All organizations do GRC (governance, risk management, and compliance). It does not matter if the organization uses the acronym or not, every organization has some approach to the elements of governance, risk management and compliance whether it is non-integrated and siloed across scattered areas of the organization or a federated GRC strategy that links GRC activities into a strategy, process, information, or technology architecture. GRC by definition (OCEG) is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”
GRC maturity is highly dependent on technology. To be clear, you cannot buy GRC — GRC is something you do, not purchase. You can buy GRC technology that assist in managing GRC related processes, analytics, reporting, and more. Every organization uses technology for GRC; pens and paper are a form of technology, so is email, spreadsheets, and documents. The correct selection and use of GRC technology is one aspect in maturing the organization’s approach to GRC. In fact, GRC maturity cannot be achieved without improving your information and technology architecture for GRC. However, I cringe when organizations tell me they just bought GRC and now need to figure out what to do. Strategy and process comes before technology.
The coverage of GRC technology by other analysts is frustrating. For full disclosure, I am a research analyst. I research and monitor GRC best practices, benchmark organizations, and define/model the market for GRC solutions, content, and services. I review solution provider offerings, assist organizations in selection and write/manage RFPs. While an independent research analyst for the past seven years, I previously spent seven years at Forrester Research where I was the first analyst to define and model the market for GRC solutions and services and label it GRC (February 2002). I wrote the first two Forrester GRC Waves comparing solutions. Since leaving Forrester I have spent the last seven years bewildered by the way my analyst competitors cover the market for GRC technology. I respect that in some cases they are handicapped by internal research boundaries of other analysts. However, the coverage of the GRC market by other analysts firms is confusing and damaging.
Before I critique my competitors, let me state my position. GRC, approached correctly, involves a strategy, process, information, and technology architecture. The GRC market is comprised of a wide range of solution categories. Some of these are represented in a GRC platform that tries to accomplish several areas of GRC in one neat little package. Caution though, the idea of a single ‘GRC Platform’ to meet all your needs has challenges. There is no one-stop show for GRC. There can be a core backbone for GRC, but GRC often requires integration of a range information and technology. Some of today’s complex governance, risk, and regulatory reporting requirements are only done through significant integration and analytics of data across the business. Organizations are best served to approach GRC as an architecture and throw away this idea of a single platform that promises to do everything. I still reference GRC platforms as there can be a backbone that brings things together. Organizations are best served through a federated architecture that allows for best of breed GRC solutions where they make sense and does not force the organization into the lowest common denominator through one platform that tries to be all things to all needs. I will be discussing my representation of the GRC market in next week’s 2014-Q2 State of the GRC Market Research Briefing.
Now that you understand my position, let’s review how GRC 20/20’s competitors approach the GRC market from the perspectives of Gartner, Forrester, Chartis, and Market to Markets:
Gartner
Gartner is the largest market research firm covering a wide range of technology and services. Their GRC research I have ranted on in the past:
In these posts I have critiqued Gartner’s GRC Magic Quadrant stating it is not transparent and does not represent the real world of GRC buying as 80% is focused on specific areas of GRC and less than 20% on enterprise GRC platforms. Gartner has responded to my critiques and changed course (though they would never confess). In a blog entry, French Caldwell announced their new approach: A Revolution in GRC Affairs at Gartner (or burning the EGRC mq). To me it reads that French is saying ‘GRC is dead, long live GRC.’ In this post Gartner recognizes what I have been preaching form may analyst pulpit for seven years that the GRC market is a broad market with solutions that do different things.
Gartner has responded by breaking up the Magic Quadrant and analyzing solutions on use cases. This analysis is just starting and covers the aspects of:
- Use case 1: IT Risk Management (ITRM).
- Use case 2: Operational risk management (ORM).
- Use case 3: Audit management.
- Use case 4: Vendor risk management (VRM).
- Use case 5: Business continuity management (BCM).
- Use case 6: Corporate Compliance and Oversight.
