Analyst Insight

Legal, government and regulatory issues encompass governance, risk management, and compliance. As a term, GRC has been bandied about for a few years, with nearly all emphasis to date on the C-"compliance." This past year, risk management has emerged as a powerful force stemming from board-level discussions to mitigate the highest priority financial, regulatory, reputation, and operation exposures in order to protect the firm, its managers, and all its assets.
-John Hagerty, vice president and research fellow at AMR Research

Business and IT executives continue to place great emphasis on governance, risk management, and compliance (GRC) activities, with spending on technology, external services, and internal manpower expected to exceed $30bn in 2008. What has been a series of disconnected compliance initiatives-each with its own project plans and budget-is now maturing into a holistic strategy to better manage overall business and operational risks throughout the business. With that much spending on tap, it gets the attention of sellers and buyer alike.  But like any program, there are some obvious priorities.

The "big four" GRC priorities today, plus the upstart which portends significant change, are:

• Financial governance, aka Sarbanes-Oxley, makes up about 20 percent of total GRC spending, and remains an area of ongoing investment as companies strive for repeatability and cost-effectiveness. 

• Security and privacy concerns, stemming from a heightened awareness to protect all corporate assets and keep private all sensitive information about customers, employees, etc.  Publicly reported breaches in security have been front-page news for the last year.

• Risk management, be it operational, financial, IT, and/or enterprise-wide, has hit the mainstream as firms of all stripes now assess risk as part of ongoing business planning and execution. 

• Document and records retention, largely driven by regulation and judicial rulings for applicability of information as evidence in a court of law.  Legal risk around paper and electronic records and correspondence fosters standardized policy and enforcement across the enterprise.

• Looming large on the horizon, sustainability concerns are bringing green issues front and center in many companies to meet local, national, and customer-centered goals for environmental impact.

The Outlook

From Tactical to Holistic. Expected budget increases reflect a growing realization that GRC is not a flash in the pan, but a systemic change to how companies in all geographies manage, monitor, and control business activities. Suffice it to say, compliance concerns have been on the agenda for a long time. But the specter of increasing regulations-legislative-, customer-, or policy-driven-has forced a broader perspective on how best to master these requirements and not be a slave to them. The more mature a firm's approach is to GRC, the more risk-aware it becomes and the quicker it can incorporate new requirements cost effectively into standard operating procedures.