Managing enterprise-wide, operational, and IT-related risk has surpassed regulatory compliance as the top governance, risk management and compliance (GRC) priority at most organizations, according to a new report from AMR Research.
No longer just a U.S.-centric concern tied to compliance with 2002's Sarbanes-Oxley Act (SOX) and other specific regulations, GRC has evolved into a set of practices to manage and mitigate the full array of risks organizations face, according to John Hagerty, the report's author and research fellow at the Boston-based research firm. Driven both by regulatory concerns and inter-company policy initiatives, GRC affects organizations in all industries in all corners of the world.
"GRC really sprang up from people's approach to managing some of the concerns around Sarbanes-Oxley," Hagerty said. "Organizations that didn't have to deal with that, which was any private firm in the United States as well as any firm that didn't trade on U.S. exchanges -- the rest of the world, pretty much -- didn't care about it." But times have changed, he said.
Regulatory compliance is still a concern, but today companies are also focused on protecting their corporate image. Avoiding a high-profile data breach, like the breach at TJX in 2006, and media pressure to be a responsible corporate citizen have given risk management a higher profile within many organizations.
"Let's use the example of emissions. No one wants to be tagged a polluter, so there could be either laws in a specific domain [that restrict emissions] or there could be a mandate from the executives saying, 'We will reduce our emissions,' " Hagerty said. "This is where risk comes in because what you're doing is determining a course of action to best protect your brand."
GRC spending expected to grow
Worldwide, GRC-related technology and services spending is expected to increase by 7.4% in 2008 to $32 billion, according to the report, which surveyed 420 companies in the U.S., Germany and Japan. Demand for GRC services and consultants will rise nearly 22% as companies look for outside help in crafting their risk management strategies.
With the emergence of risk management as a top priority, companies are starting to understand that technology investments have a direct relationship to brand risk, Hagerty said.
Hagerty divides risk management into three separate but related categories: Enterprise risk management covers high-level issues such as brand reputation and earnings vulnerability; operational risk management focuses on risks specific to certain parts of a business, including choice of suppliers and vendors; and IT risk management, which Hagerty said is fundamental to the previous two, concerns managing an organization's infrastructure to protect against technology-related risks.
Without a comprehensive IT risk management strategy, companies leave themselves vulnerable to both enterprise-level and operational-level risks. And the key to IT risk management, Hagerty said, is data security and data management.
Data management key to risk management
First, and most obvious, companies need to invest in technologies that keep data secure to prevent either accidental or intentional breaches. But they must also implement effective data governance and data quality practices to assure that data used to make critical business decisions is accurate and valid.
The direct effects of a poor business decision based on wrong or outdated data -- a failed project, a late product release -- are bad enough, but the long-term consequences are often worse. Companies that don't maintain a sound data management foundation put themselves at risk of lawsuits, government censure and, worst of all for some, corporate embarrassment.
In this way, risk management has much in common with business intelligence (BI), Hagerty said. Gaining an accurate picture of a company's assets and information is the basis of both, he said, but companies employ the former to mitigate risk and the latter to improve performance.
"Risk is all about visibility and having people really understand what's going on, and performance management and BI are all about that as well," Hagerty said. "They're two sides of the same coin, as far as I'm concerned, except they look at [the data] from a completely different perspective."