GRC Predictions For 2016

Bruce McCuaig

Over the last few weeks, in the spirit of the holidays, my colleagues here posted blogs on the Twelve Days of GRC Christmas and Resolutions for a Better GRC in 2016. I offered to complete the trilogy with a blog on predictions for GRC in 2016. It seemed easy then. I was sitting on a beach in Curacao at the time. Back home, with the wind howling and snow falling, it’s more of a challenge.

Analyze the past, understand the present, and predict the future

On Thursday this week, I am participating in a webcast of the recently completed OCEG GRC Technology Strategy Survey. SAP co-sponsored the survey and I encourage you to join the webcast. I found the results interesting and insightful. But in thinking about predictions for GRC for 2016 the survey made me realize I had a problem.

It’s tough to predict an outcome if the destination is unknown. I don’t believe there is a consensus on what the outcome of GRC should be. I believe the profession is moving in the right direction, but drifting.

The caption above is a tag line used by our digital boardroom folks. I think it’s useful to use it to understand not what might happen, but what needs to happen with GRC.

A good carpenter doesn’t blame his tools

Cost-effective, robust technology for GRC exists today and has for some time. Expecting technology to achieve what I think GRC should accomplish is like dumping a pile of building materials on the ground beside a set of tools and equipment and expecting a house to appear. More is needed.

I predict 2016 will see a continued increase in technology spend, shifting to enterprise platforms and the use of analytics.

Start with the end in mind

To me, analyzing the past, understanding the present, and predicting the future is an ambitious goal. But what will propel the vision is reporting. Analytical tools exist today. Neither regulators nor boards are demanding GRC reports today. Suitable reporting frameworks will evolve only if demand for reporting exists. Technology is not the issue. Demand is the issue.

I predict that GRC will be asked to contribute to the digitalization of the boardroom in 2016 and will struggle to do so.

GRC capability model

For most professions, standards are set and practitioners certified. With a few exceptions, OCEG itself being the major one, uniform standards and professional capabilities are absent for GRC.

I predict the need for professional GRC standards and initial reporting frameworks will emerge and accelerate in 2016. The OCEG GRC Capability Model will lead the way.

A great way to join the discussion of GRC and technology is to attend the GRC2016 Governance, Risk & Compliance conference, which takes place in Las Vegas March 15-18. Learn more and register by February 12 for the early bird discount.


Bruce McCuaig

About Bruce McCuaig

Bruce McCuaig is director of Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management, and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.