Webinar: Practical Applications of ISO 31000: Embedding Risk Management into your business

April 27th, 2010, Elaine

WEBINAR: Practical Applications of ISO 31000: Embedding Risk Management into your business! 

  • Expectations for risk management are changing
    • Rating agencies, partners, regulators, and other stakeholders are looking more closely at how risk management is being conducted
    • New SEC disclosure requirements about Board’s responsibility for risk oversight, and link between compensation and risk
    • Skepticism that risk management works as advertised
    • Greater need for standardization, documentation of processes, and explanation of value
  • Explanation of the ISO 31000 standard
    • What the standard provides
      • Vocabulary
      • Explanation of processes
      • Understanding the role of risk management
    • What the standard doesn’t provide
      • Risk taxonomy
      • Business case
      • Tools and techniques
    • Additional guidance
      • ISO 31010 risk assessment standard 
  • Practical steps to improving your risk management program
    • Organization and process structure
    • Participation from top to bottom
    • Incremental steps toward improvement and value
    • Eye toward ERM offering decision support and increased performance


Governance, Risk and Compliance (GRC) XBRL or XML

April 15th, 2010, James

The Governance, Risk and Compliance (GRC) technology landscape is large and diverse. A truly complete GRC solution would be composed of many modules, including risk modeling, risk assessment, policy management, helpline/whistleblower, access controls management, incident capture and management, investigations management, controls monitoring and management, root cause analysis, audit management and more. While many Governance, Risk and Compliance (GRC) vendors claim to have a complete solution, the reality is that GRC is too big for any one vendor to meet every need. No one vendor today actually has a complete solution. Depending on what you include as GRC, it’s likely no one vendor will ever have it. Even amongst those vendors who can tick many of the GRC boxes, each has different strengths and weaknesses that might limit which GRC modules a company might purchase.

Today’s reality is that any complete solution will be composed of products from multiple vendors (for example BPS Resolver for ERM, Compliance and Audit, and SymSure for Continuous Controls Monitoring). Looking at the market, many vendors, including us, have created partnerships and alliances to bring a more complete solution to clients. However, this approach is somewhat limiting, and clients can’t really mix and match a solution from any vendor they choose without custom projects. Custom integration projects are required because there is no industry-standard common GRC interface or language that would allow GRC systems to consume and publish data.

Enter GRC XBRL. XBRL stands for Extensible Business Reporting Language and is an open standard based on XML to define a common language for business reporting. GRC XBRL (sometimes called GRC XML) is a GRC specific definition built on the foundation of XBRL by the Open Ethics and Compliance Group (OCEG), including members from Approva, Thomson Reuters, Fujitsu, and PricewaterhouseCoopers. The alpha version of the standard was released to peer-review in October 2009 and should be published for widespread consumption in 2010.

Currently, no technology vendor reads or writes data to this open standard. The benefits of all GRC vendors adopting GRC XBRL as a common language would be enormous. To date, all systems integration has been customized and proprietary. If all GRC vendors adopt GRC XML and provide standard interfaces to publish and consume this data, the GRC market would enter a new era of plug and play components. Clients could choose a GRC backbone platform and add specialized components or modules from other vendors that best suit their business needs.

Another interesting opportunity from GRC XBRL is that it provides a common language across companies and industries to share and compare GRC data. In the future, GRC XBRL could be a mechanism for companies to benchmark their progress and practices against their peers in industry and geography.

In the same way that XBRL is transforming the business reporting landscape, GRC XML will soon have a large impact on GRC applications. All vendors with GRC related applications should move to support this new standard.

Filed Under: BPSResolver Blog | 0 Comments

5 Lessons When Using Microsoft Excel for Your Governance, Risk and Compliance Needs

April 11th, 2010, James

As a subject area, Governance, Risk and Compliance (GRC) is broad and all-encompassing. It includes legislative compliance, risk management, policy and procedure management, incident management, control monitoring and audit. The scope can be overwhelming, and it can be a nightmare for those trying to manage it. Governance, Risk and Compliance (GRC) applications are meant to manage these complex interactions, but too often they make it more complicated.

According to Michael Rasmussen, Microsoft Excel (in concert with SharePoint and Word) is the most widely used Governance, Risk and Compliance (GRC) software. This approach certainly has many shortcomings, including security, data consistency and integrity, ease of reporting and version management. Most users of the spreadsheet-based approach recognize the need for a true GRC backbone platform. However, Microsoft Excel has some valuable lessons that Governance, Risk and Compliance applications could learn.

1. Simple but Powerful

The concepts behind a spreadsheet are simple yet incredibly powerful. Users can enter almost any kind of information, create functions and relate information. And spreadsheets don’t require a lot of configuration; users can just open a workbook and begin. GRC systems should also be flexible enough to capture any sort of information, provide facilities to calculate or roll up information, and allow multiple relationship modeling. All this should be presented in an interface that is obvious and familiar to the user, perhaps in an interactive table similar to Excel.

2. Ubiquitous

It is very rare to find a business desktop that does not have MS Excel installed or a user who does not know how to use it. This application is so pervasive and well known that it is second nature to users. GRC systems should be the same way. They should be deployed on every user’s workstation in the company. Users should employ them as part of their daily life. GRC should become a ubiquitous part of their work experience, ingrained deep in the roots of daily activities.

3. Flexible

The spreadsheet was one of the first “killer apps” for the computer. This visible calculator unleashed the power of the PC, and its incredible flexibility gave rise to an almost infinite number of uses. GRC platforms must also be flexible and adaptable. The GRC environment is rapidly changing and evolving, and backbone applications must have powerful modeling capabilities to match. This modeling ability must be easy for end users to configure, so that they can take ownership of the system and keep it up to date.

4. Intuitive

Spreadsheets make sense. Generally, users look at them and know exactly what to do. They are accustomed to the table format that allows them to see and interact with large quantities of data at the same time. GRC platforms must also be intuitive to end users. As roles change in an organization, users will come and go and must be able to quickly learn and use GRC platforms as they relate to their duties. GRC platforms must be intuitive, easy to learn and present information in a fashion that users are accustomed to.

5. Unobtrusive

Excel is a normal part of knowledge workers’ everyday existence. It is an essential tool used in everyday activities. Users don’t think of it as another application they have to learn. It is just part of their life and routine. GRC platforms must also become unnoticeable to end users. They should not inconvenience users or put them out of their normal routine. This is essential if GRC platforms are to have widespread usage and adoption within an organization.
