Governance, Risk and Compliance (GRC) Reality Check with IDC


I dropped by the IDC Directions event today and saw two presentations. First up was Kathy Wilhide talking about Governance, Risk and Compliance or GRC as it is known. The GRC market has grown from a need for higher levels of confidence in financial and operational information. As compliance is not built into most existing operational systems and as it is too expensive to do manually a software market has been created.

This market has a focus on material weaknesses – significant deficiencies that make a real mistake likely – and increasingly on risk-based exception handling. Kathy sees a transition from compliance automation to the automation and management of high-risk operational processes, and from there to a GRC platform (or perhaps not, see below). The stage of compliant automation of operational processes is both where we are and an inflexion point – automation of high-risk processes offers an operational benefit as well as a compliance one. I completely agree with this; indeed, the ability of decision automation technologies to both improve a process and improve the demonstrability of its compliance is a key benefit. By controlling execution you get increased information integrity: no manual information gathering, integrated fraud detection, and control of the key operational processes.

Auditors are driving many projects these days, identifying the controls and errors that lead to risks. Hand-offs and manual processes (manual decisions) are what lead to most risks. Existing systems are often not configured to block basic fraud, for instance, leaving holes and manual checks everywhere. To me this shows the problem with most coding approaches: the business and audit professionals involved cannot really understand how the system works – something that could easily be addressed by the use of business rules technology to manage externalized decisions.

Anyway, Kathy went on to say that best practice is to ensure that systems of record automate repeatable processes, handle exceptions, and demonstrate compliance/support audit. With this approach a single point of control (a single decision that is managed) can be used to show compliance with many directives and regulations. Clearly EDM, with its focus on the management and automation of operational decisions using rules and analytics, is a great way to do this.

Kathy closed with some interesting points on the integration of performance management and risk (risk-adjusted performance management). All of this made me wonder if EDM could be a platform for GRC, and the interesting points Kathy brought up mean I will write a series of posts on GRC sometime in the next few weeks, so stay tuned.