The Transformation of GRC Technologies: The Age of Capabilities

By Nick Rafferty, CEO at SureCloud
Published on 24th Jan 2023


The GRC industry is changing


Today, Governance, Risk and Compliance (GRC) covers the full set of constraints an organization must operate within to achieve its business objectives: not only staying compliant, but also performing at its best. GRC strategies must therefore accommodate more than compliance alone, and the popular GRC software products now form only one part of a comprehensive GRC approach.

But what are its origins, and what does the future hold for GRC? 

The concept of GRC emerged in the wake of the Enron and WorldCom scandals. Poor accounting practices and deliberate bookkeeping to hide debt breached investor trust and led to the collapse of these two US giants in the energy and telecom sectors, respectively.

In response, Congress passed new legislation intended to prevent similar financial crimes from happening again. The Sarbanes-Oxley Act mandated specific practices in financial record keeping and reporting, and this spawned the concept of Governance, Risk and Compliance as a business need.

 

Failure to adhere to the terms of the Act carried severe financial penalties, and meeting them was itself expensive. According to LexisNexis’ Global True Cost of Compliance 2022 report, the total projected cost of financial crime compliance across financial institutions worldwide was $213.9 billion for the year covered, up from $180.9 billion the year before.

Companies found themselves under increasingly intense scrutiny to meet regulations, under threat of huge fines, and so a need grew for innovative solutions that would help them manage compliance as effectively as possible.

 


Compliance-focused tools

The first GRC products on the market were point solutions, focusing specifically on financial controls and compliance with the Sarbanes-Oxley Act. At this time, GRC represented a completely new market with no ‘best practices’ or ‘blueprint’ to follow.

 

Without standards or established methodologies, these tools concentrated on the compliance element alone and offered no outcomes tailored to the individual organization. In that sense the point solutions were limited: they could not serve all three pillars of Governance, Risk and Compliance in equal measure.

These limitations exposed a gap in the market for enterprise-grade solutions that could support GRC right across a business with more bespoke services. A point solution built for compliance and financial controls could not replace the other GRC processes, such as risk assessment and policy management, that organizations were still running in spreadsheets.

Product-focused tools

As organizations grew, they needed a GRC solution that matched the increasing complexity of their work.

 

There was a requirement for bigger, better GRC platforms with low-code configuration tooling, useful for managing policies, assessing risk and streamlining compliance. The technology was used predominantly by large, typically publicly listed, organizations. However, the focus on process implementation continued to take precedence over outcomes.

As organizations kept expanding and becoming more complex, GRC implementation projects became notorious for never being seen through to completion. And what is the point of implementing a GRC programme if the end goal is never realized?

 

There was a need to standardize approaches to guide organizations in what ‘best practice’ actually was.

 

By attempting to create a solution that matched the complexity of large organizations, the product-focused approach of GRC providers at this time resulted in project failures, leading to both customer dissatisfaction and vendor frustration.

Software and domain expertise were also imperfectly aligned during delivery, so the promised outcomes went unfulfilled. Inefficient implementation exposed sub-optimal processes in which the client’s existing provisions were never connected to the GRC software, which ultimately left the consulting engagements with nothing lasting to show.

Today’s solution: a capabilities-focused approach

Due to the complexity of GRC, there is a need for an agile methodology that uses software and domain expertise to target outcomes. We call this a ‘Capability’; it is driving the future of GRC solutions.

 

There is a clear shift from project-based thinking to a longer-term mindset: focusing on outcomes instead of processes. Software and domain expertise should not be siloed; instead, they can work together to make decisions that equate to continued value.

 

Capabilities directly underpin outcomes.

 

This type of approach promotes longer-term adoption and embedding of GRC solutions. It’s in an organization’s best interests to understand requirements, objectives, and outcomes upfront when implementing any enterprise GRC solution.

 

To deliver unique business outcomes, software and domain expertise must be fully aligned. With the two working in harmony, an organization avoids poorly adopted software and isolated consulting engagements, both of which leave it with substandard risk management processes and the possibility of GRC and cybersecurity programme failure.

Organizations that take a capabilities-focused approach to GRC are instead seeing a range of benefits.

Far from ticking a box for compliance, these businesses begin to see risk reduced across the organization, which directly reduces cost. They are better protected against unfavorable internal audits, financial penalties and litigation, and they can improve the effectiveness of leadership through good governance informed by their GRC strategy.

SureCloud’s GRC Capabilities

SureCloud’s range of GRC Capabilities integrates robust GRC software with industry-leading expertise and services. We provide our clients with the flexibility, ease of configuration, and reliability needed to navigate today’s Governance, Risk, and Compliance challenges. 

 

Get in touch to learn more about how your organization can benefit from incorporating a Capability-based GRC model.
