Posted by: David Schneier
assessment, Audit, compliance, GRC, HIPAA, PCI, regulations, regulatory, Regulatory Compliance, risk, risk assessment, SOX
In early 2004 I co-authored my first Sarbanes-Oxley (SOX) controls framework for a client. Just about the entire thing required manual testing that, if everything worked as planned would require a full-time resource to support. About thirty seconds after submitting the framework draft to the client my in-box started filling up with all sorts of ticklers from software vendors promoting automated SOX testing. Anxious to identify efficiency’s to shorten the testing cycle I eagerly read through all of the offerings. It didn’t take long to realize that most of the products were either regurgitated Y2K scanning solutions retooled to use SOX-oriented terms or flat out security scanning software that addressed a relatively minor fraction of the testing required. The promise of automated testing was but an illusion because in the end even the best of breed would only reduce the workload just so much, a full-time resource would still be needed.
Now we have GRC software solutions that oddly enough promise to automate GRC-related tasks.
The first problem with any such assertion is that GRC is too broad a spectrum of activities and disciplines – most solutions are focused on addressing subsets therein. On one end you have the security-centric solutions, on the other end you have the risk-centric platforms and somewhere in the middle is a crowd of offerings that try and touch on everything but none particularly deeply. So the first thing a stakeholder needs to understand is what they’re looking to accomplish before they set out to select a product. You can select ten different GRC vendors and discover ten different interpretations of the discipline. And within those ten solutions there are vastly different approaches. Some are similar to ERP packages where their approach is somewhat hard-coded and you have to do things their way (or spend big bucks to customize). Some are remarkably configurable and can be made to fit your processes like a glove (but that requires a steep learning curve and expanded time frames).
The second problem is that because most vendors selling to the GRC market tend to use common terms their internal definitions can be quite different. Some solutions pitch risk assessments which are little more than questionnaires (e.g. very little to no risk-related elements such as inherent and residual risk) whereas others provide questionnaires that are absolutely risk assessments but only appear as such upon inspection. If you’re looking for a true risk-oriented solution you might go with the former when it’s the latter you truly need. But the terminology is so similar it’s hard to differentiate and the only way you’ll get to realizing that is after you take the software out for a test drive, not something every vendor is willing to provide (and I’m not talking about a two hour demo, I’m talking about a true trial period). You think you’re comparing apples to apples and it may turn out that you were comparing apples to car batteries without knowing it.
The third problem is that after a while it’s easy to become snow-blind during the selection and evaluation process. Because of the common language, because of apparently similar functionality you start looking for factors unrelated to what you really need to focus on as a way to separate out the solutions from one another. You’ll consider solutions as prequalified because a competitor is using it thinking that their needs are similar to yours. But they may be focused on information security activities where your institution is looking for automated risk assessment capabilities. You’ll start shopping on price and contract terms thinking that competing solutions are so similar it really comes down to who offers the best deal. But software vendors usually know their market and the correct price points based on what their solutions offer – if two or more products appear evenly matched on functionality but one is much cheaper there’s usually a reason. The more expensive solution may come pre-loaded with all the related content you’ll need to effectively use it whereas the cheaper solution might require you to obtain your own licenses. It’s not intentionally misleading but that’s a detail easy to overlook during the vetting process.
GRC is an awesome concept working towards one day becoming an awesome discipline but it’s not quite there just yet (a point I routinely beat to death, I know). It’s spread out too far and wide and depending on who you’re talking to about it can get widely (if not wildly) varying definitions of what it is. So it’s no wonder that trying to find an automated GRC solution is equally challenging, the vendors are trying hard to figure out what nail to hammer as well. They all do some things remarkably well but at the expense of doing some things either partially or not at all. Thus the reason that it’s not uncommon in larger companies to find multiple GRC solutions installed; different business functions have unique needs and they purchase whichever is closest to meeting those needs. It’s an expensive approach but for the foreseeable future an necessary evil.
I think we’re getting closer to a point in time where a common dialogue will be accepted by the audit and compliance community. The OCEG folks have poured the foundation and it just needs a little more time to harden in terms of broad acceptance. When I see their content displayed prominently next to all the COBIT binders at my clients I’ll know that time has come. I predicted in 2007 that once we’re in the midst of a full-blown economic recovery GRC will quickly rise in prominence due to increasing regulatory pressures, almost identical to the way COBIT soared into the forefront of the industry fueled by SOX. I see no reason to alter that prediction, I’m just not sure when the recovery will officially begin.
In the meantime keep participating in the dialogue, keep trying to define what GRC means to you and to your organization and every now and again share those ideas with some of the decision makers who are shaping the discipline, they need to hear from everyone as they mature the thing. As long as we in the audit and compliance domain keep moving things forward we’ll get GRC to where we need it to be, I’m certain of it.