Integrated platforms help financial firms with governance, risk and compliance efforts: The big picture
There are literally dozens of vendors with viable GRC platforms, and several large companies such as EMC and IBM entered the market through acquisition in recent years, McClean says.
EthicsPoint, which started 10 years ago with a Web-based whistleblower hotline solution to help firms meet Sarbanes-Oxley provisions, has expanded its offerings to include a broader range of GRC initiatives. "We are seeing customers take more of an enterprise approach," says Bill Piwonka, VP of marketing. "The really sophisticated financial firms with enterprise compliance and risk systems are still in the minority, but more are waking up to the fact that they need this functionality."
EthicsPoint's customers are starting to put report collection processes in place using a central repository. "That allows people to analyze it for trends," Piwonka says. EthicsPoint offers customers a Visualization Manager tool that brings together governance, risk and compliance-related data points from across an organization and displays them on a dashboard. "You might see that in terms of financial risk, your Chinese subsidiary holds the most risk, and you could put more effective controls in place there," Piwonka explains. "This helps you get in front of the issue."
Vendors in this space still have some work to do. "A lot of users are growing uneasy with these tools," Wheeler says. Big software players got involved with Sarbanes-Oxley in 2004 and 2005 but then didn't mature products rapidly enough, according to Wheeler. "The software isn't intuitive enough or built into workflows," he says. "It is seen as a bureaucratic add-on and not part of their jobs. It needs to be better integrated with the applications they use to do their jobs every day."
Forrester's McClean says the systems must be adaptable in order to be acceptable to customers in this field. "When we ask what they like and don't like about these systems, flexibility is always the first thing mentioned," he says. "If they like it, it is because it is flexible with internal systems, workflows and specific reporting requirements. When they hate it, it is not flexible enough."
One mistake Wheeler sees executives make is leading with the software as a focal point and then painting themselves into a corner with it. "The software is a tool, an enabler," he says. "The real work is in developing dialog and communications."
The new regulatory requirements of legislation such as Dodd-Frank bring attention to GRC, and that is good, but focusing just on regulatory compliance may not be the best approach. "GRC should not be reactive," McClean says. "It should focus on the benefits of streamlining processes."