I trust the New Year is off to a great start and your governance, risk management, and compliance (GRC) initiatives are fruitful. Myself, I have been quiet in communications this last month wrapping up 2013 projects, redoing much of the www.GRC2020.com website, and planning for 2014.
It is important to note that every organization does GRC. Every organization has some approach to governance, risk management, and compliance processes. These may be siloed or integrated, centralized or federated. They may be fly by the seat of your pants or defined and disciplined. GRC is not just technology; it is about people, strategy, process, information and technology. GRC maturity is measured by how this is integrated, aligned with the business, and provides business value. GRC is not only about a strategy that spans the enterprise – GRC happens in different departments and functions throughout the business. There are top down enterprise-wide GRC initiatives, but a lot of GRC happens in the trenches throughout the organization in disconnected departments.
As with any New Year initiative, it is good to be forward looking and see what the future holds for us in GRC. As a market research analyst I dust off my palantir (that is a crystal ball for the non-Tolkien enthusiasts) and tell you what is important for 2014 as we look ahead.
The future depends on the past and the events that drive us toward the trends that lie before us. The drivers pushing organizations to improve their GRC related processes are:
- Rapid pace of change. Business itself is changing rapidly (e.g., employees, partners, technology, processes, strategy). Risk environments are changing (e.g., geo-political, financial, environmental, competitive). Regulatory and legal requirements are changing. Trying to keep business, risk, and regulatory change in sync is not easy. The greatest challenge for GRC is to coordinate all of this change and ensure that the organization achieves its objectives while addressing uncertainty and acting with integrity (see blog: Tracking Change that Impacts Policy).
- Increased risk, regulation, and scrutiny. Not only are risk and regulatory change happening faster than organizations can keep up with; risk, regulations, and scrutiny of business governance and operations are also increasing. This results in an exponential GRC impact on organizations as we manage increasing new risk and new regulation in an environment where existing risk and existing regulation are also rapidly changing.
- Extended enterprise adds layers of complexity. It is one thing to manage all of the change bearing down on business in a contained environment. When you begin to think of the hundreds to thousands to tens-of-thousands of business relationships impacting the organization, you face GRC terror. Suppliers, vendors, outsourcers, service providers, contractors, agents, temporary workers, partners . . . they all impact your business (see blog: Growing Risk Exposure in Business Relationships). Your risk and regulatory issues are their risk and regulatory issues; however, you are the one left in the spotlight when things go wrong, fines are imposed, and your organization is on the front page of the news in a negative way.
- GRC addressed in silos. We talk a lot about Enterprise GRC. It is a great idea – how perfect the world would be if we had one single integrated view of GRC information and processes. Reality is different. Organizations have GRC processes and data scattered across the organization with several “GRC platforms” installed. It sort of makes you think of the ERP world. We talk about how wonderful business will be with one instance of ERP when in reality the organization has several. Right now 80% of the spending on GRC solutions happens at the department or issue level and less than 20% on top-down enterprise GRC strategies. Some of the 80% are moving toward the enterprise view but are still on the journey.
- Herding cats. There are those who have a vision for an enterprise approach to GRC and bringing everything together. Many times these roles are a voice crying in the wilderness. Worse, there are several with a vision, but internal political strife rises within the business over who controls enterprise GRC strategy. Needless to say, getting people on board and cooperating is a lot like herding cats (see my favorite cat herding video).
- Multiple GRC solutions in house. As stated, most organizations have many GRC solutions in house. Some are home grown, others are commercial software. Every week I am told how such and such a vendor is the GRC platform for some organization and I reflect back to last week when someone else told me they were for the same organization and the week before that . . .
- Documents, Emails & Spreadsheets. Oh My! Despite multiple solutions in house, much of the business is still struggling with manual and document centric approaches to aspects of GRC. Yes, some solutions have been purchased – but many areas of GRC are still encumbered by the inefficient and ineffective use of documents, spreadsheets, and emails (see blog: GRC Spreadsheets, Documents & Email, OH MY!). Not to mention that this approach is often not defensible in a growing legal landscape that requires auditable and defensible GRC.
- Policies are a cornerstone to successful GRC. There is growing awareness that policies are the cornerstone of a successful GRC initiative whether focused on a specific issue, department, or enterprise. Policies need to be properly written, communicated, and maintained. They address risk, define how to comply with obligations, and establish culture (at least properly written, managed, and enforced policies). Policies are essential to successful GRC.
