GRC Predictions for 2009

Published: January 6, 2009 | (1) Comment

By: Sumner Blount

What can you expect for GRC in 2009? Sumner Blount shares his thoughts on four key trends he anticipates will drive the GRC market this year.

Now that most of us have recovered from our New Year’s hangovers, and we are all still recovering from our 2008 financial hangovers, it’s a good time to look into the old GRC crystal ball for some 2009 predictions.  Hopefully, these predictions will turn out to be much more accurate than the 2008 stock market predictions that were issued a year ago.

Your crystal ball may have more clarity than mine….if so, please offer your own thoughts on this topic either as a comment to this posting, or if you prefer, a direct email to me.

As I mentioned in my previous post on the GRC trends we saw in 2008, this was an exciting year for GRC.  As the financial crisis continues and companies adapt their governance efforts to attempt to reduce their overall enterprise risk, we expect the importance of GRC to increase in the coming year.  Specifically, I can envision the following general trends over the next twelve months:

1.  Risk will continue to grow in importance. 

This will be due partly to the likely continued occurrence of major security breaches that significantly impact corporate reputation.  In addition, most companies are obviously putting increased emphasis on risk management activities as a result of the impact of the current financial crisis.  But, another driving factor is the increasing emphasis on risk management within Standard & Poor’s corporate evaluations (check out a recent blog post on this topic here).  Companies feel, rightly or wrongly, that an improved S&P rating can have important financial benefits for them, and improved risk management is a good way to improve their ratings.

As part of this effort, companies will likely begin to adopt the new Information Security Risk Assessment Guidelines in ISO 27005:2008, which will encourage them to integrate IT risk into existing regulatory & control frameworks.

In addition to putting more emphasis on risk management, most companies will begin to make it more strategic, and less purely tactical.  Risk management activities will shift from after-the-fact (what do we do to mitigate the risk of the decision we just made) to an integral strategy component that is evaluated up front.

2.  Risk and compliance initiatives will continue to be consolidated. 

Many companies have focused on compliance over the past two or so years.  The current environment will, as discussed above, cause an increased emphasis on risk management.  But, the trend towards consolidation of risk management and compliance activities will continue, as companies start to reap the benefits of a unified approach to GRC, and their success stories start to be communicated to similar companies across industries.  It’s way too early to declare the “end of silos,” but I think integration of these efforts will continue during 2009.

3.  A shift in how risk is perceived and categorized. 

There have been many different taxonomies of “risk” by various analysts and industry groups, many of which define categories of risk that are markedly different from each other.  Over time, this somewhat artificial delineation of risk will tend to decrease, especially as the interdependency of risk becomes more apparent.  I believe that the risk categories of credit, market and operational risk will start to dissolve as businesses start (or continue) to view their business risk more transparently and holistically across their presently “siloed” risk management approaches.

4.  Continued regulatory requirements.

This is probably the most “no-brainer” of all these predictions.  There are always literally thousands of rules and regulations in the US government pipeline, and nobody expects this trend to significantly diminish over the short term.  I don’t see any in the pipeline that will have the same dramatic impact as SOX did, but over the short term, the Red Flag Rules might cause some significant effort, and over the long-term the IFRS accounting change is expected to have a dramatic impact on the internal processes of most companies (see CFO Magazine’s resource page on IFRS here).

So, what are your thoughts on this?  We’re anticipating another exciting year in the world of GRC and are interested in hearing your take…

*Photo courtesy of kevinzhengli.

Tags: Compliance, consolidation, GRC, predictions, Red Flag Rules, regulations, Risk, Risk Management, SOX

Read Post & Comments

By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s the Senior Principal Product Marketing Manager for GRC at CA. Previously he managed the large computer operating system development group at Digital Equipment and Prime Computer, and managed... Read More...