Further Gartner has scoped a wide range of other GRC market research:
- Market Guide for Audit Management
- Magic Quadrant for Operational Risk Management
- Magic Quadrant for Security & IT Risk
- Magic Quadrant for Business Continuity Planning
- Magic Quadrant for Vendor Risk Management
- Market Guide for Corporate Compliance and Oversight
- Critical Capabilities of GRC Vendors
Gartner is to be commended for this shift in research and is my most formidable competitor. I do appreciate the interactions I have with French despite our online debates. We make a great nemesis team — protagonist and antagonist — Batman and The Joker, Superman and Lex Luthor (I will let you decide who is who).
Despite this tremendous change in strategy I am here to say it has some issues in the definition of the use cases. Basically, some of the use cases do not accurately represent the breadth of market requirements. I have looked them over carefully. As an independent analyst I get engaged to assist solution providers in how to approach and manage their relationships with the major analyst firms. I am asked to play the role of French Caldwell and review their responses and watch their demos to improve how they present their solutiosn to analysts. It is quite fun. The past few weeks, several solution providers have reached out to seek my assistance in strategizing responses to Gartner’s new GRC use cases. My concerns are as follows:
- Use case 1: IT Risk Management (ITRM). This use case I find interesting: its criteria covers the basics, but I am surprised on the limitation of the compliance mapping. It makes no reference to ISO 27000, NIST, or other popular standards and only references US-based regulations (note: PCI is not a regulation, but a contractual requirement). I take particular issue in Gartner Analys
t Paul Proctor’s blog Gartner Resets Approach to GRC. What Paul states is counter to Gartner having a use case in this area, he says, “The delineation of IT-GRC vs EGRC is almost meaningless because all of the IT-GRC vendors claim to do everything the EGRC vendors do and vice versa.” My point of view: IT-GRC solutions have an expanded data architecture to cover information and IT assets (e.g., logical, physical, relational, process), vulnerability and threat information, and hooks into the security architecture (e.g., vulnerability scanners, configuration management, security event/information management). There is a difference between IT-GRC and EGRC. Yes, some EGRC solution providers make a lot of claims and can tell Gartner all day long they do IT-GRC, it is Gartner’s job (and mine) to hold them to account on this and not just cave in. Some vendors state they can do anything, and with a significant amount of money and services they can do some interesting things, it will just cost you money and time. It is the job of analysts to analyze solutions and tell the world who actually has the features, who has the track record of success, who simply has capabilities that can be built out at a cost, and who lacks it all together. In my view it is easier for an IT-GRC solution to be an EGRC solution than an EGRC solution to become an IT-GRC solution. Gartner – you appear to be speaking out both sides of your mouth stating that delineation is almost meaningless and putting the time and effort into a use case in this area.
- Use case 2: Operational risk management (ORM). This use case has many of the high-level core criteria I would expect. I would like to see more on risk identification and collaboration. It could be more thorough in the variety of risk models solutions can do. There are over a dozen different risk analysis/assessment techniques that I review in my Risk Management Workshop. The international standard ISO 31010 (which provides supporting guidance to ISO 31000) has thirty different approaches. I often get asked which solutions support which of these risk assessment and analysis techniques when other analyst firms cannot answer this question. Another area for improvement in this use case is the ability to map/relate risks to show how risk interrelates with other risk not just vertically in hierarchies but horizontally across hierarchies. A particularly big issue in this area, and lacking in the use case, is the ability to aggregate and normalize risk. Some in the Magic Quadrant are quite flawed. They break down when different departments have different risk models and scoring. To overcome this, vendors have significant implementation time lines (at great financial cost) to build out rulesets and logic for risk normalization and aggregation because it is not a native feature to the solution. Risk normalization and aggregation is critical and necessary so risk reporting across department/operational areas to enterprise risk reporting makes sense.
- Use case 3: Audit management. Someone has done their homework. Compared to the other use cases, the audit management use case is far more detailed. Makes one wonder why Gartner goes deep in a few use cases while the rest are very light. My minor issues with this is an ability to build dynamic audit plans based on changes to business/regulatory/risk environments and the ability to build the more traditional three or five year audit plans. It could be stronger by listing the ability for external auditors to use the platform, and flexibility of the solution to perform a range of operational audits including those across vendor and supply-chains (where external auditors are often used).
