Using GRC to Move Risk to The Forefront

Much as the Greek goddess Athena emerged from the forehead of Zeus, the marketplace for governance, risk and compliance (GRC) software was birthed in an epic headache. The accounting scandals and subsequent bankruptcies of Enron and WorldCom prompted the creation of the Sarbanes-Oxley Act (SOX) and GRC software soon emerged to help companies comply with the regulations.

"If you look at the genesis of the GRC market, it was brought on by the passage of SOX in 2002," says Tom Eid, VP research, at Stamford, Conn.-based Gartner Inc. "The first GRC solutions emerged in 2004, and at that point the focus was really on the finance and audit function."

Five years and one credit crisis later, the risk management component of GRC seems poised for a similar boom. While no legislation has yet passed as a direct result of the financial services meltdown, few expect this to persist for too much longer. Bills intended to rewrite the regulation of financial services in general, and insurance in particular, are winding through both houses of Congress. Leaving aside the diverging opinions on the merits of the bills, a broad consensus exists that more regulations, and a larger emphasis on risk management by regulators, are inevitable.

"The administration continues to make the case that they need some sort of consolidated oversight over insurance and financial services at the federal level," says Gary Bhojwani, president & CEO of Minneapolis-based Allianz Life. "They are talking about true regulatory oversight, whether they get it is a whole other discussion."

While the industry awaits development in Washington, rules propagated by standards bodies such as the Financial Accounting Standards Board are already being enacted, and rating agencies are putting a renewed emphasis on risk. Notably, the Solvency II regulations scheduled to be implemented throughout the European Union in 2011 enshrine stringent risk modeling standards for insurance carriers. Many expect future U.S. regulations to mandate a similar, principles-based approach. Considering this, the question may be not if insurers should consider GRC solutions, but when.

"It's a question every chief compliance officer should be asking," says Donald Light, a senior analyst at Celent, a Boston-based research and consulting firm. "You have to take a position on the future. Insurers can start beefing up systems now, or say 'there's a lot of dust in the air' and sit back and wait until it is settled."

NOT ANOTHER ACRONYM

Taking this uncertainty into account, few could fault a budget-conscious CFO for begrudging the chance to spend money on GRC solutions. The fact that GRC is young and somewhat ill-defined also complicates matters. GRC bears more than a passing resemblance to enterprise risk management (ERM) platforms companies may already have in place. GRC proponents contend it augments, but doesn't replace, ERM. They note GRC is broader in focus, and only emerged because traditional approaches were not sufficient for new business and regulatory realities.

By automating internal processes associated with compliance, GRC solutions address the lack of consistency endemic to manual procedures and promise a more comprehensive, unified picture of an organization's risk exposures across multiple geographies and jurisdictions around the globe. With much of this risk residing within arcane financial products housed within far-flung investment portfolios, GRC boosters say its breadth and immediacy are critical.

Indeed, among other revelations, the financial crisis laid bare the fact that many insurers lacked transparency into their investment portfolios. Now more than ever, insurers have a fiduciary responsibility to make sure they hold no securities below a specific rating or asset class. With the financial markets in flux and indicators such as bond ratings changing rapidly, keeping an eye on an investment portfolio is no mean feat, especially so for large insurers with diversified investment portfolios. In the fall of 2008, if an insurance industry treasurer or CFO wanted to know their firm's exposure to a particular institution such as Lehman Brothers, an immediate answer may not have been readily at hand.

THE WIDE VIEW

It was this need to be sure of his positions that prompted Mike Warantz, treasurer from New York-based CV Starr & Co. Inc., to invest in a GRC solution. Warantz says the company saw the need for a solution in the fall of 2007, and implemented a Web-based platform from Boise, Idaho-based Clearwater Analytics in April of 2008. With asset managers around the globe, Warantz says he values the centralization and integration of accounting, compliance, risk and performance.

"We have investment professionals in New York, Hong Kong, Beijing, Shanghai and Russia," he says. "Previously, when management asked 'what's your position in XYZ,' we couldn't consolidate."

Warantz likes the idea of a global custodian, and says the solution is straightforward enough that even the senior executives can sign on and use it. He also says the solution will help the company abide by FASB's Rule 157, which deals with how organizations assign a fair-value measurement standard to all investment securities. That these products are getting more exposure at the board level may well be an indication of the role the credit crisis played in the increased prominence of GRC.

