jump to navigation

A Little somethin’ about GRC May 5, 2007

Posted by Amit Chatterjee in GRC.

Thank you to everyone who bothered to read the first blog.  To those readers that gave me some great insight on how to blog properly, like including my picture etc —  good news, I finally have been put in touch with a real pro team that will help me manage my blog.  Karl Perron, the head of Global Deployment and Operations for SAP GRC is promising that my work will look much slicker in 4 weeks.  So until then, please focus on content.

 I wanted to start by testing a concept — can the availability of software assist in the transformation of an organizational structure?

I ask this because recently I have run into companies where we are actually are having discussions with people who have “GRC” on their business card.  6 months ago, this would not have happened.  It has been less than 12 months, and business has been booming for us.  Just a spectacular run.   Yet, even with that run, I never thought I would sit across a “GRC” person.

So I did a little research, and surprisingly, Mike Rasmussen from Forrester Research (Mike is really prolific), has also noticed this massive change.  He attributes it to political battles between different stakeholders.  While the root cause of political battles are interesting to those within organizations, watching this from a vendor’s standpoint left me a bit speechless. 

So while quiet, I did some thinking.  Here’s what i came up with:  when CRM came out, there was no political battle, nor as far as I could tell between indirect procurement and direct procurement when SRM was released.  However, marketplaces, e-commerce, shared services, BPO, emerged, politics became a mainstay. 

I was left with the notion that while traditional software that refine the viscosity of doing business with slipstream effectiveness, shows tremendous bottom-line impact, the software is not truly disruptive.

However, when the software impacts an organization in such a way that you can redefine its importance to the organization, or begin to document financial or material business impact, suddenly organizations are quick to capture the change management.  Simply put, if the software enables the business to improve or provide better transparency for an organization, the organization might adjust how that software can be deployed. 

For instance, basic fundamentals for GRC ensure that most companies use them on traditional applications to prevent financial fraud (Compliance, right?).  However, the moment you start thinking about controls from a business standpoint, and not an audit standpoint, you change the business flow. 

To give you an example, I was in China earlier this year and met with a few customers.  Sicne most were not listed on NYSE or NASDAQ, they did not care about SarbOX.  In fact, I did not think we could make an impact.  Then we asked a simple question about control in the business, preventing fraud, and ensuring that they as managers knew what was going on.  Suddenly they converted from skeptics to buyers.  Controls and insight into the business had immense value, adhering to regulators did not. 

I tell this story because that disruption is at the core of what is going inside organizations.  IT, Security, Corporate Secretary, Internal audit, Compliance management, Risk management are all departments that within specific companies and industries will by default be the lead consolidator to take advantage of bringing G, R and C into a single leadership. 

Here is how it could play out:  in process industries Compliance will define the GRC organization.  For Financial services, I bet it will be Risk Management that rules the day.  I could see that for high tech a combination of Compliance and Risk management leaders could define the integrated group.  People intensive industries will have Security dominate the front-lines (Privacy in retail, physical security in mines). 

Most interesting change will be for the internal audit teams.  Their role changes as integrating with these various groups will mean greater transparency, but with that comes uncertainty along determining what is materially relevant to manage and control. [h’m, if only I had software that could help me manage these risks and controls…]

The disruption is inherent in these orgs.  If you really want to read why this software transformation will give organizations a chance to change, dust off a copy of James March’s  A Garbage Can Model of Organizational Choice.  I read that in college at some-point in a political science class (I never thought it would be much use).  Here is the summary:

Organizations are a collection of :

  • Choices looking for problems
  • Issues and feelings looking for decision situations where they might be aired
  • Solutions looking for issues for which they might be the answer
  • Decision makers looking for work

Why “garbage cans”?  It was suggested that organizations tend to produce many “solutions” which are discarded due to a lack of appropriate problems.  However, problems may eventually arise for which a search of the garbage might yield fitting solutions.

For those risk managers reading this, it screams risk management.  An afterthought at one point risk management done right has the potential to be the driver of transformation within a company. 

Business change driven by software that drives organizational change which advances the need of this software.  I really think GRC is a space meant for synergy between technology and business disruption.  

I would like to hear from the blogosphere.  Is GRC the Ultimate garbage can?