RiskTech Forum

Chartis: Slow Progress in Uncertain Times for Enterprise GRC

Posted: 8 May 2017  |  Author: John MacDonagh  |  Source: Chartis


Despite gradual progress toward integrated enterprise Governance, Risk and Compliance (GRC) in the past few years, vendors and end users have struggled with the concept. It’s easy to see why: integrating established systems that were designed to be independent is not a simple task, and other developments in the GRC sector have kept vendors busy. Although it’s hard for vendors, this slow but steady push toward integrating their GRC systems will ultimately be beneficial for end users. They will be able to use data more easily from functions that were previously separate, and simplify the governance of their GRC processes.

The breadth of enterprise GRC requirements and solutions means that progress has been varied. Some aspects of GRC, like governance-level IT risk management and internal audit management, have changed little. Others, meanwhile – notably conduct and third-party risk and the application of Artificial Intelligence – are advancing rapidly.

As well as pushing toward more integrated GRC, vendors and users of enterprise GRC solutions must also plan for an uncertain future. The current climate of political change is threatening the status of existing and planned regulations. In particular, a presidential executive order released by the U.S. government in early February 2017 stated seven core principles of regulation, and ordered an evaluation of ‘the extent to which existing laws, treaties, regulations, guidance, reporting and recordkeeping requirements, and other Government policies promote the Core Principles’. This review will focus on the effectiveness of the Dodd-Frank Act, as well as the financial regulatory agencies who implement it, and could result in replacement, or a significant rework of the Act. While this executive order does not make any direct changes to the regulatory environment itself, there is a very real chance that it will lead to significant change for U.S. financial institutions.

Unfortunately, plans to deregulate particular industries, or make significant changes to regulations, are very difficult to predict, introducing further uncertainty in many industries. This uncertainty affects firms everywhere, who must now assess how regulatory change might affect them, and how best to react to it. GRC software vendors, meanwhile, must carefully consider which regulations will be most relevant in future, and how the demands of their clients are likely to change; vendors may need to reassess the functionality and coverage of their solutions, and remain flexible to keep their offerings in line with future changes to regulation.

For an executive summary of Chartis’s report Enterprise GRC Solutions: Market Update 2017, visit www.chartis-research.com.