Seven Ways SMEs Can Benefit From GRC Solutions 

Download Article Article in Digital Form

When the US Sarbanes-Oxley Act was first enacted in 2002 in the wake of several very visible accounting scandals, small to medium enterprises (SMEs) may have felt they dodged a very expensive bullet. The requirement to document processes for governance, risk management and compliance (GRC), and have them confirmed by outside auditors, applied only to publicly traded companies. Unlike their publicly traded brethren, SMEs were not forced to purchase costly GRC software, did not have to redirect resources from their normal daily tasks to prepare for audits and did not have to change their methods of operation to comply with a government mandate.

Yet a funny thing happened in large enterprises as a result of that “bullet.” While at first they did it just to check off the “compliance” box on their list of tasks, in time they found that they were operating more efficiently, lowering their costs, driving innovation and becoming more agile. The focus in GRC shifted from the “C” to the “G” and the “R.” And as SMEs stood on the sidelines and watched, suddenly the idea of following a GRC regimen started looking more attractive.

What was not attractive was the price tag for those first-generation GRC solutions. Now, with the introduction of second-generation GRC solutions, the price has come down significantly. In fact, some second-generation GRC solutions are one-third the cost (or less) of the first-generation products.

Still, SMEs are not required to demonstrate compliance to outside auditors or to the government. So how does an organization decide whether the benefits of implementing a second-generation GRC solution outweigh the cost? Here are some things to consider:

  1. Minimizes risk. Every business, no matter what the size, has risks. Anytime human beings perform manual processes, there is a risk of something being done wrong—either accidentally or on purpose. In a privately held company, those discrepancies are potentially more devastating than they are in a public company. They are also much more personal. A second-generation GRC solution mitigates that risk by automating and regulating business processes. It can assure that all work is performed properly by refusing to allow completion of the process if the prescribed procedure is not followed.
  2. Tightens up business processes. When a business first starts out, all the rules and business processes are generally laid out and closely followed by everyone who works there. Over time, however, as the business expands, the processes tend to expand along with it. Different people have different ways of working and will tend to do things in the way they are most comfortable—even if it conflicts with the organization’s best practices. Second-generation GRC solutions help rein in the “cowboy” approach by tightening up business processes, and then making compliance a part of the process instead of a separate operation. At the same time, if there are improvements that need to be made, they can be easily implemented across the entire organization rather than affecting only the originator(s). Ultimately, they create a culture of controls, ensuring that work is completed by following the proper, repeatable processes rather than through individual acts of heroism.
  3. Improves change management. Anytime there is a change, it is important to document it to be able to trace back through any later problems. Yet, documentation is often the bane of an organization—something people know they should do but often put off in the interest of more urgent matters. Second-generation GRC solutions automatically create the documentation for any changes, assuring that there is always a current and accurate record of every process from inception on. They also allows SMEs to make more changes within a given time frame, helping them react more quickly to market pressures and opportunities.
  4. Helps drive innovation. There are only so many hours in the day, and so much work each person in the organization can do. If that time is spent performing manual tasks (such as documenting changes), it is not available for more high-value work. By automating tedious but necessary manual processes, second-generation GRC solutions free up those resources, allowing more time to drive innovation and to help the organization gain a competitive advantage.
  5. Increases agility. One of the theoretical advantages an SME holds over a large enterprise is agility. Smaller companies are expected to be able to react more quickly to problems as well as sudden opportunities in the market. But, if they are bound by outdated or slow business processes, that advantage is often lost. Second-generation GRC solutions help SMEs regain and even increase their agility, making them more competitive even in the face of factors they cannot control (such as the economy).
  6. Eliminates costly, repetitive tasks in the enterprise resource planning (ERP) landscape. By their nature, ERP systems have many repetitive tasks. An example could be something as simple as provisioning new users into the system. This is normally a manual task that takes time away from more important work. Yet, it is also the foundation for everything else that user will do in an ERP system, so it is important that it be done quickly and accurately. Second-generation GRC solutions can automate the process of enrolling users, with the appropriate controls and audit trail to assure everything is spot-on. As a result, ERP administrators spend less time on repetitive manual tasks, which frees them to do more high-value work.
  7. Can be implemented in stages. Unlike the mandatory efforts for publicly traded companies that resulted from Sarbanes-Oxley, use of second-generation GRC solutions in SMEs is completely voluntary. As a result, they can be implemented in stages, allowing the cost savings from stage one to help fund the second stage, and so on. This option makes gaining all the other benefits much more palatable and realistic for budget-conscious organizations.

Compliance may not be required for SMEs, but sound business practices, tight controls and agility are—especially in the current economy. Second-generation GRC solutions give SMEs the tools they need to act like the “big boys”—and reap all the attendant benefits. They also make SMEs more attractive business partners for enterprises that are required to demonstrate compliance. When all the factors are considered, it is apparent that GRC is not the bullet that SMEs thought they dodged, but a powerful weapon to increase competitive advantage. And, now is the time to seize the opportunity.

Editor’s Note

Collaborate with ISACA members and access additional resources on this topic in the ISACA Knowledge Center located at

Dan Wilhelms
is president and chief executive officer (CEO) of SymSoft Corp., the makers of ControlPanelGRC, professional solutions for compliance automation ( He can be reached at

Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.