By Dan Wilhelms

When the Sarbanes-Oxley Act (SOX) was first enacted in 2002, in the wake of several very visible accounting scandals, small to medium enterprises (SMEs) may have felt they dodged a very expensive bullet.

The requirement to document processes for Governance, Risk management and Compliance (GRC), and have them confirmed by outside auditors only applied to publicly traded companies. Unlike their publicly traded brethren, SMEs were not forced to purchase costly GRC software, did not have to re-direct resources from their normal daily tasks to prepare for audits, and did not have to change their methods of operation to comply with a government mandate.

Yet a funny thing happened in large enterprises as a result of that “bullet.” While at first they did it just to check off the “compliance” box on their list of tasks, in time they found that they were operating more efficiently, lowering their costs, driving innovation and becoming much more agile. The focus in GRC shifted from the “C” to the “G” and the “R”. And as SMEs stood on the sidelines and watched, suddenly the idea of following a GRC regimen started looking more attractive.

What wasn’t attractive was the price tag for those first-generation GRC solutions. Now, with the introduction of second-generation GRC solutions, the price has come down significantly. In fact, some second-generation GRC solutions are one-third the cost (or less) of the first generation products.

Still, SMEs aren’t required to demonstrate compliance to outside auditors, or the government. So how does an organization decide whether the benefits of implementing a second-generation GRC solution outweigh the cost? Here are some things to consider.

1. Minimizes risk. Every business, no matter what the size, has risks. Anytime you have human beings performing manual processes, there is a risk of something being done wrong – either accidentally or on purpose. In a privately held company, those discrepancies are potentially more devastating than they are in a public company. They are also much more personal. A second-generation GRC solution mitigates that risk by automating and regulating business processes. It can assure that all work is performed properly by refusing to allow completion of the process if it does not follow the prescribed procedure.

2. Tightens up business processes. When a business first starts out, all the rules and business processes are generally laid out and closely followed by everyone who works there. Over time, however, as the business expands, the processes tend to expand along with it. Different people have different ways of working, and will tend to do things in the way they are most comfortable – even if it conflicts with the organization’s best practices. Second-generation GRC solutions help rein in the “cowboy” approach by tightening up business processes, and then making compliance a part of the process instead of a separate operation. At the same time, if there are improvements that need to be made, they can easily be implemented across the entire organization rather than only affecting the originator(s). Ultimately, they create a culture of controls, making sure work is being completed by following the proper, repeatable processes instead of individual acts of heroism.

3. Improves change management. Anytime there is a change, it is important to document it in order to be able to trace back through any later problems. Yet documentation is often the bane of an organization – something its people know they should do but often put off in the interest of more urgent matters. Second-generation GRC solutions automatically create the documentation for any changes, assuring there is always a current and accurate record of every process from inception

You do not have flash or javascript support.

Average (0 votes)

Reply