There certainly is a lot of activity in the GRC – governance, risk, and compliance – software market. This is due to companies coming out of the budget freezes imposed on them in October as a result of the plunging economy. Buyer interest and actual buying have also started to recover as organizations begin to position themselves to manage risk and gear up for forthcoming regulations.
In general, risk management spending is currently getting more activity than compliance. The reason is that risk is something companies aim to get a handle on in reaction to the current environment, while compliance spending is on hold as a significant government overhaul of regulations is expected in the coming months. Corporate Integrity sees compliance spending increasing significantly in the second half of 2009 as organizations react to new regulations and requirements.
The current market is also seeing significant focus on merger and acquisition strategies in the GRC technology space. After several questions and a few vendor engagements, Corporate Integrity has put effort into further understanding the market size of the GRC market.
From an addressable market size – the market size if every company were buying solutions in the GRC space – the GRC market is approaching $30 billion. This figure is derived by calculating the average deal size in the core GRC market segments (e.g., policy & procedure management, control & audit management, risk management, loss & investigations management, continuous control monitoring) and multiplying it by the number of large organizations around the world. However, this figure does not include the addressable market size for many segments of the GRC market such as quality, EH&S, hotline/whistleblower, matter management, board management, etc. Nor does it include large and independent GRC-related markets such as security (which by itself is much bigger than $30 billion).
Thirty billion dollars is a large market – but the key to understanding this is that this is the addressable market size. The actual GRC software market size (the amount currently being spent on specific GRC technologies) is approaching $2 billion for enterprise GRC solutions. If you account for all of the niches of GRC software spending the software market may be as big as $6 billion.
Let’s do the math – $30 billion minus $2 to 6 billion equals an unaddressed market of $24 to 28 billion. That is a lot of money not being spent and opportunity for growth. The natural questions are:
- Why such a gap between addressable and actual market size?
- What are companies doing if they are not buying software?
The gap comes down to two things. The first is that not everyone (globally) has come under pressure to buy at this point. There have certainly been hotspots such as SOX, but in general, and on a global scale, there has not been specific demand for organizations to invest in this space. That is changing as more organizations adapt to a dynamic risk environment and prepare for increasing regulatory oversight.
The second reason for the gap dovetails into the second question – what are companies doing if they are not buying software? The two go hand in hand. Most organizations are complacent in their risk and compliance software spending because they have already invested in the largest non-GRC software to address risk and compliance processes.
Who is the largest software provider to the GRC space?
None other than Microsoft. You ask any vendor in this space who their largest competitor is and they will tell you it is Microsoft Excel, SharePoint, and Word – as well as other technologies such as using email for workflow. Organizations continue to kludge through poorly defined risk and compliance processes by using band-aids of desktop applications instead of a platform built for specific risk and compliance purposes. This does not mean that Microsoft has $28 billion in GRC revenues – certainly not. It is just that their solutions have kept many organizations complacent about further spending in this market.
This is a significant concern to me – and one that needs to be addressed. Governance, risk, and compliance information and processes house some of the most sensitive and critical information of an organization. Any organization relying on desktop applications as their risk and compliance backbone should consider . . .
- Non-repudiation. How do you know that the person who answered the questions in Excel or Word was the person it was supposed to be? How do you verify for accountability that the questions and surveys are going to the right people? This is critical as you need to identify accountability – who answered a survey, who read a policy, who was trained.
- Audit & integrity. How do you know that the questions, responses, and/or information are the exact original information/answers and were not entered or modified at a later time to cover a trail, or to turn attention away from a specific area? Is there a detailed audit trail of who accessed what and what modifications and changes were made to the file(s)? This is critical, as the organization needs to demonstrate integrity in risk and compliance information – that information was not changed in an unauthorized or unaccounted-for manner.
- Data overload. How many files are you managing? Can you adequately integrate, digest, and report on the volume of individual files from desktop applications that come back to your desk (e.g., Corporate Integrity has seen some organizations struggle with as many as 40,000 spreadsheets for a single risk and compliance purpose). This is critical, as organizations need to be able to demonstrate they are on top of compliance and not just going through the motions.
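The non-repudiation and audit & integrity concerns above, illustrated with an added example that is not part of the original post: a minimal tamper-evident response log (hypothetical, in Python) in which every survey answer is attributed to a user, timestamped, and chained to the previous entry under a keyed hash, so a later edit to any answer is detected, which a cell edit in a spreadsheet is not. The key, user names, and survey values are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; a real platform keeps it in a key store the
# respondents cannot read, which is exactly what a shared .xls lacks.
AUDIT_KEY = b"constructed-demo-key-do-not-reuse"


def _mac(body: dict) -> str:
    """Keyed hash over a canonical JSON encoding of one log entry."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


class ResponseLog:
    """Append-only, hash-chained record of who answered what and when."""

    def __init__(self):
        self.entries = []

    def record(self, user: str, item: str, answer: str, ts: str = None) -> str:
        # Each entry carries the MAC of its predecessor, so reordering or
        # rewriting history breaks the chain; "genesis" anchors the first.
        prev = self.entries[-1]["mac"] if self.entries else "genesis"
        body = {"user": user, "item": item, "answer": answer,
                "ts": ts or datetime.now(timezone.utc).isoformat(),
                "prev": prev}
        body["mac"] = _mac({k: v for k, v in body.items() if k != "mac"})
        self.entries.append(body)
        return body["mac"]

    def head(self) -> str:
        """Latest MAC; store it separately so truncation is also detectable."""
        return self.entries[-1]["mac"] if self.entries else "genesis"

    def verify(self, expected_head: str = None) -> tuple:
        """Return (True, n) if all n entries are intact, else (False, index)."""
        prev = "genesis"
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if body["prev"] != prev or not hmac.compare_digest(_mac(body), e["mac"]):
                return (False, i)
            prev = e["mac"]
        if expected_head is not None and prev != expected_head:
            return (False, len(self.entries))  # entries dropped from the end
        return (True, len(self.entries))
```

The chain alone does not detect removal of the most recent entries, which is why `head()` is meant to be stored outside the log (for example with the reviewer's sign-off) and passed back to `verify()`.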
Spreadsheets, word processor documents, homegrown databases – they all may play a supporting role in risk and compliance processes, but they should not be the backbone of them. As organizations wake up to this and further address GRC through technology built to provide sustainability, accountability, efficiency, and transparency, the actual market size will grow over the next few years to fill the addressable market size.