Enterprise GRC Solutions 2014: Time for GFRC? - Thomson Reuters Vendor Highlights

Conventional enterprise governance, risk, and compliance (GRC) processes have been a valuable tool for firms to manage risk through simple, structured controls and processes. However, traditional GRC is inadequate and, as a result of a focus on controls, has failed. Firms need to move beyond traditional GRC.

Traditional GRC has failed. GRC processes have failed to prevent serious compliance breaches and failures of governance, and to manage risk effectively. GRC processes failed to alert financial institutions to the risks that led to the financial crisis and to prevent the seemingly innumerable banking scandals since then. This is not simply a financial services problem, as energy firms and pharmaceuticals manufacturers, for example, have also faced failures and fines stemming from the inadequacies of GRC processes.

Traditional GRC is outdated. GRC is stuck in the 90s and trapped by its roots in IT security and the COSO framework. Too focused on business process, systems, frameworks, and controls, and too static, GRC neglects the human factor and organizational psychology. In many cases, firms with seemingly robust GRC frameworks suffered failures because these frameworks and processes were bypassed or ignored by employees.

GRC needs a stronger focus on people and behavior. The LIBOR, London Whale, and PPI scandals, among others, have shown the crucial importance of behavior and conduct in avoiding governance, risk, and compliance failures. Any realistic GRC strategy needs to approach how employees are motivated and react to incentives.

GFRC – GRC linked to finance – is needed. To establish this, performance measurements and remuneration need to be brought into GRC. The scope of GRC will have to expand to include risk-adjusted financial metrics and combine quantitative and qualitative data. Chartis believes firms should replace ‘GRC’ as a concept with GFRC – Governance, Finance, Risk, and Compliance. This will incorporate areas currently missing from GRC, including conduct, model, economic and regulatory capital, and reputational risk management, as well as practices such as enterprise stress testing.

Next-generation GRC technology is required. Firms will need to invest in technologies such as flexible data access, social media monitoring, artificial intelligence, and high-performance computing. As no two firms will have the same GRC processes, firms need agile, component-based solutions that allow users to define requirements and use a business toolkit to design the solution.

This report covers the trends in enterprise GRC technology and the drivers in the market. It also uses Chartis’s RiskTech Quadrant® to explain the structure of the market. The RiskTech Quadrant® uses a comprehensive methodology of in-depth independent research and a clear scoring system to explain which technology solutions meet an organization’s needs. Chartis considers Thomson Reuters to be one of the leading vendors offering enterprise GRC solutions.