"People have been burned enough over the past 24 months, and they now know that if they don't have these controls in place they are at a significant disadvantage," notes Eric Gwilliam, director of statutory reporting at Clearwater Analytics. "It's imperative for an insurer in today's environment to consider every investment that they have, look at every rule they have set forth in their specific investment policy and track on a daily basis that they are in compliance."

THE EVOLUTION OF GRC

Many feel that, as a whole, GRC solutions need time to mature within an organization before they become true risk management tools. Organizations that invested in GRC as a tactical response to SOX ultimately realized that the solutions could provide ancillary benefits, such as increased automation and better transparency. Gartner's Eid says use of GRC solutions often evolves from the reactive, to the proactive, to the strategic.

"Initially, companies view regulations as a tax that they have to respond to," he says. "After the first three to four years, the solutions can provide benefits once the organization has had a chance to build them into workflows and new business processes."

Moreover, Eid foresees GRC spreading horizontally throughout the enterprise. From its traditional role in financial controls and internal audit processes, he sees it next impacting IT in areas such as security and access management and, lastly, moving into operational risk management within business units. "We anticipate that many years out there will be a stronger blending of finance, IT and operations GRC," he says. In this sense, the emergence of GRC may well parallel the spread of ERP, which also started strictly as a financial control solution but was soon adopted elsewhere in the enterprise.

Yet, some of the primary obstacles to widespread, successful leveraging of GRC may be cultural. "The real issue around GRC isn't a technical issue, it's more of a personnel issue," says John Kelly, director of product marketing, at Waltham, Mass.-based risk management solutions provider Open Pages. "You need to get all the stakeholders together as well as business unit managers and get them to agree on what to track in order for GRC to work. You need a common set of methodologies and taxonomies to make it effective."

Howard Stecker, co-COO at Devon, Pa.-based SMART Business Advisory and Consulting, says carriers also need to leave behind the "checklist" mentality common to prior compliance solutions, and instead embrace a live analytic model in order to gain strategic value. What's more, this move toward economic capital modeling may soon be a regulatory imperative as well as a strategic one.

"In the past, solutions revolved around documenting processes," Stecker says. "In the future, it's not going to be sufficient to say 'we have a system in place;' you will have to show from an analytical perspective that it's working."

However, Stecker doesn't discount the technical considerations of melding GRC solutions with a motley mixture of modern and legacy core systems. "Companies are going to have to find ways to pull disparate pieces of information together in a more cohesive manner than what they have at this moment," he says.

Kelly, too, acknowledges that challenges exist from a vendor perspective. "Previously, GRC just dealt with one specific regulation," he says. "With operational risk, it's not as neat because every business has a different set of operational risks. You need a software platform that is flexible enough to be configured."

Indeed, the nascent nature of the GRC marketplace further complicates matters for insurers accustomed to solutions designed specifically for their vertical. While software heavyweights Oracle and SAP both offer GRC solutions, the market is dominated by best-in-breed vendors, many of whom are far from familiar names. Yet, there has been some consolidation in the space. Last year, well-regarded GRC solution provider Axentis Inc., Cleveland, was acquired by Riverwoods, Ill.-based Wolters Kluwer Tax and Accounting. Likewise, New York-based Thomson Reuters acquired GRC provider Paisley, Minneapolis, to become part of its tax and accounting business.

Still, Eid says he tracks more than 50 different vendors in order to compile Gartner's magic quadrant on the GRC sector. "The vendors in the marketplace are not traditional software vendors," he says. "Essentially, this is a marketplace that got started in 2004. It's a much smaller revenue stream than ERP."

Despite this, vendors are putting together full-featured enterprise GRC platforms that carriers can readily leverage for efficiency and strategic advantage. These tools will enable carriers to align key risk indicators with key performance indicators for the business. "I would not call it mature, but it's starting to be pretty well defined at the enterprise level," adds Celent's Light.

As the market matures, it will address more specific vertical market requirements. For example, GRC solutions could have business rules tailored to insurance regulations, and include software development kits designed to work with business processes such as claims.

Another interesting trend is on-demand GRC offerings. One of the persistent knocks against SOX is that its onus falls more heavily on smaller corporations. Because they are better able to spread out the up-front cost, larger organizations have been more likely to spend money on GRC solutions. By eliminating up-front costs, the growing cadre of on-demand GRC solutions may alter this dynamic. Eid estimates that Software-as-a-Service offerings currently account for 15% to 20% of total market revenues.

"They are certainly a viable alternative to on premise solutions," he says.

 

(c) 2009 Insurance Networking News and SourceMedia, Inc. All Rights Reserved.
