While SOX requirements and the hoopla around SOX may have died down these past few years, GRC remains a key requirement at most PLCs. In fact, I know of a handful of companies that got marked up for SOX failures on GRC deficiencies, and usually the sword falls on the IT department. Unfortunately, these failures often become a source of opportunity for vendors to come peddle their GRC tools: vendors are ready to demo their latest and greatest GRC tools with all the fancy dashboards and reports. Word to the wise: implementing GRC is 80% preparation, 20% implementation. Companies should spend significant time designing their requirements, org structure, tolerance for risk, and available mitigations before embarking on choosing a tool. Once all the design is done, it is just a matter of finding a tool that is easy to install, use, and maintain. Unfortunately, most companies choose the tool first and then start grappling with this bigger challenge. Another factor is that it is very easy to make this more complicated than it needs to be. This is where you need to remember that all you need is a passing grade; you don't need the best GRC installation, since there is no prize for the best GRC. There are many companies peddling their 'custom GRC' designs as well; once again, these need to be reviewed in the framework and context of the specific company.
Unfortunately, when it comes to compliance, most companies like to err on the side of caution and sign up for more rather than less. Objective thinking and some careful planning could make this a lot simpler than it is made out to be.