The GRC market has noticeably matured in the past two years. The UK’s leading User Awareness, Risk and Policy Management Software solutions provider, Metacompliance, was recently ranked first in the Hypatia Research report on the global GRC market, “Best Practices & Drill Down GRC Q1 2012: Data Access & Security”. The report looked at 48 global GRC vendors and 440 companies that plan to include GRC in their future business strategies, if they are not already doing so.
The report concluded that vendors and customers alike agree that government and industry regulation shows no signs of abating. If anything, the recent fallout from the lack of regulation in the Financial Services sector has added to the general acceptance that compliance needs to become a “business as usual” issue. The FSA lists a staggering £66 million in fines handed out to financial organisations in 2011, a clear sign that regulation, and its enforcement, continues to tighten.
For me, two of the major determinants of success for an organisation’s Governance, Risk and Compliance (GRC) strategy are organisational culture and people. By the latter I do not mean all of the people in an organisation (they are certainly important, but not at the strategic level of GRC planning), but rather the particular group of people who must be in place for a successful GRC strategy to be possible. These people must have seniority within the organisation, together with the expertise, experience, personal standing and persistence required to drive organisational change and strategic success.
The Information Assurance Maturity Model (IAMM) is an excellent method of determining where an organisation sits in relation to its compliance obligations. The model gives an organisation a clear picture of what should be in place by way of process, policy, technology and people, and provides a solid baseline for a GRC strategy. However, this brings me back to the people and culture issue. To develop and embed a successful GRC programme, the organisation needs executives and managers who recognise, first, that compliance is a business imperative and, second, have a realistic understanding of where their organisation sits on the IAMM. The question they must ask is: how close are we to making governance, risk and compliance part of our business norms?
The greatest challenge for this team will be to confront the core issue of honestly assessing their company’s culture of compliance and security. Unlike other business functions, such as sales, compliance and risk have no natural origin within most companies, which means those norms have to be created, nurtured, developed and managed for the long term. Other industries have had to undergo similar evolutions; safety in the oil and gas industry is one example. It took decades for safety to become part of that industry’s culture, embedded in its “organisational DNA”, and it will likewise take time for GRC to become business as usual. Success means beginning the process now.
In their report, Hypatia researched the top reasons for organisations to invest in GRC software and consulting services: “When asked for the top three reasons organisations invested in GRC tools, survey results spanned a wide range of motivations. The highest percentage of respondents (43.5%) cited “industry regulations require it”, while 28.7% said “Our CEO insisted upon it” and 23.1% said “Our lawyers insisted on it”.”
Sometimes the CEO has to be the executive sponsor of the team tasked with changing the company’s culture. Often, nothing short of this level of emphasis will cut through the interdepartmental politics that get in the way of necessary change. For a GRC project to succeed there has to be an alignment of the irrefutable driver of regulation, the resourcefulness of a capable management team and the backing of a C-level executive. Would you agree?