- Use case 4: Vendor risk management (VRM). This one is a big disappointment. They scope the use case to be vendor risk management, and strongly lean it toward security. It should be 3rd party management (though in the commentary it does discuss applicability to supply chain, I suspect the narrow scope of this is due to internal politics and research boundaries with other Gartner analysts covering supply chain, if so it is a disservice to clients that are thinking more holistically). I do not see anything in the use case that identifies: a portal for 3rd parties, self-registration, communication of code of conduct and other policies, delivery of training, and ability for internal or external auditors to use the solution and record findings when exercising right to audit clauses. It is weak on detail about integration with 3rd party content for due diligence and monitoring activities — organizations are looking for solutions with a lot of depth in this area and the brief criteria statement is rather . . . light. In summary, from one industry perspective, this use case would end up with analysis of solutions that does not meet the needs of financial services institutions responding to the latest OCC requirements for more holistic vendor governance. The use case only partially fits the criteria needed by banks in this area.
- Use case 5: Business continuity management (BCM). Similar to audit management, Gartner has a lot more detail on the BCM use case and makes you wonder why the other four use cases are so light in comparison. A pretty thorough job in BCM.
- Use case 6: Corporate Compliance and Oversight. My greatest disappointment. This one is long and needs to be broken into subbullets:
- Compliance risk. Compliance risk assessments go beyond prioritization and planning. It is an integral part of the elements of a compliance program defined by the United States Sentencing Commission and is referenced by regulators as well as mentioned in some consent decrees, corporate integrity agreements, non-prosecution agreements, and more. It is part of board’s fiduciary obligations of compliance oversight. Compliance assessments are more than control assessments. Control is a term used by auditors, financial compliance, and IT. Compliance assessments, which can include control, also cover the state of policy development, maintenance, and communication. Compliance assessments review hotline reports and cases. Compliance assessments look at training programs. To do a proper compliance assessment looks at compliance process as well as controls.
- Exception management. Gartner’s coverage of exception management does not reference policy exceptions.
- Regulatory intelligence. I would expect to see deeper criteria on regulatory intelligence and the ability to not only integrate but provide content and in what areas content is provided (list the areas Gartner, break it out and measure solution providers on depth and breadth of regulatory content). Some solutions are deep in industry verticals like insurance, banking, health and safety – let your readers know which areas of content depth solutions deliver through relationships or directly themselves. Have a taxonomy in the criteria so solutions have to show the range of regulatory intelligence coverage – and I pray Gartner understands that this is more than the Unified Compliance Framework (I am not critiquing UCF, just recognizing that they only have a small slice of the regulatory world).
- Policy management. For policy management, Gartner should break this out in its own use case. There are a lot of enterprise and department policy management RFPs and projects that are not part of a broader compliance platform selection process. Gartner could spell out detail in policy lifecycle management capabilities, and it is missing exception management for policies as previously noted. There also is nothing in the criteria that covers the communication plan and campaigns for policies and training.
- Issue reporting and ca
se management. Under the incident criteria there should be an item that reviews the ability of the solution to stand up in court with proper evidence tagging and non-repudiation.
- Compliance forms & disclosure management. The use case criteria is missing forms management such as disclosures for conflict of interest; gifts; entertainment; hospitality – this is critical functionality for a solution for corporate compliance and ethics, particularly if you want to help your clients with FCPA and other regs.
- Due diligence. The criteria is void on integration with due diligence and other content databases (beyond regulatory intelligence) to fulfill due diligence requirements on internal personnel as well as 3rd parties.
- More compliance content. Some of the strongest compliance solution providers in the space provide content themselves and there is no coverage or the range of content – regulatory analysis, policies, controls, training/elearning courses, standardized assessments, 3rd party due diligence.
