Sometimes, it takes a painful event for us to do what’s good for us. For example, many of us talk about eating better, exercising more, and generally getting healthier, but that’s all it is—until we have a heart attack. After that wake-up call, we’re forced into doing the things we always knew we should, and after we get past that first painful period of adjustment, we find we’re the better for it.
Compliance is the business world’s version of the heart attack. After the accounting scandals of the early 21st century, enterprises were forced to put in controls over their business processes, mostly in the area of Segregation of Duties (SOD), to meet compliance laws. The first-generation tools they had were adequate, like a worn-out treadmill or an old pamphlet on eating healthily, but the process was still painstaking and painful.
Looking ahead to 2010, though, it appears we’re coming out of the painful “adjusting to the new life realities” phase and moving into the part where enterprises will see real gains in the area of governance, risk, and compliance (GRC). Much of this can be attributed to second-generation tools that make GRC more affordable, especially for small and midsized enterprises. They also embed compliance into business processes and, ultimately, help executives do a better job of managing their businesses.
While it might seem odd for someone in my position to perform that riskiest feat of all—making bold predictions—here’s where GRC is headed in 2010:
• Less C, More G&R—In the rush to meet compliance after Sarbanes-Oxley (SOX) took effect, enterprises focused on getting reports done by any means possible. Some adopted painful, manual processes, while others purchased expensive “first generation” software. The work was often haphazard and sloppy because there was no roadmap or prior experience. Organizations ended up exerting a lot of manual effort to make compliance happen.
Now, though, there has been an epiphany in the business world—GRC is really about business process engineering and vice versa. The best-run enterprises have a passion for improving business operations, and are looking for ways to streamline and automate their approaches. Making GRC a part of the way they do business every day, instead of a special effort on top of the normal course of business, is a part of that.
In 2010 they won’t be looking just to comply; they will be looking to second-generation GRC tools to help them run better.
• Move to Best-of-Breed—When the big ERP systems such as SAP and Oracle were introduced, organizations tried to leverage them to do everything. What they found is that large ERP systems do some things very well, and in other areas they struggle. GRC, quite frankly, is one of those areas where they struggle.
In 2010, these enterprises will be more open to taking a best-of-breed approach, bolting better, faster, and/or cheaper solutions onto their ERP systems as necessary, which will allow them to be both more efficient and more nimble.
• Talking about Second Generation—Let’s be honest: While there are a lot of benefits to be derived from GRC, the first-generation software tools that came out in the wake of the SOX legislation were expensive, difficult to implement, and cumbersome to use. Now that enterprises have been through it a few times, however, they’re looking for ways to bring those costs down, especially the time and personnel costs, and to reduce ongoing support costs (annual software maintenance fees and IT infrastructure costs).
Second-generation GRC tools allow them to reduce their total cost of compliance (TCC) while getting more benefits out of their GRC efforts. That, incidentally, also makes GRC more attractive to privately held companies that are not covered under SOX but want to improve their business processes as well.
• Lean Staffing is the New Normal—As the recession took hold, enterprises went into survival mode, paring down staff in all areas (including IT). The mantra to the remaining personnel was “do more with less.” The early indications are that the economy will begin to recover in 2010, but rather than restaffing at old levels, enterprises will focus on improving the productivity of current staff, hiring only where there is an absolute need, and they will do it in a patient, strategic manner.
To make that work, enterprises will seek technologies to help them restructure and automate business processes so one person can realistically do the work that used to require two people in the pre-recession world. Rather than thinking about returning staffing levels to pre-2009 norms, they will find this leaner approach is the new normal.
• How Lean is Too Lean?—Organizations are coming to realize they may have overshot the mark in terms of cutting staff, deferring on technology refreshes, and other decisions to meet the challenges of the economic downturn. As a result, they are living with an increased risk of a critical operational meltdown. It’s the sword of Damocles hanging over their heads. There is a dire need to institute controls to detect and avoid a catastrophe, especially since they won’t have the IT staff to recover from it.
• Change Management Is Mission-Critical—I firmly believe 2010 will be the year that change management finally becomes mission-critical.
For a long time, far too many organizations have been lobbing changes into their Production ERP systems without a lot of governance. Unapproved or undertested configuration and programming changes can and do cause outages and errors. This is exacerbated by teams working in silos, not knowing (or caring) how their changes might impact other operations.
In 2010, it will be critical for senior executives to look at the business as a whole, and make sure the controls are in place to promote, not restrict, growth. Second-generation GRC tools facilitate the smooth implementation of changes into Production ERP systems. Automating the processes that track changes under development not only reduces the risk of problems, but actually increases the speed and precision of implementing change, resulting in increased nimbleness and competitive advantage.
• GRC’s Trickle-Down Effect—There aren’t any pending government requirements for GRC in privately held companies at the moment, but there is certainly pressure being exerted on those organizations by public companies that are their customers.
Since the public companies can be held accountable (to some extent) for the quality of their suppliers, they want to ensure their partners have strong controls as well. Fortunately, smaller public as well as privately held companies now have access to second-generation GRC tools, which make achieving those controls much more realistic and affordable for smaller organizations.
• GRC’s Destiny as a Change Agent—While it started as a way to comply with government regulations, GRC has proven itself as an outstanding agent for change in an enterprise. It allows organizations to create well-defined business processes and controls, tweak their operations, and give management visibility into what’s happening throughout the enterprise via a very precise dashboard.
Many executives are nervous as to whether they have the resources in place to handle the business when things ramp up again. Second-generation GRC tools will help them bridge that gap.
Any time there’s a life-changing event, there’s bound to be some pain, but it’s the good kind of pain that can lead to some real, tangible gains. Second-generation GRC tools can help enterprises of any size reengineer and optimize their business processes while reducing the risks that got them into their current fix in the first place.
And in the end, the organization will continue to reap the benefits long after the pain of getting there becomes a distant memory.