The IT vocabulary is so peppered with acronyms and abbreviations that come and go that it’s really hard to keep track, and even harder to figure out which ones are meaningful.
Reading product spec sheets, especially for software, can be particularly baffling – depending on the vendor, the same concept may be expressed in many ways, based on the marketing spin du jour. It’s almost a relief when one vendor (or analyst, or journalist) comes up with a particularly fetching acronym or abbreviation and everyone else leaps to adopt it.
GRC is one such lucky trio of letters. I’ve no idea who decided to abbreviate the mouthful of “governance, risk and compliance” – probably a tired typist – but it’s been around for a few years. However, in our compliance-obsessed environment, we’re hearing about it with increasing frequency.
More importantly, so are customers who are facing the painful truth that they have to pay attention to GRC or risk expensive consequences from regulatory bodies.
According to a recent report from the IT Policy Compliance Group (IT PCG), an organization that helps its members improve business, governance, risk management and compliance results through fact-based benchmarks, companies high on the GRC maturity scale (based on the standard Capability Maturity Model) not only spend less on their compliance efforts, they also enjoy higher profits and revenues, and better customer satisfaction.
That elite group – a scant 12 per cent of the sample – may not need a whole lot of help from VARs, but the remaining 88 per cent of surveyed organizations presents a huge opportunity.
The report, presented at the Symantec Vision conference in June (Symantec is a sponsor of the IT PCG, along with the Computer Security Institute, The Institute of Internal Auditors, Protiviti, ISACA, and IT Governance Institute), revealed that companies lowest on the scale may spend the least on GRC activities, but they also face the highest financial risk from business disruption (10 per cent of revenue, versus 0.2 per cent for top organizations) or loss of customer data (9.6 per cent versus 0.4 per cent of revenue), and have 17 per cent lower revenues and almost 14 per cent lower profits than the highest ranked companies.
These least mature companies comprise a whopping 20 per cent of the sample.
Even companies half-way up the scale stand to gain a lot by improving their GRC efforts. The reduction in financial risk is still significant, and the GRC spending differential between top-ranked companies (five on the scale) and the middle-of-the-road companies ranked three is immense: the mid-rank companies spend three per cent less than the maximum spent on GRC, while the top-ranked companies spend 52 per cent less!

One key to that cost saving, says the report, is the automation of monitoring activities. That translates to software and services that need to be acquired, not to mention the consulting expertise of people who know how best to leverage them.
As governments and other regulators get stricter, and the rules get more convoluted, anyone who can provide these services will be in demand. It’s one of those few times when bureaucracy can be a friend. No matter what acronym you stick on it.