- GRC to the scale of ERP cost and complexity. Every week I am hearing the weeping from organizations as they tell me tales of GRC initiatives that are burying them. Monstrous and costly initiatives that are over budget and past deadlines. I taught a workshop in 2013 in which I had to rein attendees in three times throughout the day as they wanted a GRC psychiatrist to listen to their PTSD stories of GRC implementation. Ironically, the GRC solution providers are not the only culprits for selling complex and cumbersome GRC initiatives; large consulting firms that love the services revenue from these projects also drive it. I had one client I helped with an RFP (who chose a solution against my recommendation) tell me it took them two years to roll out and was significantly over budget . . . they now wished they had listened to me.
- Unintuitive and difficult to use GRC solutions. I am regularly told about frustrations with the ease of use of GRC solutions. Many of the leading GRC solutions are very complex, lack intuitiveness and ease of use, and have dated interfaces. Interestingly, when you talk to some vendor references you hear glowing reports. However, these references tend to be the decision makers who are thrilled to be paraded at conferences, given press, and like to bask in the light of their ever so wise decision of a GRC solution. Instead, if you talk to the users of the platform in the same organization, you often get a completely different point of view.
- Major analyst firms offer poor GRC advice. The GRC market is a macro-market with a lot of segments. It includes categories like risk management, audit management, compliance management, policy management, security, health and safety, and more. You cannot collapse this market into a two-dimensional graphic that gives a perception of leaders and losers. There are 500+ solution providers GRC 20/20 tracks in the market and the major analyst reports only cover 10 to 20. The last Forrester GRC Wave I wrote in 2007, before going independent, had four different Wave graphics, as the market was complex even then. Forrester is in retreat. Subsequent Waves went to one graphic. Now they are collapsing two separate Waves (IT GRC and Enterprise GRC) into a single Wave graphic. This does not make sense and organizations are frustrated. I had one large organization tell me that they do not think Gartner could spell FCPA, as they had no clue and kept throwing broad GRC platforms at them with no context of how they addressed anti-bribery and corruption (see blog: Gartner GRC Magic Quadrant Rant, Part 3).
Before I get to the GRC trends that spring from these GRC drivers, I want to address the GRC naysayers. I use the term GRC broadly to bucket a range of terms and approaches to risks and regulations. GRC includes ERM, and some would define ERM the way I would define GRC. So the issues listed above are not the result of, or caused by, GRC. I can do a find and replace of GRC with ERM and we have the same truth. These are acronyms that cover a wide range of processes, information, and approaches. The pain expressed above is the growing pains of maturity in GRC, ERM, and many other acronyms and terms we use. It is the result of misguidance from major analyst firms and of organizations taking on more than they can accomplish.
The answer to the pain that is burdening organizations in the GRC drivers above lies in the trends that are happening in the GRC market and that will be reflected in GRC 20/20’s research throughout 2014. These trends are:
- GRC by Design. Organizations are realizing they cannot buy GRC. You cannot go to a vendor and buy a platform and get GRC and bring it home to the office. Successful GRC is an architecture (see blog: The Rise of GRC Architecture in GRC 3.0). It requires design and planning. It requires structure. There will not be one GRC platform that solves all your problems. There can, and often should, be a core GRC platform that is the backbone of GRC integration, processes, and reporting. However, there are solutions that are built for very specific purposes of IT security/GRC, health & safety, quality, matter management, and more. All these are in the GRC space – but one platform does not do all these categories well. Mature GRC requires a strategy that applies architecture design to GRC processes (aligned and integrated with business processes), information, and technology. This is GRC by Design.
- Over the course of 2014, GRC 20/20 will be working on a series of research on GRC by Design supported by research on Audit by Design, Compliance by Design, Risk by Design, and more.
- The GRC 3.0 Marketecture is a representation of the GRC market across a range of categories. There are over 500 solutions in the GRC market that GRC 20/20 maps into the GRC 3.0 Marketecture (e.g., there are 81 policy & training management solutions, 75 3rd party management solutions). This is coming together in the GRC Directory being launched in February on the www.GRC2020.com website.
- Measuring GRC Maturity & Building a Business Case. The first decade of GRC solutions and strategy is past and we are in the maturing phase. Organizations are looking to compare themselves and demonstrate maturity against peers. They are looking at how to articulate the value of GRC and build a business case for improvement.
- GRC 20/20 is supporting this trend through our GRC Benchmark projects, which include a GRC Benchmark for enterprise GRC as well as focused benchmarks on policy, risk, audit, and compliance.
- Further, our 2014 research will have a series of pieces on GRC Archetypes that define the different approaches organizations can take, how maturity is measured and value articulated, and building a business case for improvement.
