IT Brief UK - Technology news for CIOs & IT decision-makers
The Age of Capabilities: Evolution of GRC Technologies
Thu, 9th Feb 2023

Today, Governance, Risk and Compliance (GRC) covers the full breadth of constraints an organization must operate within to achieve its business objectives: staying compliant with the rules that apply to it while still performing at its best. But where did GRC come from, and where is it heading?

GRC as a discipline emerged in the wake of the Enron and WorldCom scandals. Poor accounting practices and deliberate bookkeeping to hide debt destroyed investor trust and led to the collapse of these two US giants in the energy and telecom sectors, respectively.

In response, Congress passed new legislation intended to stop similar financial crimes from recurring. The Sarbanes-Oxley Act of 2002 mandated specific practices in financial record keeping and reporting, and it is this legislation that turned Governance, Risk and Compliance into a recognized business need.

Failure to comply with the Act carried severe financial penalties, and the cost of staying compliant has itself become substantial. According to LexisNexis’ Global True Cost of Compliance 2022 report, the total projected annual cost of financial crime compliance across financial institutions worldwide was $213.9 billion, up from $180.9 billion the year before.

Companies came under ever more intense scrutiny to meet regulations or face heavy fines, and so a need grew for tools that could help them manage compliance as effectively as possible.

Compliance-focused tools

The first GRC products on the market were point solutions, focused specifically on financial controls and compliance with the Sarbanes-Oxley Act. At the time, GRC was an entirely new market with no established best practices or blueprint to follow.

This lack of standardized methodologies meant GRC tools concentrated almost entirely on the compliance element, rather than on the outcomes each individual organization actually needed. As point solutions, they could not address all three pillars of Governance, Risk and Compliance in equal measure.

These limitations exposed a gap in the market for enterprise-grade solutions that could support GRC across the whole business and be tailored to its needs. A point solution focused solely on compliance and financial controls did nothing for the many other risk and governance processes that organizations were still running in spreadsheets.

Product-focused tools

As organizations grew, they needed GRC solutions that matched the increasing complexity of their work. This drove demand for bigger, broader GRC platforms with low-code configuration tooling for managing policies, assessing risk and streamlining compliance.

The technology was adopted predominantly by large, typically publicly listed, organizations. However, the focus remained on implementing processes rather than on delivering outcomes.

As organizations continued to expand and become more complex, GRC implementation projects became notorious for never being seen through to completion. And what is the point of a GRC programme whose end goal is never realized?

Approaches needed to be standardized so that organizations had guidance on what best practice actually looked like.

By attempting to build products that matched the complexity of large organizations, the product-focused approach of GRC vendors at this time produced project failures, customer dissatisfaction and vendor frustration alike.

Software and domain expertise were also poorly aligned during delivery, so the promised outcomes never materialized. Consulting work was not tied to the software being deployed, and configuration of the software was not informed by the client's real requirements, leaving consulting engagements with little lasting effect.

Today’s solution: a capabilities-focused approach

Because GRC is so complex, it needs an agile methodology that combines software with domain expertise to target specific outcomes. This combination is what is meant by a ‘Capability’, and it is driving the future of GRC solutions.

There is a clear shift from project-based thinking to a longer-term mindset focused on outcomes rather than process. Software and domain expertise should not sit in separate silos; together they can inform decisions that deliver continued value.

Capabilities directly underpin outcomes

This kind of approach is essential if GRC solutions are to be adopted and embedded for the long term. It is in an organization’s interest to understand its requirements, objectives and desired outcomes upfront before implementing any enterprise GRC solution.

To deliver an organization's particular business outcomes, software and domain expertise must be fully aligned. Without the two working in harmony, the result is poorly adopted software and isolated consulting engagements, which expose the organization to substandard risk management and the possibility that its GRC and cybersecurity programmes fail.

Organizations that take a capabilities-focused approach to GRC see benefits well beyond ticking a compliance box. They begin to reduce risk across the organization, which directly reduces cost. They are better protected against adverse internal audit findings, financial penalties and litigation. And they improve the effectiveness of their leadership through good governance informed by a coherent GRC strategy.