Managing GRC Content
October 28, 2015 by
Filed under: Compliance Management
The business of GRC is an amalgam of different solutions and different providers, each addressing different market needs. It's an illusion that any single party could ever cover all of the needs in GRC. For this, the GRC market is simply too broad, with too many industry-specific angles and regional differences.
An important part of the differences is in the content. Different regions, different industries, different legal company structures, and different company sizes all require different content. By that, I mean not only that risks and controls are (vastly) different, but also, and especially, that regulations differ tremendously. Being a US asset manager, a German insurance company, a French energy company, or an Australian telecom provider: it is all vastly different. Regulations are simply very specific.
At a process level, however, the commonalities are tremendous: risk assessments largely look the same across the board. KRI management is done in similar processes; incident management looks similar; reporting is similar. Of course, at a detailed level the differences are quite substantial, but process-wise the commonalities are certainly there. This is precisely why a configurable GRC platform can most certainly be applied across industries, regions and company types. In fact, it greatly helps to leverage the process knowledge gained in one industry in another.
This is dramatically different with content. Apart from some generic frameworks, all content is very (!) specific. These generic frameworks, like ISO 27002 in information security, are applied in many different industries because of the commonalities of the underlying subject (IT processes and assets in this case). But in the vast majority of cases, say 90% of all content, the content needs to be country-specific, industry-specific and even company-specific.
The conclusion is that a leading GRC platform should have a content-agnostic strategy. And this is exactly what Nasdaq BWise does: we work with all leading content providers. We're also happy to work with the not (yet) leading providers. We need to; the global market is immensely diverse, and although customers may be in the same industry, every customer is unique.