Dodd-Frank and the GRC imperative

You could argue that the birth of the GRC industry occurred when Sarbanes-Oxley (Sarbox news) was passed back in 2002. Does the passage of Dodd-Frank mean anything at all for GRC?

There are several ways to spin it. You could say that the necessity of Dodd-Frank--a reflection of the financial crisis--revealed the shortcomings of GRC programs at financial and other firms caught in the swirl. But that may be asking too much of any GRC program as currently conceived.

Can any such program actually prevent a financial crisis at various banks? Truth be told, risk management at the portfolio level was never really envisioned in the early GRC implementations. But this all begs a question: Now that Dodd-Frank is upon us, are current GRC frameworks adequate as a way to comply with the many mandates of the new law? According to Financier Worldwide, the Dodd-Frank Act is expected to continue the interest in investment in systems and processes related to governance, risk and compliance.

The real action for banks, anyway, will focus on R, that is, risk management. The type of risk contemplated by GRC originally was IT and financial reporting risks. Portfolio risk is a whole new animal, though it will be interesting to see if any real integration work bubbles forth. Companies would be well served by integrating their portfolio and other business GRC activities with their IT GRC activities.

For more:
- here's an interesting look

Related Articles:
Identity crisis for GRC industry?
GRC software to go green?
Thirteen steps to merging compliance frameworks
A new call to break down risk management silos