risk-acceptance decision of this kind is defensible only if both likelihoods are weighed and the rationale is recorded so the decision can be revisited when conditions change.
"To say that a certain amount of IT risk is acceptable, relative to the business? That’s a new concept," he says.
Welcome to the new GRC world order.