Conventional enterprise governance, risk, and compliance (GRC) processes have been a valuable tool for firms to manage risk through simple, structured controls and processes. However, traditional GRC is inadequate and, as a result of a focus on controls, has failed. Firms need to move beyond traditional GRC.
Traditional GRC has failed. GRC processes have failed to prevent serious compliance breaches and failures of governance, and to manage risk effectively. GRC processes failed to alert financial institutions to the risks that led to the financial crisis and to prevent the seemingly innumerable banking scandals since then. This is not simply a financial services problem, as energy firms and pharmaceuticals manufacturers, for example, have also faced failures and fines stemming from the inadequacies of GRC processes.
Traditional GRC is outdated. GRC is stuck in the 90s and trapped by its roots in IT security and the COSO framework. Too focused on business process, systems, frameworks, and controls, and too static, GRC neglects the human factor and organizational psychology. In many cases, firms with seemingly robust GRC frameworks suffered failures because these frameworks and processes were bypassed or ignored by employees.
GRC needs a stronger focus on people and behavior. The LIBOR, London Whale, and PPI scandals, among others, have shown the crucial importance of behavior and conduct in avoiding governance, risk, and compliance failures. Any realistic GRC strategy needs to address how employees are motivated and how they react to incentives.
GFRC – GRC linked to finance – is needed. To establish this, performance measurements and remuneration need to be brought into GRC. The scope of GRC will have to expand to include risk-adjusted financial metrics and combine quantitative and qualitative data. Chartis believes firms should replace ‘GRC’ as a concept with GFRC – Governance, Finance, Risk, and Compliance. This will incorporate areas currently missing from GRC, including conduct, model, economic and regulatory capital, and reputational risk management, as well as practices such as enterprise stress testing.
Next-generation GRC technology is required. Firms will need to invest in technologies such as flexible data access, social media monitoring, artificial intelligence, and high-performance computing. As no two firms will have the same GRC processes, firms need agile, component-based solutions that allow users to define requirements and use a business toolkit to design the solution.
This report covers the trends in enterprise GRC technology and the drivers in the market. It also uses Chartis’s RiskTech Quadrant® to explain the structure of the market. The RiskTech Quadrant® uses a comprehensive methodology of in-depth independent research and a clear scoring system to explain which technology solutions meet an organization’s needs. Chartis considers Thomson Reuters to be one of the leading vendors offering enterprise GRC solutions.