Using our research, best practices and expertise, we help you understand how to optimize your business processes using applications, information and technology. We provide advisory, education, and assessment services to rapidly identify and prioritize areas for improvement and perform vendor selection
We provide guidance using our market research and expertise to significantly improve your marketing, sales and product efforts. We offer a portfolio of advisory, research, thought leadership and digital education services to help optimize market strategy, planning and execution.
Services for Technology Vendors
We provide guidance using our market research and expertise to significantly improve your marketing, sales and product efforts. We offer a portfolio of advisory, research, thought leadership and digital education services to help optimize market strategy, planning and execution.
I recently attended Vision 2012, IBM’s conference for users of its financial governance, risk management and performance optimization software. I reviewed the finance portion of the program in a previous blog. I’ve been commenting on governance, risk and compliance (GRC) for several years, often with the caveat that GRC is a catch-all term invented by industry analysts initially to cover a broad set of individual software applications. Each of these was designed to address specific requirements across a spectrum of users in operations, IT and Finance within a company, often to meet the needs for a specific industry such as financial services or pharmaceuticals. Vision 2012 covered a lot of ground under the GRC heading, confirming the breadth of both this software category and IBM’s offerings in it. I want to focus on two areas: automation of IT governance activities and effective management of GRC-related data.
The event coincided with the final stages of our own GRC benchmark research, which finds that most organizations are immature in how they manage governance, risk and compliance. Our Maturity Index analysis places nearly two-thirds (63%) of participating organizations in the bottom two of the four levels that comprise the framework of our maturity assessment. Just 8 percent reached the highest Innovative level. Our assessments examine the people, process, information (mainly data) and technology (mainly software) aspects of a given business area. Software is important because it can enable more automated processes, which, in turn, can improve the efficiency with which they are performed. As well, data accessibility, consistency and accuracy can be significant issues within most governance, risk and compliance processes.
Using software effectively and safely for governance and risk management requires IT system controls. Today, most of the core activities in midsize and larger organizations depend on IT systems. Strong IT controls therefore limit the potential for financial fraud, operational disruption or theft of intellectual property, among the most significant areas of vulnerability.
Effective IT controls in turn require the ability to execute periodic mapping of risk. This involves identifying and assessing risks, tracking their incidence, reporting on these events as they occur, developing methods to mitigate the negative consequences when risk events occur and managing the mitigation process. Risk mapping is a collaborative, repetitive process that, done properly, improves the quality and consistency of risk identification and assessment. Using dedicated software to manage the risk mapping process promotes consistency, completeness and the use of a common language and metrics. It also increases the efficiency of IT governance and reduces the incidence of risk management failures.
To illustrate the value of this sort of automation, IBM demonstrated its OpenPages application performing periodic IT mapping. OpenPages, which IBM acquired in 2011, is designed to automate and support the IT risk assessment process. IBM has confirmed that clearly and consistently assessing the probability and potential severity of the impact of individual IT risks and identifying the necessary controls makes it possible to establish a prioritized plan for managing IT risks. An application such as OpenPages is well-suited to the task because it facilitates process management (through automated workflows), collaboration (by facilitating communication) and documentation (information is collected in a structured and consistent fashion). But this capability is apparently ahead of the curve, as our GRC benchmark research shows that only 14 percent of participants have adopted an application similar to OpenPages. Most manage these sort of IT risk management efforts in a partially automated fashion, using email, desktop word processing software and spreadsheets. Especially for larger companies, we believe this approach is far more labor-intensive, less adaptable to changing requirements and less effective in managing risk.
From my perspective, a second important point that came out of the conference is the need for a dedicated store of risk data that serves the needs of multiple sets of users. Managing GRC-related data is a pressing need for a majority of companies. Fewer than one-third (29%) of the participants in our benchmark research scored in the upper half of our maturity assessment for information. Data itself can be a serious impediment to effective GRC. Data availability and accessibility issues often contribute to excessive use of spreadsheets, which in turn create accuracy and consistency problems and promote inefficiencies. This applies to many regulated industries but most certainly to banks and other financial services companies.
Issues in availability and consistency of data necessary for managing a variety of compliance and risk management requirements arise in financial services companies that create the information needed for risk management and compliance in multiple systems. The problem is acute not only in, say, banks that have evolved organically, it’s made worse by those that have grown through acquisitions. This is because typically the data originates in systems that were provisioned to address the needs of one constituency but now has to be used by a variety of risk management and compliance groups, each with different requirements. Standard extract, transform and load (ETL) methods don’t work well enough for these users. The transformations have to be made at a more granular level to permit the variety of reporting and risk analysis and measurement requirements. A successful risk data store therefore must not only manage the information technology challenge but also accommodate each of the multiple constituencies that need to be part of the process, including all regulatory and operational risk groups.
This data management issue was a tangential point in a broader presentation on coping with the Dodd–Frank Wall Street Reform and Consumer Protection Act. This connection indicates why I think CIOs in financial services should make having a risk data store a priority. Financial services companies almost certainly will have to continue adapting to rapidly changing and growing regulatory requirements in the coming years. The return on the investment is likely to be higher than many assume because the pervasive use of spreadsheets creates multiple hidden pockets of inefficiency. A properly configured risk data store makes adapting far easier.
Proper use of information technology to support GRC processes and requirements is important because it increases the efficiency with which companies execute what are usually administrative functions that have little or no direct economic value to the corporation. Improving IT control and governance is crucial because effective IT systems can be the most efficient and effective means of controlling operational processes. (For example, IT access controls combined with IT process controls offer the best protection against many types of financial fraud.) Investments in IT controls therefore can generate attractive returns. Similarly, improving GRC-related data accessibility and data quality can also be a worthwhile investment. I recommend that companies have an ongoing process for assessing technology and data gaps in how they execute their governance, risk management and compliance-related processes to address opportunities to enhance efficiency.
Regards,
Robert Kugel – SVP Research
Robert Kugel leads business software research for ISG Software Research. His team covers technology and applications spanning front- and back-office enterprise functions, and he runs the Office of Finance area of expertise. Rob is a CFA charter holder and a published author and thought leader on integrated business planning (IBP).
Ventana Research’s Analyst Perspectives are fact-based analysis and guidance on business,
Each is prepared and reviewed in accordance with Ventana Research’s strict standards for accuracy and objectivity and reviewed to ensure it delivers reliable and actionable insights. It is reviewed and edited by research management and is approved by the Chief Research Officer; no individual or organization outside of Ventana Research reviews any Analyst Perspective before it is published. If you have any issue with an Analyst Perspective, please email them to ChiefResearchOfficer@isg-research.net