Some advice on second-generation GRC issues

"Once in a while, you can be better off getting hit with that bullet you thought you dodged." So says SymSoft CEO Dan Wilhelms. He's referring to the small-ish or pre-public companies that took their Sarbanes-Oxley compliance burdens seriously, instead of waiting for yet another Hail Mary reprieve.

No small company that moved aggressively down the path to compliance should feel that it made the wrong bet. Indeed, there are a lot of benefits to voluntary compliance; at a minimum it makes for a great story for shareholders. At the same time, it affords an opportunity to take your GRC program to a new plane, one that might yield benefits beyond the GRC basics.

Wilhelms has some advice for the small- and medium-sized companies out there that are in a position to really make good on their compliance investments to date. He suggests a second-generation GRC approach that: 

  • Minimizes risk via automation and better processes. A given.
  • Tightens up existing processes. Get rid of cowboys who are not bound by any rules.
  • Improves change management. Automatically document all changes for every process.
  • Helps drive innovation. Resources can be freed up.
  • Increases agility. That's the benefit of a small company, even in compliance.
  • Eliminates costly, repetitive tasks in some ERP-oriented landscapes. Provisioning of users is a good example.
  • Can be implemented in stages. Better to see this as a long-term effort.