Three years ago, when managers at SunTrust Banks Inc. began searching for software that might help them cope with new regulatory requirements, they kept their demands to a minimum. Although the financial-services company had just endured a tough first year of Sarbanes-Oxley compliance, no one expected software to solve all the problems. "Sarbox was killing us," says John Wheeler, the company's senior vice president of financial-reporting risk management, "but we went in with very defined — and low — expectations. We wanted a basic, bare-bones program."
SunTrust purchased a financial controls management application from OpenPages, one that Wheeler says was limited in scope, but flexible. And OpenPages claimed that, in subsequent releases, the program would link up with its other compliance and risk-management programs. "That integration wasn't quite there when we first implemented the software," says Wheeler. "We were going on faith regarding the vendor's promises."
SunTrust hasn't been disappointed. Since 2005, OpenPages has extended the capabilities of its product, allowing SunTrust to better assess risks stemming from Basel II and the Patriot Act, not to mention a variety of operational and credit risks. More recently, SunTrust purchased a general-compliance module from OpenPages, which the bank's compliance group uses to catalog regulatory mandates and related controls for each line of business. Next, says Wheeler, SunTrust plans to integrate the two compliance modules into a single platform.
Join the club. Increasingly, corporate executives are ratcheting up their expectations for software that can capture a wide range of governance, risk, and compliance (GRC) information. Those functions can overlap, sometimes in unexpected ways. In 2005, when the California State Automobile Association purchased a program called Leaders4 (from vendor 80-20), the goal was to use it as a board information-management system. But as Bob Flax, assistant general counsel at the automobile association, soon learned, "The software had functionality I didn't even know about."
That hidden functionality came in handy the next year, when Flax was asked to devise an automated system that would ensure that the motor club franchise could pass AAA's rigorous certification process. An annual ritual has evolved, says Flax, in which a different vice president would be plucked from management to spearhead the painful process. "We had no central view of compliance," he notes. "We started from scratch every year."
That meant poring through a thick quality-control manual that contains what Flax describes as "probably 10,000 things" that the California club's 7,500 employees need to address.
To Flax's relief, it turned out the 80-20 software includes features ideally suited to the task. The program's electronic questionnaire function, for example, allowed Flax to send out questions about procedures and policies to employees, who then responded. The data was then certified, and Flax used the software to produce published reports for board members. "The software took what had been a four-month process down to two weeks," he says.
Beyond Scut Work
This urge to converge is largely a post-Sarbox quest for greater efficiency. As John Hagerty, vice president and research fellow at AMR Research, points out, companies have spent substantial sums attempting to cope with the many burdens of Sarbanes-Oxley. Spending on Sarbox peaked in 2006, with publicly traded companies forking out about $2 billion on technology and consulting to help them assess internal controls and material weaknesses. With much of the Section 404 scut work now automated, customers want to leverage that initial investment and create a foundation for future compliance needs.
Rather than inquire about Sarbox-only software, vendors say clients now routinely issue RFPs for programs that can handle an array of mandates, including Basel II and sustainability reporting. In addition, prospective buyers appear to be zeroing in on software that offers a range of functions (such as risk modeling and survey publishing). "The Sarbanes-Oxley market has almost disappeared," confirms Luc Brandts, chief technology officer at compliance-software publisher BWise. "But convergence is hot."
Application vendors, who cling to marketing hooks the way cats cling to curtains, have been only too happy to cater to this desire, probably motivated by the fact that since 2003 the average price for such applications has more than tripled, to $400,000. At last count, Corporate Integrity president Michael Rasmussen found 114 software vendors that claim to offer GRC platforms. The hijacking of a three-letter acronym is standard practice in the software world, of course, and makes life difficult for would-be GRC customers. "Convergence is about processes, about getting different roles to talk to each other, and working toward a common goal," Rasmussen says. Most sales pitches don't acknowledge the nuances, or difficulty, of such efforts.
If the need to bridge various divisions and departments within an enterprise in order to achieve a holistic view of compliance and risk issues sounds familiar, it is. Remember enterprise risk management(ERM? Highly touted by insurance companies (and the business press), it emphasized the need for managers to address risk in a systematic rather than a compartmentalized fashion. Approached in this way, responsibility for risk management fans out across functions and operating units and becomes a part of many people's jobs.
