Involvement of more departments in setting GRC vision and strategy seen as evidence of high levels of oversight of GRC programs
Governance, risk and compliance programs that companies originally established to address urgent regulatory demands such as those under Sarbanes-Oxley are now being applied to help achieve companies’ business goals. Companies with more mature GRC programs are getting more value from them and are better able to articulate how their programs are helping improve business performance, reduce risk, and increase overall efficiency and effectiveness.
That was a key point made during an April 23 webinar, ‘Financial justification of your GRC journey,’ hosted by BWise, a NASDAQ OMX company, and Forrester Research, which focused on expanding the uses of GRC systems to support companies’ business performance. BWise was one of six vendors Forrester highlighted as having leading GRC platforms in a research report released in January. The rankings were based on an online survey of 66 individuals who are clients of vendors included in the Forrester Wave evaluation.
Forrester found that more departments across companies have begun to participate in GRC programs beyond the five that historically have been most active: internal audit, risk management, IT, corporate compliance and information risk security.
‘Even more optimistic is you’ll see more people involved in setting the vision and strategy of GRC,’ which attests to a high level of management and oversight of GRC within companies, Christopher McClean, principal analyst and research director at Forrester, said during the webinar. He is one of the authors of Forrester’s GRC research report.
Not surprisingly, nearly two-thirds of companies polled said their internal audit and risk management departments help set GRC vision and strategy. But now 30 percent of companies said their boards of directors are involved in setting GRC vision and strategy - ‘good numbers,’ according to McClean.
Another encouraging sign is that the discrepancy between departments that use the GRC system at least once per quarter and other departments using it less frequently is getting smaller, he said. The sales department is a frequent user at 35 percent of the companies polled, while human resources is one at almost one-third of companies and legal at nearly 25 percent of companies.
Companies are also starting to expand their GRC investment into other aspects of their business such as supply chain management.
‘What we’re not seeing a lot of yet is applying GRC to the top line of your business like marketing, which have similar objectives like customer satisfaction,’ he said. For example, the business continuity functionality that enables IT to minimize downtime could also help marketing lose fewer customers during the holiday season.
‘You should be thinking about how do I take the basics of GRC and think about how it can affect marketing, customer service and sales -- the things that are going to help your business grow,’ said McClean.
He cited a large contractor that applied its risk management program to its sales pipeline, concluded it could tolerate additional risk and decided to go after bigger deals. ‘They lost deals more frequently, but the deals they won were much, much larger, so they increased their sales pipeline because they applied the GRC program to their top lines of business.’
He urges companies to set specific business goals that their GRC programs can support over the next one, three and five years, stressing the long term because of how long it may take to put applications in place. ‘[Clarify] what kind of benefits GRC is going to offer the business,’ he said.
Companies should also do an honest assessment of their GRC maturity and consider, as they develop that maturity, how they are supporting their business. He suggests thinking in terms of ‘business transformation beyond risk assessments and control documentation,’ which are areas where companies are more likely to derive immediate value from GRC implementation.
‘Don’t spend a lot of time and effort and investment just to get a good policy management system,’ he advised. ‘Think about solving the policy management program right away and then taking that policy management program and moving it into marketing, HR, sales, and so forth. There’s a lot of functionality that can help those groups as well.’