When Lamond Kearse became the New York Metropolitan Transit Authority's first-ever chief compliance officer in 2004, the 68,000-employee organization had no compliance system at all.
Today, information once buried in thick spreadsheets and Word docs is just keystrokes away—or even pushed to Kearse's attention automatically. The MTA's experience is an example of an enterprise governance, risk, and compliance system beginning to realize the sort of potential the industry has been heralding for years. And the MTA isn't done yet, Kearse says. The MTA's Oracle GRC implementation, which began in 2009, is still underway.
“This is a huge organization. The rollout has to be slow and strategic,” he says. “Technology can't replace the physical work to be done to understand processes and how they impact various parts of the organization and how to best capture them in the system.”
After years of industry consolidation (EMC bought Archer, IBM bought OpenPages, and Thomson Reuters bought Paisley, among others), integrated enterprise GRC systems are, as the MTA's case illustrates, ready for prime time. What's lagging now is the market, says John Wheeler, Gartner's research director for risk and security management programs.
Despite what he describes as “a lot of maturity and consolidation on the platform side,” potential buyers are just now starting to emerge from the low-spending years following the 2008 financial crisis. Gartner is getting more inquiries and seeing an increase in requests for proposals, which Wheeler expects to continue. “I think people understand they need to get back to basics and get a more consistent picture across the enterprise,” Wheeler says.
For companies with point solutions in place, Wheeler says there's increasing interest in risk analytics to make use of the data those systems are collecting. Companies with and without existing GRC software are often looking to integrate risk assessment across the enterprise under a common framework and terminology, Wheeler adds.
Some industries are ahead of others. It's not often that, in New York, the transit authority has more sophisticated and integrated software systems than the financial industry. That's the case with enterprise GRC, though. John Soffronoff, president of the compliance practice at ICS Risk Advisors, says that, rather than enterprise GRC platforms, he still sees different systems in different departments at big financial-industry clients—and small- to mid-size firms are still working in spreadsheets.
“I've talked with vendors representing most of the largest institutions, and I'm not sure any of them have gotten to that point yet,” Soffronoff says. “I know they all want to be there.”
To a large extent, Kearse and the MTA are already “there.” The MTA's system provides an enterprise perspective on compliance risk. For example, the system can map regulations to the business processes those regulations affect, so Kearse can see the chain of effect when a regulation changes.
If an Environmental Protection Agency regulation changes, for example, Kearse can click on the regulation in the system and it lists the major business processes the change impacts—in this case construction, environmental compliance, and legal.
The system automatically generates and e-mails him custom reports. As controls are being tested, he has a real-time view into how that testing is going. And if it looks like the control is failing, “I don't have to wait for somebody to tell me,” Kearse says. “I now have a better sense that I know some of the things I didn't know before,” he says. “It may not be great, but at least you know.”
The consolidated view enterprise GRC brings can save money in addition to lowering risk, says Colin Campbell, senior vice president of GRC product management at SAI Global. He gives the example of the interplay between hotline reporting and training programs. Do harassment-related hotline calls, for example, follow in the wake of harassment-related training? The answer can shed light on whether training is working, and on what training should come next, he says.
These sorts of insights must be earned, though. Robin Basham, managing partner for EnterpriseGRC Solutions, stresses the importance of thoroughly understanding and cataloging internal processes, complete with “valid owners, valid systems, and valid vulnerabilities.”
Basham says she's consulted with companies who purport to have all this, but instead share with her a set of purchased templates. “A lot of companies fail to understand the importance of that inventory of internal processes. Without that brick, the entire wall will come down,” she says.
From a more technical perspective, Basham says a GRC platform's capacity to interact with other applications is vital. “The API [application program interface] and the API loader are the most important things if you're going to buy a product,” she says. “If that's not a priority, then I recommend companies stick with what they have and prototype a GRC system for a few years with SharePoint.”
Once a company decides to take the enterprise GRC plunge, implementation can be a battle. Getting support from the board wasn't the issue, Kearse says: They're on the legal hook and aren't much interested in perusing raw compliance assessments, either.
In the trenches, though, it can be hard to get people to let go of their spreadsheets—or in other cases the very way departments go about risk quantification. Internal auditors may assess risk on a 1-to-10 scale. Operations may use high-medium-low.
“Getting everybody to agree to a specific methodology is not easy,” Soffronoff says. “There are going to be turf wars.”
Hammering out truces involves making clear not only the organizational wins, but also the personal ones. One area that often fits this bill is eliminating redundant controls. In the MTA's case, streamlining accounts payable risk assessments saved a lot of effort in the business units, Kearse says.
“There's obvious benefit to the organization, but you have to spend the time doing the Fuller Brush routine: ‘This is why it's better for you. This is why it'll make it easier for you,’” Kearse says.
It's made things easier for Kearse, too.
“It helps me really understand what our vulnerabilities are, if controls are in place, and if we're responding adequately to the regulatory environment,” Kearse says. “I sleep at night.”