Gaining Control over Your GRC

Michael Vizard

There are two distinct sets of governance, risk management and compliance (GRC) technologies floating around many enterprises these days. The first set focuses on the financial controls the business requires, while the second is generally a subset of those technologies focused on IT activities. Unfortunately, this bifurcation of GRC tends to result in a lot of redundant activity and the acquisition of duplicate software.


The folks at SAP argue that, in reality, the GRC activity being done within most IT organizations is just an extension of the financial controls that companies need to put in place as part of any GRC strategy. To that end, SAP this week released a coordinated set of updates to its GRC portfolio, which includes new versions of SAP BusinessObjects Access Control, SAP BusinessObjects Risk Management and SAP BusinessObjects Process Control.


Beyond simply reducing the cost of GRC, Jim Dunham, SAP group vice president of GRC solutions, says the SAP suite includes embedded business intelligence software that will make it easier for a business to get more value out of its GRC investments by streaming the data these applications gather into SAP analytic applications. The end result is a more unified approach to GRC that eliminates a lot of redundant activity.


Most IT folks are not big fans of GRC because it takes a lot of time away from their primary IT activities. Dunham says that by unifying the company's GRC activities, the people in charge of managing financial risk should be able to roll up many of the IT GRC activities as part of their larger mandate.


How long that may take is anybody's guess. But it's clear that GRC activity within far too many companies is fragmented, resulting in a lot of duplicate work that wastes a lot of time. Whatever approach companies take to GRC, it would be a good idea to step back and reconsider the overall strategy, because you may be surprised to find how much of your GRC activity is out of control, which is a great irony in itself when you think about it.



Mar 24, 2011 11:30 AM Nick Dordea says:

The Financial/Business side owns the data, so it is responsible for its correctness and integrity. IT is servicing the data. It seems that the new solution is delegating some of the Business/Financial side's responsibilities to IT.

But that does not mean that the Financial/Business side delegates its responsibilities. Many times, for the sake of "simplification", IT is made responsible for the data etc., and this points to the root cause of the redundancies, etc. The same happens with Disaster Recovery. IT is "empowered" to do it without clear objectives from Business/Financial.

This "ambiguity" might explain why "Most IT folks are not big fans of GRC because it takes a lot of time away from their primary IT activities."

and why "unifying the GRC activities of the company, the people in charge of managing financial risk should be able to roll up many of the IT GRC activities as part of their larger mandate" might not be the ideal solution.

The people managing the financial risk should remain the responsible party, not "rolling up" them to IT.

Tasks can be delegated; the responsibilities cannot be delegated. It is not enough to know the "GRC buzzwords"...
