wiredFINANCE

Alan Radding SOFTWARE & SYSTEMS: Blogger Alan Radding supplies the Business Finance community with reporting...more

Can You Really Automate GRC?

There is one big reason for doing it — cost containment. And there is no shortage of vendors hoping to help organizations automate GRC (governance, risk, compliance) through IT. Oracle, Agiliance, and Lumigent are three I have bumped into lately, but there are many more.


Gartner has a Magic Quadrant report on enterprise GRC that lists a dozen or more vendors. Forrester Research and AMR Research, too, cover the automated GRC market extensively. Various recent analyst reports are listed here.


Gartner divides these products between GRCM products (defined as the automation of the management, measurement, remediation, and reporting of controls and risks against objectives, and in accordance with rules, regulations, standards, and policies for the oversight and operation of risk management and compliance programs — a mouthful, for sure) and other GRC products for the automation and monitoring of controls.


The appeal of automated GRC is the ability to reduce the cost of compliance. John Capobianco, a veteran IT executive and currently CEO of Lumigent Technologies, an automated GRC player, likes to tell about his previous company, a small firm that ran up $2.5M in compliance costs. Automated tools, he notes, could have cut those costs substantially. You can see his white paper on application GRC here.


There are two big problems with automated GRC:


1) the size and complexity of the automation challenge;


2) the inability of the GRC discipline to conform to the needs of machine intelligence.


Size and complexity loom large. Governance, risk, and compliance actually are three different disciplines, each with its own needs in terms of automation. Further compounding the challenge is the variety of types of GRC required. GRC for the finance organization is different from GRC for the IT organization, which differs yet again from that for other business units.


All this complexity leads to the need for different, highly specialized tools, which raises a huge set of cost, integration, and management issues. To address this problem, many organizations, as Gartner reports, are opting for a single enterprise GRC platform and, when necessary, integrating the many point and functional solutions to satisfy specific GRC needs. This, however, won’t be cheap or easy, and whether the results will actually meet the organization’s needs effectively remains debatable.


Machine intelligence presents another challenge. Effective GRC automation revolves around rules and policies that are enforced by computers. The rules and policies must be something a computer can understand in binary (yes/no) terms. For example, a governance policy may require that any Social Security number transmitted over a network be encrypted. For a computer, that’s a snap. It can easily recognize an SSN, a network call, and encryption. It can enforce such a policy without human intervention.
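The SSN rule described above, written as a yes/no check. This is an added example, not part of the original post; the `Transmission` record, its field names, and the sample traffic are constructed for illustration.

```python
import re
from dataclasses import dataclass

# AAA-GG-SSSS with optional "-" or " " separators. Area 000, 666 and 9xx,
# group 00 and serial 0000 are never issued, so they are excluded.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}([- ]?)(?!00)\d{2}\1(?!0000)\d{4}(?!\d)"
)

@dataclass
class Transmission:          # hypothetical record an egress proxy might emit
    destination: str
    encrypted: bool          # True when the channel is encrypted (e.g. TLS)
    payload: str

def find_ssns(text):
    """Return every SSN-shaped value in text, normalised to digits only."""
    return [re.sub(r"\D", "", m.group(0)) for m in SSN_RE.finditer(text)]

def mask(ssn):
    """Keep only the last four digits so the audit trail holds no SSN."""
    return "***-**-" + ssn[-4:]

def evaluate(tx):
    """Binary policy decision plus an audit record for one transmission."""
    ssns = find_ssns(tx.payload)
    allowed = not ssns or tx.encrypted
    return {
        "destination": tx.destination,
        "decision": "ALLOW" if allowed else "BLOCK",
        "ssn_count": len(ssns),
        "evidence": [mask(s) for s in ssns],
    }

# Constructed sample traffic, not taken from any real system.
SAMPLES = [
    Transmission("hr.example.com", True, "employee ssn=123-45-6789"),
    Transmission("ftp.example.net", False, "payroll: 123 45 6789, 234-56-7890"),
    Transmission("ftp.example.net", False, "order 000-12-3456 shipped"),
    Transmission("mail.example.org", False, "call 555-0100 about invoice 42"),
]

if __name__ == "__main__":
    for tx in SAMPLES:
        print(evaluate(tx))
```

Nine bare digits also match the pattern, so a rule like this still produces false positives on things such as account or order numbers and needs tuning against real traffic.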


But how will it handle, say, policies to prevent sexual harassment or insider trading or age discrimination? Here the policies may not readily translate into binary computer intelligence. But the penalties for a governance failure here could be staggering.


This is not to say that organizations should not try to automate GRC. Rather, they need to automate as much GRC as they can to contain compliance costs. Relying on one massive enterprise GRC solution, however, may not be the best way to go. Instead, they may prefer to deploy a mix of automated tools to come up with enough automation to lower the cost of GRC without increasing complexity to the point where automation is no longer cost-effective. And for some GRC needs, the manual approach may be the only way.