- GRC Intelligence & Analytics. Managing the amount of change impacting organizations requires intelligence. This is more than raw data; it is the integration (and not necessarily consolidation) of information to bring knowledge and insight. Much of this intelligence is in information sources feeding information on regulatory change, geo-political risk, environmental factors, financial risks, world developments, 3rd party screening and due diligence. The organization needs to integrate a changing business with changing risk and regulatory environments. This requires that organizations rethink GRC data and have the ability to integrate multiple sources of data for analysis and reporting. It also requires us to rethink how we address Big GRC Data. Monolithic and expensive GRC data warehouses are not necessarily the answer, nor are they needed. It is a matter of connecting the right information sources where they are – harvesting what is needed – and bringing this information together into actionable GRC intelligence.
- GRC 20/20 is supporting this trend with a variety of research and projects focused on GRC information and data architecture and reporting.
- Getting a Handle on the Extended Enterprise. This is the fastest growing segment of the GRC market (it currently has 76 solutions that GRC 20/20 tracks to size, segment, and forecast this market). Organizations are struggling with issues like conflict mineral compliance (see blog: Where does conflict minerals fit into your broader 3rd party GRC strategy?), social accountability, privacy, security, code of conduct, ethics, environmental responsibility, health and safety, quality, and more. They are looking for integrated solutions that help them manage risk and compliance across their 3rd party relationships (see blog: 3rd Party GRC: Business Agility in a Dynamic and Distributed Environment).
- GRC 20/20 will be releasing our Market Landscape and Buyers Guide for 3rd Party Management solutions shortly as soon as infrastructure work on the www.GRC2020.com website is complete.
- GRC 20/20 is also managing the design and layout of the OCEG GRC Illustrated series on 3rd Party Management. The first illustration is complete and published and work has begun on the 2nd. This will come together in an eBook later this year.
- Getting Your Policy House in Order. The busiest segment of the GRC space for GRC 20/20 has been policy management. Throughout 2013 GRC 20/20 has been actively involved in many RFPs and GRC buyer inquiries looking for policy management solutions. The trend is toward enterprise policy management. There is growing demand for platforms to manage policies across the enterprise. 2014 is showing a whole new range of RFPs just starting to open up in enterprise policy management (as noted above, there are 81 solutions in this space). Organizations are being held under greater regulatory scrutiny for how they manage and communicate policies and find that their current approaches do not provide a defensible position when under legal and regulatory scrutiny. Organizations are also looking for guidance on how to build a business case and articulate value of policy management.
- GRC 20/20 has a lot of published research in this space and will be updating much of it in 2014. We have a policy management business justification and value tool we use with organizations to articulate the value of an enterprise policy management strategy, and a policy management benchmark to tell them how they compare to their peers in maturity.
- The Year of the GRC David/Underdog. There are lots of solutions in the GRC market. Some are focused on very specific issues (e.g., FCPA, conflict minerals, PCI), others on departments/roles (e.g., IT, audit, compliance, risk), and some are solutions that span a range of departments and address a variety of issues. Many, in fact the majority, cannot be found in major analyst reports. With growing frustration with large complex GRC projects that under deliver, are over budget, and have missed deadlines, organizations are becoming more interested in the new breed of GRC solutions. There are some great solutions that offer very elegant and intuitive user interfaces that are easy to deploy and use (see blog: Employee Engagement in the Context of GRC: Bringing GRC to the Coal-Face).
- GRC 20/20 is covering the range of solutions in the GRC market from the established major players that have been racking up market share and brand recognition for years to the nimble start-ups that offer a fresh perspective on GRC technology and ease of use.
- Growth in GRC Software as a Service. Related to the previous point, GRC 20/20 is seeing a massive and growing interest in Software as a Service (SaaS or cloud) for GRC. Yes, we still have security naysayers that seem to want to shut down the cloud. The reality is that some of the most sensitive business information is in the SaaS cloud. Most board portal solutions managing board papers, calendars, and board voting are cloud-based. GRC 20/20 is seeing significant growth in cloud-based solutions for legal matter management and many other sensitive areas of GRC.
- GRC 20/20 is committed to publishing research in 2014 focusing on cloud adoption for GRC solutions.
There you have it – a synopsis (though a lengthy one) of the drivers and trends impacting GRC in 2014. More detail will be given in next week’s Q1 State of the GRC Market Research Briefing. GRC 20/20 is also working on publishing a range of Buyers Guides for categories of GRC solutions as well as Market Landscapes of GRC solutions. These will cover GRC solution categories of policy, 3rd party, compliance, audit, and risk management to begin with and expand into other categories of GRC solutions over time. These will be supported by research on value and business case justification and a variety of case studies.
Bottom Line: GRC 20/20 is focused on providing you the deepest and broadest insight into the GRC solution market covering a range of solutions, buying criteria, market growth dynamics, projections, and business/value justification throughout 2014.