CA Community







GRC: The Agile Market

Published: February 03 2010, 11:38 AM
by Sumner Blount

A recent blog post (http://bit.ly/bVd2i1) from Forrester Research made some very useful points, in my opinion. The focus of the article was on flexibility, in two key respects. First, flexibility is a key requirement of any GRC program, primarily because the demands for risk and compliance are so fluid right now. There are clearly more regulations coming, but we don't know the exact extent of them, or how prescriptive they will be. Some, like Barney Frank, are arguing for more regulations to prevent disasters similar to what we have seen in the financial services market over the past two years. And I doubt if anyone would disagree that the impacts were severe, and were (at least for a while) potentially catastrophic.

Others, notably financial service firms, are arguing that "excessive" (in the eyes of the beholder, obviously) regulation will stifle growth (read: profits and bonuses) of these financial firms, and is therefore bad for the economy overall. [As a lengthy aside, I was intrigued by the comment from the Deutsche Bank CEO who said "we should stop the blame game and start looking forward." Have you ever noticed that anytime a public figure is faced with their mistakes, they always want to "avoid the blame game"? I remember during the Katrina disaster, the Bush Administration argued strongly that we all should "avoid the blame game." Sometimes I feel that a little blame would be a good thing!]

The point here is that we don't really know what's coming in the regulatory world. As a result, GRC programs need to be designed in such a way that they can accommodate whatever comes down the pike.

The other area of flexibility that's relevant here is in the GRC market itself, in the sense that the market is evolving as we speak.  Over the past few years, compliance has generally been the primary driver for many GRC adoptions.  More recently, risk management has become a more prominent driver for many companies.  Similarly, we are starting to see the evolution of the GRC market to include more integration with CCM (continuous controls monitoring) solutions.  Many analysts argue that the distinction between these two markets will disappear over the next couple of years.  We at CA have been aggressively working in this area, having partnered with some key CCM vendors, as well as aggressively integrating our GRC Manager product with our broad security management product suite.  I think this is an obvious evolution, and one that will help reduce the "mini silos" of GRC and CCM across the industry.

In summary, "flexibility" is not only a key requirement for the success of a GRC program, but it's also an apt description of the ongoing evolution of the GRC market itself.


 

By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...
