This week in GRC focuses on the many challenges 2010 poses for companies with regard to spending, compliance and risk management.

5 Things Legal Departments Need to Manage

As 2010 is on track to bring more compliance and governance requirements, it may also challenge companies to adopt integrated strategies without raising budgets.

The Huron Consulting Group is here to help. They recently compiled a list of five areas of management that legal departments should focus on so that they can best determine who and what drives costs and how these issues can be managed for success in 2010 and beyond.

  1. Discovery Management
  2. Cost Management
  3. Outside Counsel Management
  4. In-House Resource Management
  5. Technology & Process Management

Chances are companies have money, time and manpower invested in many, if not all, of these areas, yet they may not recognize the depth and breadth of their investment.

Taking the time to understand what each of these components manages, and why it is necessary, is sure to help many across the enterprise see where resources are being spent. Better insight makes for better oversight.

Companies Approach GRC with Heads Up, Eyes Open

In the third quarter of 2009, AMR Research conducted a GRC study that assessed plans, motivations and spending priorities at 151 U.S. companies of all sizes and across industries. The study indicated that:

  • U.S. companies will spend US$ 29.8B on GRC activities in 2010, up 3.9%.
  • Risk management remains the top GRC motivation.
  • Better visibility leads to an agile response.
  • Efficiency equates to operating at the highest impact and lowest cost.

The study, GRC in 2010: $29.8B in Spending Sparked by Risk, Visibility, and Efficiency, outlined three major areas of GRC spending: Technology, External Services and Internal Efforts. While companies are spending more, they are driven to compliance by a plethora of motivating factors.


In addition, organizations seem to have matured in their GRC thinking, but inconsistencies still remain, especially between departments. Business executives are much more confident about their approaches and processes than their IT counterparts.

Overall, visibility and efficiency drive a majority of investments for 2010, encouraging companies to operate with “heads up, eyes open, and as efficiently as possible”.

Putting Change in a Bucket

CIOs are constantly faced with the question of how to make IT-related risk management easier and more effective. Brian Barnier, principal at ValueBridge Advisors, says that CIOs need to be prepared to change quickly so they can adapt to new regulations. Barnier organizes change into four categories, or buckets:

  • business driven change (e.g., acquisition, consolidation, product change, new regulations);
  • technology management change (e.g., consolidation, shared services);
  • technology change (e.g., cloud, mobile, virtualization); and
  • failure-driven change (e.g., actual, audit finding, testing finding or compliance gap).

In order to earn a return on investment, these changes must be addressed head on and strategically. Barnier says that by using risk IT, CIOs can reduce the risks inherent in most business changes while managing compliance within an organization.