Software is only one part of a GRC strategy
"Spending money on people and not systems, that's partly due to the fact that it's hard to get an investment on systems [without] a demonstrated return on investment," said Jeremy Roche, CEO of Coda, which develops financial accounting, analytics and GRC software for the financial services industry. "The thing about properly designed [GRC] systems is that once they're designed, they don't make mistakes. People make mistakes."

The Deloitte study found that, although the financial costs of compliance have been significant, the tendency for banks has been to respond by adding people rather than technology to manage compliance. One reason compliance efforts are being duplicated is that initiatives are often managed on a case-by-case basis, driven by a specific (and looming) regulation, an approach that leads to siloed initiatives. At the same time, companies struggle to implement a concise, organization-wide GRC strategy because of the people issue, according to Narina Sippy, senior vice president and general manager of SAP AG's GRC group.

"Software and technology in general is really only as good as the people who use them, and as good or strong as the corporate commitment and the cultural willingness to embrace the technology that is put in place," said Sippy. "Sometimes it's change management [issues], sometimes it's cultural. If those are not aligned, the software is not going to be as effective as it could be." Sippy said that while software has a big role to play in the GRC field, it's only one of the factors. "We're starting to see some changes. In the last six months or so there's been a slight shift in how companies are looking at GRC in their organization," she said. "Up until not too long ago, and it was pretty rampant, companies were managing whatever regulation they were facing at the time. An integrated approach is what's really missing today. By having isolated controls, it really leads to corporations being vulnerable."
Chris Capdevila, vice president of Application Strategy at Oracle, said that GRC maturity and evolution really involves several pillars: organizational, cultural and process. The organizational layer, where the decisions are made to determine controls, is where a lot of companies struggle. "A lot of companies moving up in maturity are dealing with organizational issues-sending up a chief risk officer or a chief strategy officer," he said. "Historically audit [function] was looked down on. Now audit has seen more prominence, in a lot of cases reporting directly to the board. There are different ways of dealing with the organizational issue," Capdevila said.

Richard Speer, CEO of Speer & Associates, a strategic planning and risk mitigation consulting company for the banking industry, said that most financial institutions want to understand what their risk exposure is on an ongoing basis. But the fact is that most don't have any particular knowledge of what is going on day-to-day in a particular business unit. "Our clients are saying 'are there any managerial weaknesses that could create something like Société Générale?' But because Société Générale is still unfolding we're still unclear on all the lessons," he said. "But all of a sudden everyone is much, much more interested in GRC than when it's an abstract."
While banks have made "considerable progress" in integrating compliance management across the different parts of their business, there's still a lot of fragmentation and duplication of effort, according to Deloitte. About 30 percent of the respondents to Deloitte's study said that duplication had actually increased rather than decreased.