What do you look for in a GRC provider?
Pike and Spencer: An excellent GRC provider should have a number of traits. It should be stable and sound – GRC is a relatively young practice that requires heavy investment and a long-term view of the market in order to succeed. This requires an established provider with the ability and resources to continually invest in its GRC offering so that it changes to meet your needs.
It needs to understand risk and compliance in all of their facets. Many GRC providers have arrived on the scene with an understanding of only one GRC area, such as audit or Sarbanes-Oxley compliance. To truly understand GRC, a provider must have clients and internal experts for all parts of GRC, and must be able to leverage those assets in the development and implementation of their solution.
It is also vital that your provider has a vision of GRC business practices and how they might be implemented. Although most clients have their own vision and approach, it is important that a provider’s products and services have a cogent methodology behind them. This does not mean that a system cannot be tailored to meet your requirements, merely that a provider should add value to your implementation.
Finally, a provider must understand your business. Risks are only relevant in the context of your business objectives. Pharmaceutical companies, for example, are concerned about different risks and regulations to those that banks are concerned about. Many GRC providers simply provide generic tools and have no clear understanding of their clients’ business. It is vital that your provider be focused on your industry so it can provide a solution that meets your needs.
Ridgway: When we looked at the market, we had some key considerations. Has the tool really been designed as a GRC system, or is it just a number of different modules that a provider is trying to glue together? Is the provider able to articulate what GRC is and its potential benefits, and reflect this in tool design now and for the future? We need flexibility to enable us to configure a GRC system to reflect our business, and the system needs to reflect the fact that multiple control functions will need to use it and, therefore, needs a range of tools that can talk to one another. It needs to have a structure that allows each control function to do its job but knits together at the top. Cost is also a major consideration.
Kapoor: An effective GRC system must allow for seamless collaboration, easy decision-making and increased transparency between different business units and functional groups such as internal audit, operational risk, enterprise risk, regulatory compliance, financial and legal. The system should maintain the segregation and federation of functional processes. A flexible and extensible data model that enables design of multi-disciplinary and integrated GRC ecosystems spanning a range of control and assurance processes is a must. MetricStream is witnessing the rapid adoption of its GRC platform – considered one of the most flexible GRC software systems in the industry – which is particularly critical in financial services given the complex and global organisation structures with multiple business lines. The platform contains several core functionalities such as a built-in reporting engine, a data integration engine, a workflow engine, an advanced security model and enhanced accessibility to facilitate the integration of GRC programmes.
Many organisations are beginning to realise the benefits of replacing legacy and first-generation systems with an integrated GRC platform that allows them to run different GRC processes – such as maintaining control libraries; qualitative risk assessments and quantitative modelling engines; issues; loss management; Sarbanes-Oxley; audits; analytics; action plans; regulatory intelligence tracking; and relationships with regulators – on one common but federated information model. For example, one of our customers – a large global financial institution – replaced separate data repositories with a common library for risks, controls, regulations, audits, key risk indicators and losses across all of its product lines, thereby enabling different groups to share and leverage information and data from across the enterprise.