When the Sarbanes-Oxley Act (SOX) was first enacted in 2002 in the wake of several very visible accounting scandals, small to medium enterprises may have felt they dodged a very expensive bullet. The requirement to document processes for governance, risk management and compliance (GRC), and have them confirmed by outside auditors only applied to publicly traded companies. Unlike their publicly traded brethren, SMEs were not forced to purchase costly GRC software, did not have to re-direct resources from their normal daily tasks to prepare for audits, and did not have to change their methods of operation to comply with a government mandate.
Yet a funny thing happened in large enterprises as a result of that "bullet." While at first they did it just to check off the "compliance" box on their list of tasks, in time they found that they were operating more efficiently, lowering their costs, driving innovation and becoming much more agile. The focus in GRC shifted from the "C" to the "G" and the "R". And as SMEs stood on the sidelines and watched, suddenly the idea of following a GRC regimen started looking more attractive.
What wasn't attractive was the price tag for those first-generation GRC solutions. Now, with the introduction of second-generation GRC solutions, the price has come down significantly. In fact, some second-generation GRC solutions are one-third the cost (or less) of the first generation products.
Still, SMEs aren't required to demonstrate compliance to outside auditors, or the government. So how does an organization decide whether the benefits of implementing a second-generation GRC solution outweigh the cost? Here are some second-generation GRC benefits to consider:
Minimizes risk. Every business, no matter what the size, has risks. Anytime you have human beings performing manual processes, there is a risk of something being done wrong - either accidentally or on purpose. In a privately held company, those discrepancies are potentially more devastating than they are in a public company. They are also much more personal. A second-generation GRC solution mitigates that risk by automating and regulating business processes. It can assure that all work is performed properly by refusing to allow completion of the process if it does not follow the prescribed procedure.
Tightens up business processes. When a business first starts out, all the rules and business processes are generally laid out and closely followed by everyone who works there. Over time, however, as the business expands, the processes tend to expand along with it. Different people have different ways of working, and will tend to do things in the way they are most comfortable - even if it conflicts with the organization's best practices. Second-generation GRC solutions help rein in the "cowboy" approach by tightening up business processes, and then making compliance a part of the process instead of a separate operation. At the same time, if there are improvements that need to be made, they can easily be implemented across the entire organization rather than only affecting the originator(s). Ultimately, they create a culture of controls, making sure work is being completed by following the proper, repeatable processes instead of individual acts of heroism.
Improves change management. Anytime there is a change, it is important to document it in order to be able to trace back through any later problems. Yet documentation is often the bane of an organization - something its people know they should do but often put off in the interest of more urgent matters. Second-generation GRC solutions automatically create the documentation for any changes, assuring there is always a current and accurate record of every process from inception on. It also allows SMEs to make more changes within a given timeframe, helping them react more quickly to market pressures and opportunities.
Helps drive innovation. There are only so many hours in the day, and so much work each person in the organization can do. If that time is being spent performing manual tasks (such as documenting changes), it is not available for more high-value work. By automating tedious but necessary manual processes, second-generation GRC solutions free up those resources, giving them more time to drive innovation and help the organization gain a competitive advantage.
Increases agility. One of the theoretical advantages an SME holds over a large enterprise is agility. Smaller companies are expected to be able to react more quickly to problems as well as sudden opportunities in the market. But if they're bound by outdated or slow business processes, that advantage is often lost. Second-generation GRC solutions help SMEs regain and even increase their agility, making them more competitive even in the face of factors they can't control (such as the economy).
Eliminates costly, repetitive tasks in an SAP landscape. By its nature, SAP has many repetitive tasks. Take something as simple as provisioning new users into the system. This is normally a manual task that takes time away from more important work. Yet it is also the foundation for everything else that user will do in SAP, so it is important that it be done quickly and accurately. Second-generation GRC solutions can automate the process of enrolling users, with the appropriate controls and audit trail to assure everything is spot-on. As a result, SAP administrators spend less time on repetitive manual tasks, freeing them again for more high-value work.
Can be implemented in stages. Unlike the mandatory efforts for publicly traded companies that resulted from SOX, use of second-generation GRC solutions in SMEs is completely voluntary. As a result, they can be implemented in stages, allowing the cost savings from stage one to help fund the second stage, and so on. This option makes gaining all the other benefits much more palatable and realistic for budget-conscious organizations.
Compliance many not be required for SMEs. But sound business practices, tight controls and agility are - especially in the current economy.
Second-generation GRC solutions give SMEs the tools they need to act like the "big boys" - and reap all the attendant benefits. They also make the SMEs more attractive business partners for enterprises that are required to demonstrate compliance. When all the factors are considered, it's apparent that GRC isn't the bullet that SMEs thought they dodged, but a powerful weapon to increase competitive advantage. And now is the time to seize the opportunity.
About the author:
Dan Wilhelms is president and CEO of SymSoft Corporation, maker of ControlPanelGRC, professional solutions for compliance automation (www.controlpanelgrc.com). He can be reached at dwilhelms@sym-corp.com.