Top 10 Governance, Risk, Compliance Tech Spending Priorities

Does your IT strategy encompass all aspects of governance, risk, and compliance?

Susan Nunziata, Editorial Director

June 19, 2014

4 Min Read

10 Powerful Facts About Big Data

10 Powerful Facts About Big Data

10 Powerful Facts About Big Data (Click image for larger view and slideshow.)

The top 10 IT spending priorities for governance, risk, and compliance could serve double duty as a list of the fears that keep IT executives awake at night. Yet most organizations still use 1990s technology to handle their GRC needs, according to a survey released in May by the nonprofit Open Compliance and Ethics Group (registration required).

More than half (53%) of the 237 respondents to the OCEG survey said their organizations use mainly spreadsheets, emails, and documents to handle GRC. The rest use an internally developed GRC application (17%), a single commercial GRC application (24%), or two or more commercial GRC applications (6%).

GRC is practically an industry unto itself. US federal agencies, for example, publish an average of 14.7 final rules and 9.4 proposed rules each workday, according to Osterman Research. Then there are industry-originated compliance programs such as PCI in retail. And every company needs to have quick access to data for e-discovery in the event of a lawsuit.

[If your company hasn't yet faced a software audit, it will. Here's how to prepare. Prepare To Be (Software) Audited.]

The OCEG survey reveals just how scattered GRC duties are across organizations, making it hard for IT to create a tech roadmap that serves all departments. Consider the roles and departments of survey respondents:

  • Risk management: 25%

  • Audit: 22%

  • Corporate compliance/ethics: 21%

  • Other GRC roles: 32%. This category alone includes IT (9%); centralized GRC group/architecture (5%); security (5%); business management/executive (5%); business operations/logistics (2%); finance/accounting (2%); and vendor/supplier management, research, corporate social responsibility, and legal (4%).

Slightly less than half the respondents (46%) said their GRC technology is well utilized, while 51% said it's underutilized, and 3% were unsure. The vast majority (81%) of GRC applications used by survey respondents are either focused on a single department's needs or designed to resolve a specific GRC issue. As such, they're generally not integrated with other GRC applications.

The OCEG offered a choice of 27 categories of GRC technologies and asked respondents to identify their priorities (multiple responses were allowed). The following categories topped the final list.

{Table 1}

GRC technology decisions are made at an enterprise level and span departments, according to 44% of the respondents to the OCEG survey. Another 35% say those decisions span multiple departments but haven't quite reached the enterprise level. For 10% of respondents, GRC technology decision making is left to a single department, while 3% said it's a group decision focused on a specific issue, and 8% were unsure.

Spending on GRC technology will increase this year for the organizations of 64% of the survey respondents, while 22% said their spending will remain flat, and 14% plan to decrease their GRC spending.

So where does IT fit into this picture? The OCEG advises IT leaders to:

  • Find and bring together all the stakeholders in your company involved in GRC.

  • Form a leadership team that can identify all your company's needs based on its GRC objectives and obligations.

  • Examine the common processes that GRC stakeholders must execute, including risk assessment, control design, policy creation and dissemination, training, surveying, hotline/helpline intake, control monitoring, process assessment and audit, and case management.

IT should then work with this group to identify the following GRC needs.

  • Data and information: Who needs to know what and when? How should information be stored, backed up, and secured?

  • Process and transaction: Which specific GRC processes and transactions, such as filing reports and processing complaints, must be facilitated and streamlined? How can the company get rid of inefficient, ineffective, and error-prone manual processes?

  • Control and monitoring: Which preventive and detective controls should be put in place to address risks? Which of these controls should be automated? How can the company automatically monitor those controls? How can the company test those controls and document that the testing was completed?

  • Documentation and systems of record: Every organization needs a system of record for data and other evidence that demonstrates that it's doing the right thing, especially in the area of compliance.

The OCEG advises organizations to then take an inventory of the people, processes, and technology currently in place, as well as the vendors being used, and identify GRC needs that aren't being met.

  • Then, IT and [other GRC stakeholders] can work together to enhance the enterprise architecture to address these needs. These changes could include using existing technology differently to turn available data into GRC-ready information, as well as building or buying new GRC-specific components, such as risk and control-mapping software.

How does your IT organization handle (or avoid) GRC management challenges? How involved are you in making GRC technology decisions for your company? Which, if any, of the steps outlined above is your company already taking? What other advice do you have for IT pros dealing with GRC? Tell us all about it in the comment section below.

IT leaders who don't embrace public cloud concepts will find their business partners looking elsewhere for computing capabilities. Get the new Frictionless IT issue of InformationWeek Tech Digest today (free registration required).

About the Author(s)

Susan Nunziata

Editorial Director

Susan Nunziata leads the site's content team and contributors to guide topics, direct strategies, and pursue new ideas, all in the interest of sharing practicable insights with our community.
Nunziata was most recently Director of Editorial for, a UBM Tech community. Prior to joining UBM Tech, Nunziata was Editorial Director for the Ziff Davis Enterprise portfolio of Websites, which includes eWEEK, Baseline, and CIO Insight. From 2010-2012, she also served as Editor in Chief of CIO Insight. Prior to joining Ziff Davis Enterprise, she served as Editor in Chief of Mobile Enterprise from 2007 to 2010. A frequent public speaker, Nunziata has entertained audiences with compelling topics such as "Enterprise Mobility" and "The Multigenerational Workforce." She even managed to snag invitations to speak at the MIT Sloan CIO Symposium – not once, but twice (and those folks are smart). In a past life, she worked as a lead editor for entertainment and marketing publications, including Billboard, Music Business International, and Entertainment Marketing Letter.A native New Yorker, in August 2011 Nunziata inexplicably picked up stakes and relocated to the only place in the country with a higher cost of living: The San Francisco Bay Area. A telecommuter, her office mates are two dogs and two extremely well fed cats. She holds a Bachelor's degree in Journalism from St. John's University in Jamaica, N.Y. (and she doesn't even watch basketball).

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights