Governance, Risk, Compliance — and Reward

by Joshua Greenbaum

July 1, 2008

One of GRC’s most dramatic benefits comes from measuring and monetizing the risk profile of companies as they work to manage risk in increasingly complex business environments.

I’ve always been suspicious of three-letter acronyms or (what else?) TLAs. These abbreviations are simply a shortcut to market confusion. The more that vendors hang their hats on ERP, CRM, SCM, and the like, the more analysts are left to unravel the confusion behind their meaning — and grasp the reality of what vendors are delivering and customers are actually deploying. While that unraveling can be financially rewarding for some analysts, there are better ways to spend their time than translating confusing TLAs into reality.

I finally found a TLA that I liked, though, when governance, risk, and compliance (GRC) showed up.

Regulation and Compliance Before GRC

I had struggled for years to categorize a slew of solutions, all dedicated to finding and fixing problems in the enterprise — problems that cost companies money and put partnerships and customer satisfaction at risk. Most problems were “analytical” in nature, but that moniker did little to define the value that these new applications were delivering to the enterprise.

I also found financial compliance solution rollouts deathly boring, particularly those targeted at meeting the regulatory requirements of the Sarbanes-Oxley Act. In addition to the somewhat suffocating nature of that compliance regime, companies found not much financial gain to be had from Sarbox compliance.

So, just as things were getting dull for compliance, GRC showed up on the heels of SAP’s acquisition of Virsa, and the enterprise software market hasn’t been the same since. Not only has SAP’s own GRC growth vastly outstripped overall market growth, but the industry as a whole has benefited from a new kind of thinking about the role of enterprise software in the time-honored process of keeping revenue from leaking out the back door — or ending up in someone else’s quarterly report.

The Payoff of Risk Management

What I like about GRC is the potential for a real upside, above and beyond the “keep your CEO out of jail” benefits of compliance. That upside comes not just from battening down the hatches, but from creating new ways to take good risk management and governance to the bank (literally, in some cases).

The most dramatically different upside that GRC offers comes from monetizing changes in the risk profile of companies as they work in increasingly complex and risky business environments. Take manufacturing, for example. In today’s global market, companies face a dual challenge in balancing the needs of just-in-time and lean manufacturing against an increasingly extended and fragile supply chain. On one hand, these needs demand extremely close coordination among various stakeholders (manufacturers, suppliers, logistics providers, and retailers). On the other hand, these stakeholders must also function efficiently and effectively despite time zone differences, weather, geo-political upheaval, acts of nature, and, yes, acts of human incompetence.

Against this complexity and uncertainty, companies across this extended supply chain are exposed daily to high levels of risk: New product introductions can literally break a company if production cannot meet demand, contaminated supplies can destroy a company’s brand, and delays in shipments can entail penalties up and down the supply chain.

Putting a Dollar Value on Lowering Risk

What if a comprehensive GRC system were put in place, along with strong risk management practices, so that the system could identify risk (before it has an impact), and suggest remedial solutions that minimize supply chain interruptions? What if someone could help better guarantee on-time fulfillment and on-time production, as well as improved quality and customer satisfaction?

I asked several large high-tech manufacturers these questions recently, and the answers I heard showed that GRC is ultimately headed in a very interesting direction indeed.

The manufacturers I talked with all told me that if they could guarantee a stronger supply chain — with better second sourcing and other means to correct supply interruptions — they could lower the amount of insurance that they are required to carry on their supply chain operations.

The equation was simple: If the risk profile of the supply chain was demonstrably lower, the manufacturers could go to their insurers and demand (and receive) lower premiums, as well as reduce their overall operational costs, improve their time to market, and increase customer satisfaction.

The Competitive Advantage

Global trade logistics is another area where there are direct revenue benefits to be had. Manufacturers in developing countries often take out loans to pay for the production runs that fulfill the demand of their large customers — the global retailers and OEMs who increasingly outsource manufacturing to developing countries. The outsourced manufacturers that are supplying customers could use a GRC-aware logistics service to demonstrate that they can fulfill their orders more quickly and with less risk than competitors who cannot effectively manage the risks as they ship products to a retailer’s shelf in North America.

A company applying GRC to logistics can take the results right to the bank: Armed with proof that the risk of not meeting their contract’s terms and conditions is significantly lower, a manufacturer could get more favorable terms on the loans needed to pay production costs. Those better loan terms go straight to the bottom line, adding to the impact of GRC on business operations.

Don’t Miss the Big Returns of GRC

These are but two examples of what will become a huge aftermarket for GRC, defined by monetizing the effects of having a lower risk profile. All sorts of monetary interactions that include a risk “premium” — service level agreements, supplier contracts, and many aspects of business-to-business relations — will benefit from GRC in this way.

Direct monetary gain, as well as the harder-to-quantify benefits, like improved customer satisfaction and better time to market, will become prime reasons for implementing GRC.

Right now, the main barrier to achieving the benefits of GRC comes from the scope of the typical GRC project: local, departmental, and specific to an individual risk. These smaller projects have their own ROI, but those gains don’t compare to the overall return that can come from implementing a broad-based GRC solution. A GRC vision that looks at risk management as a multi-level process will truly maximize this aftermarket effect.

And while it makes sense to start GRC projects where the greatest pain lies, it’s important to plan for realizing the greatest gain. GRC shouldn’t just be about keeping the company out of trouble — it can support an upside whose scope is only just now being understood. It’s nice to have a TLA that means something positive, for a change.

Joshua Greenbaum is a market research analyst and consultant specializing in the intersection of enterprise applications and e-business. Greenbaum has more than 15 years of experience in the industry as a computer programmer, systems analyst, author, and consultant. Before starting his own firm, Enterprise Applications Consulting (, he was the founding director of the Packaged Software Strategies Service for Hurwitz Group. You can reach him at
