In the last few years, for instance, companies have had to pay attention to the risk of cyberattacks on corporate computer networks and the risk of security breaches that can result in significant losses.
technology also has its place in helping to manage risk. GRC (Governance, Risk & Compliance) technologies are one of the ways that companies can do this.
GRC software really came into its own with Sarbanes-Oxley, and many of the major Fortune 500 companies already have implemented GRC initiatives.
Interest in GRC technology is increasing now as a result of some recent risk management failures--the most obvious being the collapse of so many banks and the meltdown of the financial markets last year.
While the banks have certainly had their share of problems, there have been other industrywide risk management failures as well--from product recalls to corporate fraud and bribery cases--which have also put risk management questions in the spotlight.
Risk management is also attracting legislative attention. U.S. Sen. Senator Charles E. Schumer, D-N.Y., and Sen. Maria Cantwell, D-Wash., introduced legislation in May aimed at increasing accountability at public companies and curbing the types of excessive risk-taking and runaway executive compensation that contributed to the country's current economic problems.
The legislation, dubbed the Shareholder Bill of Rights Act of 2009, requires, among other things, that public companies create a board risk committee, rather than leaving the task to the audit committee.
In the meantime, compliance is also a growing concern. As companies expand into more markets and new jurisdictions, keeping track of regulations and managing compliance becomes an ever-growing challenge.
The question is whether any of these GRC programs really work?
For answers I turned to Chris McClean, an analyst at technology research firm Forrester Research. McClean is an expert on GRC software and, as it turns out, had just finished a detailed product evaluation rating some 14 vendors. A report on his findings was due by the time this column is published.
"There are great technologies out there," he said. "A lot of companies are doing very good things with it."
But, these technologies do not do everything. Forrester in an earlier report noted that vendors with software built for document management, controls testing, quality management and many other functions have made substantial progress in solidifying their GRC offerings. However, the market is still a long way off from a complete GRC package.
Enterprise GRC platforms come the closest, providing the core components needed for companies to define, coordinate and document the business processes necessary for comprehensive GRC.
The bottom line, McClean said, is that this software can do a good job helping companies manage and consolidate information. But it can't take the place of good policy and smart people. Relying too much on technology is definitely a pitfall, he said. Instead, companies need to be clear about their objectives and should set clear goals to be accomplished over a specific timeframe.
PATRICIA VOWINKEL has worked for national media outlets for more than 20 years.
August 1, 2009
Copyright 2009© LRP Publications