The Origin of Off-The-Shelf GRC Software Implementation

In this blog, I would like to go back to the origin of Governance, Risk and Compliance (GRC) software and its evolution. In the upcoming blogs, I will share my 15 years of experience delivering GRC projects and will dive into the Best Practice Solution concept that can be a game changer in delivering successful projects.

The Origin of GRC Software

There are some anniversaries that businesses may not want to remember, for example December 2, 2011 or July 19, 2012. Those dates mark the ten-year anniversaries of the fall of Enron and WorldCom respectively. The Enron scandal also led to the dissolution of Arthur Andersen, which was one of the five largest audit and accountancy partnerships in the world, and it is cited as the biggest audit failure in recent history. Many executives at these companies were indicted on a variety of charges and some were later sentenced to prison.

SOX – The Game Changer?

In order to cut down on the incidence of corporate fraud, Senator Paul Sarbanes and Representative Michael Oxley drafted the Sarbanes-Oxley (SOX) Act. The two key provisions of the act require management to certify the accuracy of the reported financial statements, establish internal controls and reporting methods, and confirm the accuracy of the controls over financial risk within the organization.

With the introduction of the initial SOX legislation, it became necessary for all publicly traded companies in the US to categorize and test financial controls in the first and second lines of defense. There was a clear need to support these processes beyond the functionality of traditional document management or spreadsheet-based solutions. A new software market originated, and the more innovative vendors started to use their software solutions to support additional processes in the areas of risk management and compliance. This was the beginning of a new market called ‘Risk Management’ or ‘Governance, Risk and Compliance (GRC)’ software.

Customized versus Configured

As a result of an increase in supported use-cases, including Operational Risk Management, Internal Audit, Business Continuity Management, Information Security and Policy Management, the complexity of GRC projects has grown considerably. The more use-cases a single software platform supports, the more it needs to harmonize approaches and methodologies and align them at a corporate level. Vendors who chose the path of customized, code-based implementations are now struggling with the maintenance of their platforms, and vendors who failed to innovate are now competing in the point-solution segment. The current GRC space is dominated by vendors who embraced a holistic view of GRC and created a flexible, configurable architecture to support any use-case imaginable, while remaining on a single code-base for all clients. If you are interested in the technology behind the scenes of GRC software, you should check out the blog entry on this topic from Anton Lissone, Chief Technology Officer at Nasdaq BWise.

Keys to Successful GRC Projects

We’ve been working hard over the last decade to find the perfect way to implement off-the-shelf GRC software. While there is no such thing as ‘one best way to Rome’ when it comes down to implementing GRC software, there are definitely approaches and tactics which are more successful than others. Successful GRC projects find the balance between respecting the cultural and organizational context in combination with selecting the right implementation approach, while also taking into account the essential project success factors.

While this balance is essential for reaching success, well-designed technology can significantly contribute to project success as well. More and more companies are embracing the ‘Best Practice Solution’ approach, which is a quick and effective way to ensure high-quality delivery. This approach optimizes the balance between the traditional project management variables of quality, effectiveness and budget.

In the coming posts, I will take a deeper dive into the best practice implementation approach and other elements to consider to help ensure successful implementations. For more information, please contact us.


Tom Passon is the Head of the Product Innovation and Global Standards Group at Nasdaq BWise, a department staffed with experienced BWise professionals responsible for delivering the complete portfolio of activities in relation to BWise product/solution releases, training, quality assurance and pre-sales support. He was one of the early joiners of the (former) BWise organization and contributed in the roles of Consultant, Project Manager, Professional Services Manager and various commercial roles to the growth and success of the company. He has devoted his professional career to GRC software, beginning with one of the Big Four consulting firms. He graduated from Radboud University in Nijmegen with a Masters in Information Management.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.
