Governance, Risk and Software Compliance (GRC)

June 21, 2018

Governance, Risk and Software Compliance (GRC) – Current Needs & Business Trends

*By Umberto Rosti

GRC is a composition of the terms Governance, Risk & Compliance: the integration of the risk management, corporate governance, auditing and controls-enforcement knowledge areas, managed centrally within the organization, to ensure compliance with laws, regulations and standards.

Achieving a holistic view of risk and compliance is a real problem, and the difficulty of doing so is often recognized as a weakness in many organizations.

As an organization advances in the development of its risk management, internal audit and compliance practices, a new question arises:

Have we invested in an automated GRC solution to further improve controls?

There is a real need for greater transparency toward the board and shareholders, and not investing in an automated solution leads to an approach that is “spread out” across the organization. Different governance, risk management and control practices often duplicate the approach taken in other areas, which can lead to a loss of performance and productivity and even to poor management of financial resources.

The need for greater efficiency will come sooner or later.

Tools for governance, risk and compliance functions

The primary goal of having GRC software is to automate much of the work associated with documentation, risk management reporting, and compliance activities that are most associated with corporate governance and business objectives.

Key end users include internal auditors and audit committees, risk and compliance managers, and responsible executives.

The main functions of GRC software:

  • Audit management functions that support auditors in managing working documents and in scheduling audits, time management and reporting tasks;
  • Policy management features that include a form of document management supporting a policy lifecycle from policy creation to policy review, change and archiving; policy mapping to business mandates and objectives in one direction and to risks and controls in the other; and distribution to, and attestation by, employees and business partners;
  • Compliance management functions that support compliance professionals with objective documentation, workflow, reporting and control visualization, associated controls and risks, surveys and self-assessments, testing and remediation. At a minimum, compliance management covers financial reporting compliance (e.g. SOX), but it can also support other types of compliance such as industry-specific regulation (e.g. ISO 9000) and compliance with internal policies;
  • Risk management functions that support risk management professionals with workflow documentation, risk assessment and analysis, visualization and remediation reports (as defined in ISO 31000). This component generally focuses on risk and incident tracking, but it can also collect data from risk analysis tools (credit risk, market risk, etc.) and provide a consolidated view of risks.

The GRC Software Market: The Business Need

Most organizations are aware of the need for significant improvement in the way they manage their risk, internal audit and compliance functions through better data and information automation.

The need for a GRC technology solution is evident, but the question remains: which technology tool can provide the appropriate solution?

Among the key concerns addressed, perhaps the most important is the ability of organizations to easily upgrade or revise their risk technology systems: having the ability to adapt to changing regulatory requirements, as opposed to the lack of flexibility to extend current systems. Related to this issue is the lack of integration between systems and the inability to consolidate risk analysis across multiple risk systems; many organizations maintain different information systems for specific products or geographies, sometimes as a result of past acquisitions, and these can be difficult and expensive to combine or to replace with a new system.

In addition, the pace of regulatory change has put a premium on the ability of organizations to respond quickly to new requirements.

But the most pressing business need relates to the quality of risk data and its management. Creating consistent data standards is a challenge for organizations, which often generate data in multiple locations with incompatible data formats. Further, departments within an organization may not realize that they both have a relationship with the same counterparty, because each may be doing business with a different business unit or subsidiary of it.

The GRC Software Market: A Market Overview

The GRC market, as defined by the technology industry, is about 10 years old.

So far, from a technical perspective, organizations have generally opted for in-house installed risk management systems, but today some organizations prefer third-party vendor applications installed in-house or, less often, third-party vendor applications hosted by another vendor.

Currently the GRC software market is dominated by a few major vendors: IBM, RSA Archer, MetricStream, Thomson Reuters, SAP and Oracle.

Key trends affecting the GRC software market:

GRC software functions are evolving based on a number of trends, including:

  • An increasing need for internal audit capabilities as organizations face growing regulatory requirements, GRC oversight, and demands for more business performance audits.
  • An increasing need for regulatory content services and change management to address proliferating regulations. In the aftermath of the 2008 global financial crisis, GRC must support regulators' transparency goals and decision-making by business leaders. Currently, the software's regulatory focus is on fighting corruption and bribery.
  • The development of risk analysis to support the integration of risk management and performance management.
  • The emergence of third-party risk management to ensure that third parties do not introduce unacceptable compliance and risk exposure.
  • A focus on operational technology and critical infrastructure protection, which increases the range and volume of risk and control data (“big data” management).

SAFEWAY Approach: A Holistic View of GRC Software

Safeway is positioned with the ultimate goal of being an advanced, comprehensive and reliable partner for GRC solutions, holding an unbiased and vendor-agnostic view of today's technology market.

Its main mission is to find the best solution for its customers.

The process of selecting the best solution covers several phases, such as an in-depth analysis of the customer's business needs and context, a clear understanding of its current IT environment, pricing negotiations with the vendor, and so on.

All aspects are evaluated in our approach, but integration is the main one to note in the current and future situation of implementing GRC software, essentially because decision making needs to be integrated within organizations. Integration is the essence of GRC, and SAFEWAY, through its methodology, makes the best recommendation for its customer.

* Umberto Rosti is CEO of Safeway.


[SAFEWAY] is a company widely recognized as a provider of premium Information Security and CyberSecurity solutions. Its extensive portfolio includes several solutions, among them platform-based ones:

● Archer by RSA Security, considered by the Gartner and Forrester institutes and by the market itself to be the most complete process integration solution for Governance, Risk Management, Compliance and Business Continuity Management;

● [SAFEWAY] Security Tower, supported by IBM QRadar (Watson technology), tailored to each organization's security and cyber defense management needs;

● And others, involving technologies from Imperva, Thales, BeyondTrust and WatchGuard Technologies.

We await your contact: [email protected]