The concept has merit, but when software companies rushed in to the nascent ERM space with elaborate — and expensive — applications, corporate interest seemed to wane. While credit-rating agencies remain keen on the concept, the proliferation of ERM applications seems to have led some managers to view enterprise risk as a technology problem rather than a business-process issue.
Ahead of the Curve?
Will GRC follow a similar path? Hagerty believes that, five years from now, GRC will be as common a business term as ERP. The pace of regulatory reform seems to be quickening, and consumers now appear to be more loyal to businesses that can point to a range of governance improvements, be it greater transparency or a broader acknowledgement of their impact on the environment. Those trends may give GRC a boost that ERM lacked.
Ed Fox, vice president and chief sustainability officer at utility Pinnacle West, believes managers are finally waking up to the importance of what he calls "principled business." Such an approach involves assessing the long-term societal impact of a company's operations. Toward that end, Pinnacle West recently purchased a sustainability and EH&S (environment, health, & safety) reporting program from Enablon. Among other things, the application helps the utility track some 150 key performance indicators. "But this must involve a change in corporate culture, too," says Fox. "It must be a top-down, bottom-up, unified approach. That's the hard part."
Indeed, the promise of convergence may be slightly ahead of the reality. Consider DreamWorks Animation SKG. In 2006, the creator of Bee Movie licensed a compliance application from — wait for it — BWise, in order to automate the testing of internal controls as required by Section 404 of Sarbanes-Oxley. Vicki Halliburton, head of internal audit at the company that gave us Shrek and Shark Tales, says the software has freed DreamWorks from the "distraction of spreadsheets."
The company is now finding additional uses for the program. The software, for instance, enables authorized visitors to view the policies and procedures governing the animator's dealings with suppliers. In addition, DreamWorks recently loaded financial information from its general ledger into the application. The data dump, when run through BWise's rules engine, allows managers to more easily scope hazards that might be material to the business. Indeed, Halliburton says that what was at first regarded as a Sarbox application now goes well beyond internal controls. "It has great functionality for conducting risk assessments," she says.
Even so, Halliburton says that management at DreamWorks is not entirely sure how to integrate other stand-alone applications into its GRC portal. And she grants that a more-holistic, enterprisewide approach to risk, compliance, and governance is a ways off. "Convergence," says Halliburton, "is a work in progress."
That's true both for companies' processes and the software they might use. Vendors like BWise, Qumas, 80-20, OpenPages, and Paisley have created impressive GRC platforms — that is, portals where managers can access and monitor information about governance, risk, and compliance. The problem, say analysts, is that no software publisher covers all the GRC bases. BWise and Qumas, for example, are strong in content and process management. Approva excels at helping customers automate controls. Axentis, another major player, markets an intriguing hosted product. Says Haggerty: "No vendor today offers a platform that can handle everything." And customers see some organizational roadblocks as well (see "Who Owns, Who Pays?" at the end of this article).
This may change as a different sort of convergence takes hold — among vendors. Industry consolidation has already commenced as smaller vendors (such as Securac Holdings and Certus Software) merge, and as ERP giants Oracle and SAP elbow their way into the space. In 2006, SAP indicated that it was getting into the convergence arena by acquiring automated-controls specialist Versa. Oracle announced its GRC strategy in March 2007, about a year after the company bought content-management specialist Stellent. "Oracle has a ton of GRC pieces," says Rasmussen, "but it's still putting them together."
So is SunTrust. The bank is now in the process of integrating its general ledger into its compliance software. It's only a trial, but one that underscores the promise of convergence. "We will be able to identify not only the most significant balances, but the controls associated with those balances," he says. "It will give real visibility to risk managers."
Is this the future of GRC? "We don't talk much about convergence or GRC," says Wheeler. "We still use the term 'enterprise risk management.'"
Give it time.
Who Owns, Who Pays?
Key challenges in implementing a GRC plan*
59% — No single point of ownership/accountability
57% — Obtaining executive sponsorship
56% — Lack of budget/resources
47% — Unable to justify return on investment
28% — No perceived input on corporate goals & objectives
*Percentage of companies; Source: Approva Corp.