
A Little somethin’ about GRC May 5, 2007

Posted by Amit Chatterjee in GRC.

Thank you to everyone who bothered to read the first blog.  To those readers who gave me some great insight on how to blog properly, like including my picture etc.: good news, I have finally been put in touch with a real pro team that will help me manage my blog.  Karl Perron, the head of Global Deployment and Operations for SAP GRC, is promising that my work will look much slicker in 4 weeks.  So until then, please focus on content.

I wanted to start by testing a concept: can the availability of software assist in the transformation of an organizational structure?

I ask this because recently I have run into companies where we are actually having discussions with people who have “GRC” on their business card.  Six months ago, this would not have happened.  It has been less than 12 months, and business has been booming for us.  Just a spectacular run.  Yet, even with that run, I never thought I would sit across from a “GRC” person.

So I did a little research, and surprisingly, Mike Rasmussen from Forrester Research (Mike is really prolific) has also noticed this massive change.  He attributes it to political battles between different stakeholders.  While the root cause of political battles is interesting to those within organizations, watching this from a vendor’s standpoint left me a bit speechless.

So while quiet, I did some thinking.  Here’s what I came up with: when CRM came out, there was no political battle, nor, as far as I could tell, was there one between indirect procurement and direct procurement when SRM was released.  However, once marketplaces, e-commerce, shared services and BPO emerged, politics became a mainstay.

I was left with the notion that while traditional software that smooths the flow of doing business shows tremendous bottom-line impact, that software is not truly disruptive.

However, when software affects an organization in such a way that you can redefine its importance to the organization, or begin to document financial or material business impact, organizations are suddenly quick to take on the change management.  Simply put, if the software enables the business to improve or provides better transparency for an organization, the organization might adjust how that software is deployed.

For instance, the basic fundamentals of GRC mean that most companies apply them to traditional applications to prevent financial fraud (compliance, right?).  However, the moment you start thinking about controls from a business standpoint rather than an audit standpoint, you change the business flow.

To give you an example, I was in China earlier this year and met with a few customers.  Since most were not listed on NYSE or NASDAQ, they did not care about SarbOx.  In fact, I did not think we could make an impact.  Then we asked a simple question about control in the business: preventing fraud, and ensuring that they as managers knew what was going on.  Suddenly they converted from skeptics to buyers.  Controls and insight into the business had immense value; adhering to regulators did not.

I tell this story because that disruption is at the core of what is going on inside organizations.  IT, Security, the Corporate Secretary, Internal Audit, Compliance Management and Risk Management are all departments that, in specific companies and industries, will by default be the lead consolidator bringing G, R and C under a single leadership.

Here is how it could play out: in process industries, Compliance will define the GRC organization.  For financial services, I bet it will be Risk Management that rules the day.  I could see that for high tech a combination of Compliance and Risk Management leaders could define the integrated group.  People-intensive industries will have Security dominate the front lines (privacy in retail, physical security in mines).

The most interesting change will be for the internal audit teams.  Their role changes, as integrating with these various groups will mean greater transparency, but with that comes uncertainty in determining what is materially relevant to manage and control. [Hmm, if only I had software that could help me manage these risks and controls…]

The disruption is inherent in these orgs.  If you really want to read why this software transformation will give organizations a chance to change, dust off a copy of James March’s A Garbage Can Model of Organizational Choice.  I read that in college at some point in a political science class (I never thought it would be much use).  Here is the summary:

Organizations are a collection of:

  • Choices looking for problems
  • Issues and feelings looking for decision situations where they might be aired
  • Solutions looking for issues for which they might be the answer
  • Decision makers looking for work

Why “garbage cans”?  It was suggested that organizations tend to produce many “solutions” which are discarded due to a lack of appropriate problems.  However, problems may eventually arise for which a search of the garbage might yield fitting solutions.

For those risk managers reading this, it screams risk management.  An afterthought at one point, risk management done right has the potential to be the driver of transformation within a company.

Business change driven by software, which drives organizational change, which in turn advances the need for this software.  I really think GRC is a space meant for synergy between technology and business disruption.

I would like to hear from the blogosphere.  Is GRC the Ultimate garbage can?



1. theotherthomasotter - May 7, 2007

(In terms of useful tools, make sure you have a look at Microsoft Live Writer. It makes writing posts a whole lot easier.)

It is time for the folks who think that GRC is just a neat way for software vendors to make money out of SOX to move on. SOX may have acted as the spark, but I’m convinced that the G and R will be more significant in the longer term.

I’d be interested to hear your views on Governance, especially about CSR.
I believe we could be doing more in CSR, both as a company and from a product perspective.

2. Karl Perron - May 7, 2007

Thanks Thomas; we’re rebuilding using MoveableType with all the bells and whistles (tag clouds, feeds, etc.) and plan to edit with Windows Live Writer (we want to give Amit ‘Blog This’ extensions so he can link to your posts, etc.).

3. amitgrc - May 7, 2007

Stay tuned. I am definitely talking about CSR later this week.

4. theotherthomasotter - May 7, 2007

Where is your blog…!-)

5. SudhanShanGRC - May 9, 2007

A very good intro to GRC…

Can you talk about the GRC landscape?

6. Jonathan - May 16, 2007

A belated welcome to the blogosphere. We have a very similar look and feel at the moment, but it sounds like Karl will quickly change that.

7. Grit - May 24, 2007

Good start on your blog. I think it might be a helpful, or at least encouraging, read for me.

A little background…I work for a LARGE international company. We recently put together a team for doing regulatory research. I’m sure it’s common that most large companies have a hard time keeping up with all of the laws and regulations that apply to them; not to mention determination of compliance.

We started our team with the intention of building a repository of such laws and regulations. We wanted to make all of the information actionable by applying perspective to the information from a legal, technical, and business angle, as well as making the information highly searchable, including alerts, reporting, etc.

Our journey through the various solutions “out there” has led us into the realm of GRC. While the two concepts don’t seem to be precisely the same, there is a relationship.

One problem we find, though, is that most GRC solutions seem to be geared toward measuring compliance and managing risk to a small number of governances; usually U.S. Federal in nature. SOX, GLBA, HIPAA would be examples of what I am talking about. However, does it seem possible to be measuring compliance to governances all the way down to municipal levels and on a global scale (I said we were LARGE)? What are your thoughts? Is it feasible to work at this level? Could make for an interesting blog entry?

8. Ian Achterkirch - May 25, 2007

Amit – great message. I especially like the China story. It demonstrates how global and wide GRC is. It goes beyond Sarbox, or financial controls. For example, the environmental impacts that global companies are having today and our awareness of them are driving global standards for performance. It will cost companies millions and could also damage their global brands unless they find ways of efficiently and transparently managing compliance in this area alone. GRC solutions will have an impact in this equation.

Looking forward to reading more.

9. Manoj Ranaweera - May 26, 2007

10. Kishore Balakrishnan’s Blog » Blog Archive » GRC and Das Leben der Anderen - August 15, 2007

[…] Amit Chatterjee, the senior vice president for SAP’s Governance, Risk and Compliance (GRC) business unit, asks “Is GRC the Ultimate garbage can?” […]

11. alain123 - April 11, 2008

This story sounds convincing! I agree with you in this case.
