A summary of my recently completed research into the governance, risk and compliance (GRC) offerings of leading software suppliers and what users think about the subject is available on IT Business Edge here.
It's my kick-off deliverable to the ITBE contributors group as an analyst on enterprise software and related IT trends, following three months of very enjoyable ITBE blogging. I hope the summary and other forthcoming ITBE articles generate the same kind of user-centric comments and e-mails that the blog has already sent my way. We really want to hear from you, enterprise software suppliers and users alike.
My major finding with GRC as of July 2008 probably isn't surprising to those of you already using GRC software: one size does not fit all. Think of it as G and R and C as well as thinking of all the functions combined. That the three have to be looked at separately implies that a good amount of in-house effort or outside consulting is needed if IT management and staff want to pull the three together for better control. So it wasn't surprising that before the "ink was dry" on my summary, Microsoft and Bearing Point announced another GRC "solution" running on top of Microsoft SharePoint. The two companies' joint press release said:
The new risk-based compliance solution will address the unique needs of clients across all industries as they work to keep pace with today's increasingly complex regulations. Initially, the companies will aggressively market to pharmaceutical, energy and financial services companies as well as government agencies.
This concentration on three particular industries possibly signals a way to pull G and R and C together most easily, albeit still with systems integration help from someone like BearingPoint required (so it really isn't a "packaged solution").
Or you could lead the effort in your industry through an open source or other collaborative investment. One of the major themes in my enterprise software blogging is that IT has to stop re-inventing and re-inventing and re-re-inventing the wheel. Software has to be dragged out of its cottage-industry stage kicking and screaming.
My secondary finding in the GRC research is that not that many IT managers and staff are thinking about GRC or "G and R and C" yet. That could be a problem because the interest of shareholders, stakeholders, customers, suppliers and your own management in the subject is becoming intense. That means IT is in peril of losing control of the resources for which it is responsible in a way similar to what happened during the PC revolution of the 1980s and 1990s. Don't let that happen in your shop.