GRC 1.0 – it was a good start.
When I originally defined the GRC market, unlike other analysts, I had a holistic view of business processes in mind that needed to participate in a GRC vision and strategy. The goal was to make sure that GRC was not limited to SOX/finance or IT. GRC needed to embrace a range of roles and business processes and could not be hijacked (which it often has been) by specific roles. Thus, I defined the GRC Software Platform as one that could manage policies & procedures, risk & control assessments, loss & investigations, and analytics & reporting across the enterprise.
This was a good start and I have interacted with 114 software vendors that tell me they can do this across GRC roles (NOTE: this is a fabrication or at best a far stretch of the truth for most of them). In the meantime, I was compiling what appeared to be an endless list of 500+ software vendors offering GRC-related solutions. Further, I started working with consulting/professional service firms offering a range of professional services across roles and another growing list of 200+ firms. Finally, I became more aware of the dozens of information/content providers that provided GRC-related content and information to the various roles of GRC.
GRC 2.0 – The GRC.EcoSystem expands on the original vision.
Obviously, the definition and market of GRC needs an overhaul. And that is what I present to you today in draft form – GRC 2.0 – the GRC.EcoSystem.
The GRC.EcoSystem falls into three primary categories; each with myriad branches and interrelationship beneath them:
- GRC Technology Providers. The GRC.EcoSystem moves beyond the four areas I originally defined as GRC (Policy & Procedure Management, Risk & Control Management, Loss & Investigation Management, and GRC Analytics & Reporting). It now provides an architecture that can more relevantly map the 500+ technology providers.
- GRC Professional Service Firms. Next, the GRC.EcoSystem provides a framework for modeling the market for the range of consulting and professional services. This includes 200+ professional service firms from the Big 4, mid-tier audit firms, management consulting, systems integrators, outsourcers, and law firms.
- GRC Content Providers. Finally, the GRC.EcoSystem defines a model for mapping the dozens of firms aimed at consolidating and providing risk and compliance information to organizations.
The goal of the GRC.EcoSystem is to provide a map of the market to GRC professional roles (e.g., corporate secretary, legal, ethics, compliance, risk, security, audit, finance, IT, quality, health & safety, environmental, fraud . . . you get the picture). This map helps these roles understand how they integrate into the holistic view of business GRC issues as well as provides a resource for them to identify the right professional service firms, content providers, and technology providers with which to work.
Next, I would like to mention that my work on the GRC.EcoSystem is integrated with my work with the Open Compliance and Ethics Group. The GRC technology provider section is being leveraged as the foundation for what we are building together at OCEG as the GRC IT Blueprint. For those interested in OCEG’s work in this space, I would encourage you to contact OCEG to see how you can contribute to this work. Yes, I am working closely with the same individual who used to be my arch-rival and nemesis at Gartner when I was at Forrester.
As for my direction – I aim to take the structure of the GRC.EcoSystem when finalized and map, at a minimum, 500+ technology providers with over 1000+ products, 200+ professional service firms, and 50+ content providers into the GRC.EcoSystem. It will then be my tool to size and model the market, provide direction to buyers, and build an online directory of GRC to those looking for firms to engage.
Today, I am revealing the following document drafts to get your feedback on the organization and structure of the GRC.EcoSystem so I can incorporate it into a final (but ever evolving) market landscape.
- GRC.Ecosystem Map. This link provides the overall visual map in tabloid format. Those interested can purchase a large color printed format from me.
- GRC.EcoSystem Outline. This link provides the map in a text outline form that can be used alongside the map.
I would encourage you to review and provide feedback back to me on how it can be improved. You may post a comment on this blog, or reply directly back to me at firstname.lastname@example.org.
It has been a rewarding time working with many of you – and I look forward to many more years of interactions with my new endeavor!