The True Cost of Compliance
Survey reveals that doing the bare minimum is roughly the equivalent of an invitation to financial disaster.
There are two distinct sets of governance, risk management and compliance (GRC) technologies floating around many enterprises these days. The first set focuses on the financial controls required for the business, while the second is generally a subset of those technologies focused on IT activities. Unfortunately, this bifurcation of GRC tends to result in a lot of redundant activity and acquisition of duplicate software.
The folks at SAP are arguing that the GRC activity being done within most IT organizations is really just an extension of the financial controls that companies need to put in place as part of any GRC strategy. As such, SAP this week released a coordinated set of updates to the SAP GRC portfolio, which includes new versions of SAP BusinessObjects Access Control, SAP BusinessObjects Risk Management and SAP BusinessObjects Process Control.
Beyond just trying to reduce the cost of GRC, Jim Dunham, SAP group vice president of GRC solutions, says the SAP suite of offerings includes embedded business intelligence software that will make it easier for a business to get more value out of GRC investments by streaming the data these applications gather into SAP analytic applications. The end result is a more unified approach to GRC that eliminates a lot of redundant activities.
Most IT folks are not big fans of GRC because it takes a lot of time away from their primary IT activities. Dunham says that once the company's GRC activities are unified, the people in charge of managing financial risk should be able to roll up many of the IT GRC activities as part of their larger mandate.
How long that may take is anybody's guess. But it's clear that the GRC activity within far too many companies is fragmented, resulting in duplicate work that wastes a lot of time. Whatever approach companies take to GRC, it would be a good idea to take a step back and reconsider the overall strategy, because you'll be surprised to find how much of your GRC activity is out of control, which is a great irony in itself when you think about it.