Special Report: GRC Enters Adolescence
June 14, 2010

The discipline known as governance, risk, and compliance (GRC) management — which entered infancy only a few short years ago — has smacked headlong into adolescence, the results of which, according to Business Finance’s 2010 GRC Maturity Study (see “Methodology” sidebar), include a lingering identity crisis as well as some awkward issues interspersed with flashes of highly mature (and effective) behavior.
“You have a lot of organizations that have been somewhat static for about a year in terms of how they were approaching however you want to define GRC,” responds Approva Vice President Michael Evans when asked to provide a snapshot of GRC capabilities in North America. “Now these companies are basically reassessing to make sure that (a) they understand the world they live in now, and (b) their limited resources are properly invested to address these risks. At some level, it seems like the way people approach GRC has been flipped on its head.”
During its infancy 3 or so years ago, “GRC” consisted of documenting the heck out of every internal control that the compliance team — often helmed by internal audit — could unearth. In retrospect, that bottom-up effort now appears to have been plagued by duplicate work, unnecessary worry, and a host of other headaches.
Today, thanks to welcome doses of Sarbanes-Oxley compliance guidance from the SEC and Public Company Accounting Oversight Board (PCAOB), the majority of public and private companies are engaging in what Evans describes as a “fundamental transformation” to a more (drum roll, please) top-down, risk-based approach.
The survey data confirms that this transition is under way. Nearly three-quarters of respondents describe their GRC strategies as principles-based (more of a top-down and, often, risk-based approach) as opposed to rules-based (which requires a documentation-heavy approach). Nearly 65 percent of respondents report that their companies have some sort of enterprise risk management (ERM) program in place. Moreover, a surprisingly high number of respondents (60 percent) say that their companies have embraced some form of a relatively sophisticated GRC practice: continuous auditing and continuous monitoring.
To be fair, the survey also points to some pimples and other signs of developmental awkwardness within current GRC programs (operational risk management, treasury and cash management risk management, and third-party contract management appear in need of improvement), as well as an identity crisis that GRC experts echo.
The survey indicates the existence of relatively advanced ERM programs, yet among the disciplines that comprise GRC, respondents say that risk management remains a larger, more important challenge than either governance or compliance.
“There is still a tremendous amount of confusion about what GRC is,” asserts Norman Marks, vice president, GRC, for SAP’s BusinessObjects division.
Findings from Business Finance’s 2010 GRC Maturity Study also suggest that the majority of GRC practitioners know where they want to go. If these companies can address some adolescent angst and insecurity, their entire GRC programs should soon develop in ways that individual components of their programs already have matured.

See a larger version of the GRC Maturity Index.

I remember that we had to wear lanyards with our ID cards when we were on the company’s premises as part of some obscure audit that was coming up, and we had never done it before, so it caused quite a bit of confusion and unhappiness amongst us.
Companies are seeking a GRC maturity model to understand where their program stands against accepted best practices and in comparison to their peers.