The metamorphosis of GRC (Governance, Risk and Compliance) solutions

Sreelatha S
Apr 28, 2022

Photo by Suzanne D. Williams on Unsplash

OCEG (Open Compliance and Ethics Group) coined the term GRC (Governance, Risk and Compliance) to refer collectively to the processes and people that perform risk monitoring and management, internal audit, compliance and related activities within an organization. The term GRC was coined in early 2000.

OCEG defines GRC as:
GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.

GRC has evolved from its first version in 2002, GRC 1.0, to the version we have today, GRC 5.0. Before we look at that journey, let us quickly review what G, R and C mean in GRC solutions.

  • Governance (G): Governance describes the processes, rules and policies that are created or in place for performing activities ethically, aligned to support the business goals.
  • Risk management (R): Risk management involves identifying, monitoring, remediating and managing risks that have the potential to hinder the business or cause unexpected damage to business operations.
  • Compliance (C): Compliance is an organization’s ability to adhere to the standards, regulations and best practices mandated by the business and by relevant governing bodies and laws. Failing to comply can result in huge penalties, litigation, brand damage and fines. Compliance standards and regulations come in different flavors: they can be dictated by the organization itself, by the industry in which the business operates, or by the laws of the country in which the business operates.

For any organization, performing and managing its activities around the requirements of G, R and C can be daunting, especially given the evolving role of technology in business, widespread digitization and a changing regulatory landscape. Out-of-the-box solutions that provide the tools needed to implement GRC efficiently within an organization are therefore key. This has led many vendors to come up with their own GRC solutions and platforms. These solutions and platforms have evolved in their capabilities as needs have changed, and that in turn has driven the evolution of GRC standards themselves. With this context, let us see how GRC has evolved, where it is today, and what it promises for the future.

GRC 1.0

GRC 1.0 took form when the Sarbanes-Oxley Act (SOX) came into effect, which made it necessary for organizations to ensure the transparency and auditability of their internal controls and financial reporting. GRC 1.0 mainly consisted of the policies, processes, tools and guidelines that helped with compliance to SOX. The GRC 1.0 period spanned 2002–2007.

GRC 2.0

GRC 2.0 took shape between 2007–2012, by which time organizations had got around to successfully implementing processes and policies to comply with SOX. Enterprises now needed a common solution that all their business units could use in a synergistic manner to define and implement the rules, processes and policies that address their governance, risk management and compliance requirements. It was during this period that enterprise GRC solutions and platforms became a need and started surfacing as a solution for enterprises.

GRC 3.0

GRC 3.0 covered the period 2012–2017. The GRC solutions of the GRC 2.0 era were proving useful, but for an enterprise with multiple business units they were fragmented and chaotic. There was an increasing need to talk to disparate systems, bring in information, monitor or manage multiple siloed systems and applications, and do all of this consistently across all departments of an organization. This paved the way for a better and much more integrated GRC standard and solution that offered best-of-breed risk, compliance and control capabilities.

GRC also started to evolve where it was no longer just about the back office of GRC processes (what some would refer to as the second and third lines of defense), but it was also about the front lines of the organization (first line) that are making risk and compliance decisions that impact objectives every day. (Source: A History of Technology for GRC)

GRC 4.0

The GRC 4.0 era started in 2017 and remained relevant until 2021. GRC solutions leveraged some of the technology shifts of the period to offer:

  • Less need for customizations
  • No-code or low-code development using configuration on GRC solutions or platforms
  • Intuitive and interactive dashboarding and UI experiences
  • Enabling of citizen development and use of GRC solutions
  • Single pane view for front and back offices within an organization
  • Agility

Though GRC 4.0 is still current and a viable GRC standard, advances in artificial intelligence have paved the way for the next wave, or GRC standard.

GRC 5.0

GRC 5.0 was born in 2021 and is the most recent GRC version. GRC 5.0 mainly explores the role and impact of cognitive/artificial intelligence technologies on GRC. Its focus is the use of machine learning, natural language processing and predictive analytics in GRC solutions, and how these help address some of the evolving risk and compliance monitoring and management requirements. GRC 5.0 solutions and their adopters are in the early stages, and the effectiveness and success of these solutions remain to be seen.

4CRisk.ai, and IBM with IBM OpenPages with Watson, offer GRC 5.0 solutions, which may play a significant role in the adoption and shaping of GRC 5.0.
