State of the GRC Market, Q1-2012
2012: The Chinese Year of the Dragon to Mayan Doomsday prophesies – this year certainly proves to be interesting (note: I myself do not hold to these views; feel free if it interests you to ask me my view on providence and the end of the world).
One thing is for sure: it is the year of GRC. I have never personally been involved in so many GRC strategic plans, training, and RFPs. There certainly is more activity in the GRC market right now than at any other point in its ten year history.
Which brings us to an important point – HAPPY 10TH BIRTHDAY GRC!
Yes, the GRC market is now ten years old. It was back in 2002 as an analyst at GiGa Information Group (soon to be acquired at the time by Forrester Research, Inc.) that I was the first to model a market for professional services, software, and content and label it GRC (Governance, Risk Management, and Compliance). This was right before Sarbanes Oxley (SOX) became law. That was providence: all that hard work in defining and scoping a market which may have fizzled and dwindled if it was not for a major law from the U.S. Congress. While my original vision of the GRC market was well beyond what was defined with SOX it is fair to say that SOX established and advanced the GRC market for several years, and continues to do so today. Today GRC strategies and spending encompasses the breadth of enterprise and operational risk management, corporate compliance, audit, IT security, financial controls, corporate social responsibility, legal and other areas across the business.
There are over 400 vendors that I categorize into the GRC market. The market has evolved to embrace many niches. The analyst firms today do a disservice to the GRC market with a report that plots a handful of vendors against each other. The GRC market today is more akin to the breadth of the IT security market. Within the IT security market you have sub-markets for anti-virus, perimeter security, vulnerability scanners, intrusion detection/preventions systems . . . and more. The GRC market is at the point it cannot fit into one graphic to plot vendors against each other. It is a whole market with several sub-markets – while some vendors offer solutions that embrace many components of it there is no vendor that covers all of the GRC market.
The needs of the GRC market are varied by industry, role, as well as size of the organization. Some are looking for solutions strong in elements of compliance while others in risk or audit. Many GRC strategies start in what is referred to as IT GRC (I prefer IT Risk and Compliance) and expand to other areas. There are many perspectives and starting points.
The market has matured to the point that industry heavyweights such as IBM, Oracle, SAP, and SAS providing stability, solutions, and thought leadership. This is supported by a legion of small to mid-sized vendors solving GRC problems from the narrow and focused to the enterprise GRC strategy. In the first month of 2012 we have already seen the beginning of what will be several merger & acquisitions in the GRC market – the acquisition of Compliance 360 by SAI Global. This acquisition provides one of the most complete GRC offerings targeted at corporate compliance and ethics professionals.
GRC technology itself is evolving and changing. After going through dozens of nominations I have now selected 10 vendors to receive Corporate Integrity’s 2012 GRC Technology Innovation Awards. These will be announced next week.
A particularly important GRC development is the release of the OCEG GRC Capability Model version 2.1. This is a significant achievement as it evolves the GRC Capability Model to take a broader understanding of risk and performance with several other enhancements. For those that are looking for an integrated capability and process framework for GRC the OCEG model is the ONLY publicly vetted and open standard for GRC. There are many excellent standards focused on niches of risk, compliance, and audit – but the OCEG GRC Capability Model is the only one that provides the integration and harmonization of these other frameworks and standards. The OCEG GRC Capability Model is the GRC Rosetta Stone for organizations.
Tied to the GRC Capability Model is the release of the OCEG GRC Technology Solutions Guide 2.1. As the chair of the OCEG Technology Council it is rewarding to see this work moved forward as a framework to define and model GRC technology areas. It incorporates my thoughts with those of several other GRC pundits and thought leaders on the Technology Council. The OCEG GRC Technology Solution categories, listed below, are how I define, frame, model, and size the market (note: the only change I would make is the addition of a 29th category for identity and access management). The categories of the OCEG Guide and the framework are:
- Audit and Assurance Management
- Board and Entity Management
- Brand and Reputation Management
- Business Continuity Management
- Compliance Management
- Contract Management
- Control Activity, Monitoring, and Assurance
- Corporate Social Responsibility
- Discovery/eDiscovery Management
- Environmental Monitoring and Reporting
- Environmental, Health, and Safety
- Finance/Treasury Risk Management –
- Fraud & Corruption Detection, Prevention & Management
- Global Trade Compliance/International Dealings
- Hotline/Helpline
- Information/IT Risk & Security
- Insurance and Claims Management
- Intellectual Property Management
- Issue and Investigations Management
- Matter Management
- Physical Security & Loss Management
- Policy Management, Communication, & Training
- Privacy Management
- Quality Management and Monitoring
- Reporting and Disclosure
- Risk Management (Enterprise & Operational)
- Strategy, Performance, and Business Intelligence
- Third Party/Vendor Risk & Compliance
OCEG will be rolling out the GRC Directory in a few months to index GRC solutions around this model for those looking for solutions.
A few further items of note:
- For more detail on the State of the GRC Market, Q1-2012 I will be hosting my quarterly online market training seminar on February 15, 2012.
- The first OCEG Technology Council call will be on February 16, 2012 for those that are members of the OCEG Technology Council.
- Within OCEG I will also be chairing a new Council – the OCEG Policy Management Council aimed to develop a defined policy lifecycle management process with su
pporting sample templates, policies, and style guide. This also is for OCEG Enterprise, Technology Council, and Leadership members.
I would love to hear your thoughts, interpretations, and experiences with the GRC software market. Please comment below!