I attended a panel discussion moderated by James Roeske of Savera yesterday, Jumpstart Day of GRC 2010. James led into the panel with an explanation of where he sees the GRC space today, based on his work at more than 160 companies.
As does almost anyone who works in GRC, James noted that companies are at varying levels -- some still simply working on compliance, others who have their controls and roles in order and spend their time focusing on continuous compliance and optimizing their processes.
One interesting point he brought up was a downfall that many companies face: an unwillingness to change business processes. He explained how companies are used to inefficient processes and try to spend lots of time -- and money -- ensuring that these processes are compliant with a given regulation or are not producing segregation of duties issues. But if they'd just be willing to reconsider the way the company works and who is involved in each process, they might not have quite so many problems in the first place.
The panel -- featuring representatives from Philips, REPSOL, Petrobras, and Sara Lee -- was also enlightening in showing how real companies were using their systems. The focus was on the components of SAP BusinessObjects Access Control, and even though the people in attendance were at various stages -- most used RAR and SPM, about 1/3 used CUP, but fewer used ERM -- the insights from real companies were helpful. Of particular note was making the business case for the implementation in the first place -- one company was so insistent on getting compliant that no case was needed at all, while the others needed varying degrees of meetings and reports to convince the C-level of its necessity.