Top 10 Governance, Risk, Compliance Tech Spending Priorities - InformationWeek


06:00 AM
Susan Nunziata

Top 10 Governance, Risk, Compliance Tech Spending Priorities

Does your IT strategy encompass all aspects of governance, risk, and compliance?


The top 10 IT spending priorities for governance, risk, and compliance could serve double duty as a list of the fears that keep IT executives awake at night. Yet most organizations still use 1990s technology to handle their GRC needs, according to a survey released in May by the nonprofit Open Compliance and Ethics Group (registration required).

More than half (53%) of the 237 respondents to the OCEG survey said their organizations use mainly spreadsheets, emails, and documents to handle GRC. The rest use an internally developed GRC application (17%), a single commercial GRC application (24%), or two or more commercial GRC applications (6%).

GRC is practically an industry unto itself. US federal agencies, for example, publish an average of 14.7 final rules and 9.4 proposed rules each workday, according to Osterman Research. Then there are industry-originated compliance programs such as PCI DSS, which binds any organization that stores, processes, or transmits payment card data, not only retailers. And every company needs quick access to its data for e-discovery in the event of a lawsuit.


The OCEG survey reveals just how scattered GRC duties are across organizations, making it hard for IT to create a tech roadmap that serves all departments. Consider the roles and departments of survey respondents:

  • Risk management: 25%
  • Audit: 22%
  • Corporate compliance/ethics: 21%
  • Other GRC roles: 32%. This category alone includes IT (9%); centralized GRC group/architecture (5%); security (5%); business management/executive (5%); business operations/logistics (2%); finance/accounting (2%); and vendor/supplier management, research, corporate social responsibility, and legal (4%).

Slightly less than half the respondents (46%) said their GRC technology is well utilized, while 51% said it's underutilized, and 3% were unsure. The vast majority (81%) of GRC applications used by survey respondents are either focused on a single department's needs or designed to resolve a specific GRC issue. As such, they're generally not integrated with other GRC applications.

The OCEG offered a choice of 27 categories of GRC technologies and asked respondents to identify their priorities (multiple responses were allowed). The following categories topped the final list.

Table 1: Top 10 GRC Technology Spending Priorities

  GRC category                     Percent of respondents
  Risk management                  33%
  Compliance management            30%
  Audit management                 23%
  Automated controls               21%
  IT risk and security             21%
  Policy and training management   19%
  Business continuity              12%
  Reporting and disclosure         12%
  Third-party management           10%
  Fraud and corruption             10%

Source: 2014 OCEG GRC Technology Strategy Survey (multiple responses allowed, so percentages do not sum to 100)

GRC technology decisions are made at an enterprise level and span departments, according to 44% of the respondents to the OCEG survey. Another 35% say those decisions span multiple departments but haven't quite reached the enterprise level. For 10% of respondents, GRC technology decision making is left to a single department, while 3% said it's a group decision focused on a specific issue, and 8% were unsure.

Spending on GRC technology will increase this year for the organizations of 64% of the survey respondents, while 22% said their spending will remain flat, and 14% plan to decrease their GRC spending.

So where does IT fit into this picture? The OCEG advises IT leaders to:

  • Find and bring together all the stakeholders in your company involved in GRC.
  • Form a leadership team that can identify all your company's needs based on its GRC objectives and obligations.
  • Examine the common processes that GRC stakeholders must execute, including risk assessment, control design, policy creation and dissemination, training, surveying, hotline/helpline intake, control monitoring, process assessment and audit, and case management.

IT should then work with this group to identify the following GRC needs.

  • Data and information: Who needs to know what and when? How should information be stored, backed up, and secured?
  • Process and transaction: Which specific GRC processes and transactions, such as filing reports and processing complaints, must be facilitated and streamlined? How can the company get rid of inefficient, ineffective, and error-prone manual processes?
  • Control and monitoring: Which preventive controls (those that block a risky action before it completes, such as segregation-of-duties checks in an approval workflow) and detective controls (those that flag it afterward, such as a review of access logs) should be put in place to address risks? Which of these controls should be automated? How can the company automatically monitor those controls? How can the company test those controls and record that the testing was completed, so the evidence exists when an auditor asks for it?
  • Documentation and systems of record: Every organization needs a system of record for data and other evidence that demonstrates that it's doing the right thing, especially in the area of compliance.

The OCEG advises organizations to then take an inventory of the people, processes, and technology currently in place, as well as the vendors being used, and identify GRC needs that aren't being met.

    Then, IT and [other GRC stakeholders] can work together to enhance the enterprise architecture to address these needs. These changes could include using existing technology differently to turn available data into GRC-ready information, as well as building or buying new GRC-specific components, such as risk and control-mapping software.

How does your IT organization handle (or avoid) GRC management challenges? How involved are you in making GRC technology decisions for your company? Which, if any, of the steps outlined above is your company already taking? What other advice do you have for IT pros dealing with GRC? Tell us all about it in the comment section below.


Susan Nunziata leads the site's content team and contributors to guide topics, direct strategies, and pursue new ideas, all in the interest of sharing practicable insights with our community. Nunziata was most recently Director of Editorial for, a UBM ...
User Rank: Strategist
6/25/2014 | 3:47:10 PM
Re: Those Pesky Stakeholders
@Curt: Ah, yes, in an ideal world...

I'm sure you've nailed exactly why the CIO probably keeps his or her distance when it comes to helping make technology decisions that can improve GRC management in an organization. Thing is, GRC really extends to every corner of the organization, and at the moment most organizations handle it on a dept. by dept. basis. The CIO does have a role to play in helping to shape a more strategic, holistic approach, and would probably do well to start by convincing the CEO that this is needed, rather than trying to work the problem from the ground up.
User Rank: Strategist
6/25/2014 | 3:44:20 PM
Re: The role of the CIO
@Scott: Figuring out where the CIO fits in is exactly the challenge here. As the survey results show, only 9% of respondents were CIOs, yet we're talking about technology decisions that could dramatically improve a company's GRC position. While the CIO alone cannot make these decisions, the CIO can and should, in my opinion, take a more active role in helping guide GRC purchasing decisions and help figure out better ways to manage GRC needs. Letting GRC stakeholders rely on spreadsheets and word documents is downright dangerous and could be extremely costly for an organization.
User Rank: Strategist
6/20/2014 | 11:08:03 AM
The role of the CIO
Susan: I read your article but I didn't see where someone like the CIO fits in? Should an issue like compliance be the responsibility of the CIO, is that the best use of his or her time? How much of the legal department should be involved? Or do you need a team of tech, legal, and other major stake holders to get this to work? Should you hire a consultant instead who has expertise in this field?
Curt Franklin
User Rank: Strategist
6/20/2014 | 10:53:37 AM
Those Pesky Stakeholders
It seems to me that the hardest part of the suggested practice is figuring out precisely who "all the stakeholders" are. In an organization of any size, about the time you have your third meeting someone's going to pop up and say, "Wait -- I play a vital role in this process and what you're doing is all wrong!" I have to believe that some sort of formal notification and comment process should be internally published: If a stakeholder ignores the announcements about the process and doesn't deliver comments during the proper period, then they get to adapt what they're doing to the new process, regardless of their caterwauling.

Yeah, no politics wrapped up in that, at all.