Building a GRC practice
Every business has its own unique risks, environment and compliance rules, and all these aspects must be considered when developing a governance, risk and compliance (GRC) strategy. While there is no shortage of tools touting comprehensive solutions to an organisation’s needs, claims by some IT vendors that GRC is just a matter of plugging a tool into the network and watching a company’s concerns drift away aren’t realistic, primarily because every organisation has its own unique risks and compliance mandates. So how can solution providers go about building GRC practices within their businesses?
The Middle East governance, risk and compliance (GRC) market is rising rapidly, driven by regional pressure as well as an increasingly demanding global business regulatory environment. Compliance is a box that any organisation with international ambitions must tick. But across the Middle East, the heat is also on when it comes to participating in the many government-backed infrastructure initiatives and flagship development projects.
There is no shortage of tools which, thanks to the power of vendor marketing, can give the impression that successful GRC is just a question of implementing plug-and-play software. But the reality is complex, and different for every organisation. Solution providers with designs on this specialist market must look at the consultative aspects they will need to invest in if they are to build a successful GRC business.
“As the market matures, the regulatory landscape is undergoing a major transformation, led by regulators in Saudi Arabia, Qatar and the UAE,” said Ghassan AlKhalout, regional director at Nexthink.
“The opportunity for GRC in the region is huge. In a recent study from EY of MENA business decision makers, 75% of respondents claim their risk reporting is still poor, and 88% have not fully implemented an IT system for risk [management].”
AlKhalout said the subject is high on the agenda of CIOs he encounters, and is becoming increasingly important for daily activities and long-term sustainability.
“The industries where we are seeing the most demand for GRC are the public sector and financial services,” he said. “Effective GRC encourages efficient use of resources, strengthens accountability and improves management and service delivery, thus contributing to the enhancement of service quality provided to end-users, customers and the public.”
Faizal M. Ali, CEO of BitMinions Consulting FZC, said there are three main influences on the rise of GRC, led by regional milestones such as Expo 2020 and FIFA 2022. Even SMEs involved in these projects are facing rigorous compliance tests.
“Compliance frameworks are always the key to measuring the momentum of change in the GRC space,” he said. “In my opinion, within the next two to three years, we will have a rather comprehensive suite of frameworks in the UAE across industries like healthcare, hospitality, finance and real estate.”
Ali said the rise of a new breed of entrepreneurs and the next generation taking over the helm of family-owned groups is another influence: well-educated professionals with a deep understanding of risk identification and management. “They are strategic thinkers who are comfortable with risk management and will report to their boards accordingly,” said Ali.
The third influence is the emergence of venture capital funds in the region – less conservative in their investments but equally reliant on risk management when it comes to spotting business opportunities.
“As these entities and professionals start moving into an operational state, they will all have very strong governance requirements,” said Ali. “These governance models will lead us to the next set of quality benchmarks and excellence.”
Ali is emphatic that building a GRC practice is not about developing plug-in software. It demands a holistic view and an understanding that GRC requirements will vary – not just between vertical markets but between different layers in every sector.
“To put this into a simpler context, the compliance requirements from Central Bank are very different for banks, exchanges and insurance companies,” he said. “While all three are in the financial sector it is imperative to understand that the requirements are completely different. What complicates things further is that not all companies use the same software or have it configured in the same way. In fact, the challenge is even greater when looking at the SME segment. Most SMEs that have been around for a few years do not have proper systems in place yet.”