Before even getting into technology and vendors it is necessary to understand what GRC is about. I argue that GRC is nothing new – we have been doing GRC long before we had an acronym, one that I first started using back in 2002. The truth is that organizations already have governance, risk management, and compliance (GRC) practices and processes in place. Your organization is doing GRC whether you call it GRC or not. These processes are most likely siloed and scattered across the organization. They may be formal or informal; they may be defined and written down or ad hoc. You will not find an executive who states that the organization lacks governance, does not manage risk, and could not care less about compliance. Whatever you may call it – the truth is that GRC exists in your organization.
So why all this fuss over GRC? There are better ways of doing things. The goal is to make GRC processes that already exist in the environment more effective at meeting obligations and managing risk, more efficient in use of financial and human resources, and more agile to the needs of a dynamic and distributed business environment.
Thus enters technology – GRC technology is used to bring greater effectiveness, efficiency, and agility to GRC processes across the organization. One goal is to move beyond documents and spreadsheets, which have their own issues (such as no audit trail and difficulty reporting). Another goal is to share information and provide a framework for collaboration across risk and compliance roles. Finally, a goal is to provide shared processes and technology.
I often hear the line of business screaming “ENOUGH.” This week it is a SOX assessment, next week an oprisk assessment, the week after that a business continuity assessment, and then five others. Several come in spreadsheets formatted differently, others in web survey tools, others in software applications. There are a dozen or more file shares or intranet sites claiming to have the corporate policies – where is the correct one? Why are they in different formats? Who is controlling this? Investigation, incident, and issue systems are scattered across several areas as well.
Organizations are waking up to the fact that GRC can be more effective, efficient, and agile. Thus enters technology to enable it. GRC technology today is very much like CRM (client relationship management) technology back in the 1980s, which is now a core part of business. Before we had CRM we still managed client relationships. The issue was that we had out-of-sync data and no one had the complete picture of the client. Sales had their view, marketing theirs, and service theirs. CRM systems came in to provide a holistic view of the client – one complete and accurate picture that all these roles, in their respective capacities, can access. The same is true for GRC technology – there are a variety of roles across the business doing aspects of risk and compliance that have very similar information and process needs, even though each maintains its own subject expertise.
I will state that there is no single vendor that does all of GRC from a technology perspective. There are over 400 vendors that do aspects of GRC. I model the market around 28 categories of GRC software (this will be released in a few weeks in the updated OCEG Solutions Guide for GRC). Several of these technology categories span needs across the enterprise, while others address needs within specific functions.
In my work in GRC market research, education/training, and advisory I get involved in over 200 interactions each year with organizations looking for GRC technology. Most, as many as 90%, are focused on specific issues, while about 10% are truly focused on enterprise GRC initiatives. However, even those focused on specific issues want to invest in technology that can address other issues and grow and expand into enterprise GRC over time.
Looking over the past two years of interactions with buyers of GRC software, the top five GRC vendors that I see most often in RFPs/RFIs are (in alphabetical order): BWise, MetricStream, OpenPages, RSA Archer, and Thomson Reuters Accelus. Of these, it is BWise and RSA Archer that most often come up in interactions.
This does not necessarily mean that these vendors are the best for you. There are aspects of the 28 categories of GRC that they do not cover. Every vendor has its strengths and weaknesses. Depending on organization size, industry, complexity, and needs, the vendor you want to engage will vary. In fact, several organizations I have interacted with have four or more GRC vendors in place doing different parts of GRC.
Other vendors that I frequently encounter include (in alphabetical order): ActiveRisk, Compliance 360, CMO Compliance, CURA, Easy2Comply, EthicsPoint, Lockpath, Mitratech, Oracle, QUMAS, SAI Global, SAP, SAS, and Wolters Kluwer.
Beyond this group are vendors such as Agiliance, AlineAlytics, AssurX, BPS Resolver, Chase Cooper, Continuity Logic, Global Compliance, MEGA, Methodware, Modulo, Policy Technologies, The Network, Pilgrim Software, Process Unity, and RSAM.
Here I have only touched on a few dozen of the 400 vendors in this space.
If this topic interests you, I would encourage you to consider my upcoming online training on the GRC technology market.
State of the GRC Market Q4-2011
Friday, October 14, 2011
Eastern Time 12:00 PM – 2:00 PM / Pacific Time 9:00 AM – 11:00 AM / GMT 4:00 PM – 6:00 PM
Today’s complex and competitive GRC market demands that you be at the top of your game. Corporate Integrity is the leading GRC market research and education firm.
This webinar is Corporate Integrity’s quarterly update on the State of the GRC Market. It is the summary of Corporate Integrity’s market intelligence, which spans several hundred interactions/conversations with GRC technology buyers each year. It is an excellent opportunity for organizations looking to buy technology to learn what is going on in the market. It is a necessary educational opportunity for technology providers to understand the GRC market and refine their strategies.
Attendees will be able to answer the following questions:
- Who are the leading (most active) GRC technology providers?
- Why are organizations buying GRC technology?
- What differentiates the GRC technology providers?
- How do you categorize and define the GRC technology market?
- What is the market size of the GRC technology market? Where will it grow?
- What are the leading risk and compliance drivers for buying GRC technology?
- What is the value that organizations have achieved by implementing GRC technology?
- Where is GRC technology headed?
- What are the different needs of GRC roles (e.g., audit, risk, compliance, IT, finance, legal)?
- Who are some of the up-and-comers in GRC technology that I should be watching, and why?