- Defensibility. Most significantly, there is nothing on a defensible audit trail. There is a reference to history in the use case – but organizations need more than that and solutions need to prove it to you Gartner. Look at the DoJ memo on Morgan Stanley and how they were praised for the ability to demonstrate policy maintenance, communication and training activities, assessments, monitoring, due diligence. Organizations need defensible compliance with clear audit trails of who did what, how, when, and why. Regulators are starting to tell banks that spreadsheets/documents do not have the right integrity in audit trail to use for assessments (something I have been stating for a decade). The November 2012 FCPA guidance by the DoJ and SEC states that they often encounter compliance programs that look good on paper but fail operationally and they are sick and tired of it. We need defensible compliance.
These are the use cases GRC solution providers have to prepare for, Gartner is just beginning their process. They could explore much of what I discuss throughout the process, but it would be best if it was apparent up front in the use cases themselves. There also is still time to revise these use cases as analysis is just starting. This matters as organizations invest a lot of money in solutions and need the deepest insight into the solutions they are purchasing. When requirements are not met it hurts the market as a whole. Gartner has a log of influence and is the biggest brand in the business. While we compete in market research, their approach can cast a shadow that hurts the rest of us. I dive deep into the functionality of these solutions and care that organizations select the right solution for their needs.
One more thing – Paul Proctor’s blog I referenced above. He critiques the acronym of GRC as being the most overused term confusing things. For clarity, the individual parts of GRC – governance, risk management, and compliance are all very overused terms across the business with many different interpretations. This is the area of research each of our firms cover and the one our clients engage us to make sense of.
Forrester
Compared to the long Gartner post, the brevity of this discussion may come across as letting Forrester off lightly. There is some serious misalignment between Forrester on one-side and myself and Gartner on the other. I cannot even go into the detail that I did with Gartner as Forrester just lacks the same point of view of the GRC market. I cut my GRC teeth at Forrester, defined the GRC market before anyone else, wrote the first two Forrester GRC Waves (as well as the first two ERM Consulting Waves). I recognized in 2007 with the 2nd GRC Wave that this market was too complex to represent in one two-dimensional graphic. As a result, my Wave had four graphics representing the aspects of: 1, overall GRC; 2, governance (audit); 3, risk management; and 4, compliance management. I reference Forrester in some of the blog entries I link to above discussing Gartner, but also have discussed Forrester in the following:
Previously I have given praise to Forrester for transparency. The Wave process gives clarity into scoring and criteria that Gartner’s Magic Quadrant does not (but these use cases are getting there). In the past seven years Forrester has collapsed the GRC Wave and failed to expand it. The four GRC Wave graphics went to one graphic. To make matters worse, Forrester combined a separate Wave on IT-GRC into the Enterprise GRC Wave (I discuss my views on the differences of IT-GRC and Enterprise GRC above in the Gartner analysis). Further consolidating research analysis of solutions where I have been expanding it and now Gartner is as well. Forrester – what GRC market are you covering? Certainly not the one I am covering, and not the one Gartner is covering.
Chartis
Chartis is not as well known as Gartner or Forrester. They provide market research with a predominant focus on financial services. They cover a range of GRC topics that I would all put under the umbrella of GRC, but their approach is to split GRC into its own category of multi-functional platforms distinct from other areas of their risk and compliance coverage.
My approach is that the entire market is called GRC and there are a lot of segments in this market of different types of solutions. Like IT security which has segments for firewalls, intrusion detection, anti-virus, and more . . . GRC has segments for risk, audit, compliance, policy, health & safety, quality management and many more areas. To me, GRC is the macro-market, an umbrella that covers a range of solutions. Chartis and I talk “apples and oranges” as we are representing GRC as different things. Their approach fails as it aligns more with Forrester than myself. Though if you take the scope of what they cover as ‘risk technology’ we become more “apples to apples.” It is how we name the high-level market category that everything cascades from that differentiates us. They call it risk technology, I call it GRC.
What really sets me off about Chartis is their recent statement in Enterprise GRC – Time for GFRC? Chartis states, “To drive a behavior-driven approach to GRC, firms need to incorporate performance and remuneration measurements into GRC. Chartis believes that firms should replace ‘GRC’ as a concept with ‘GFRC’ – Governance, Finance, Risk, and Compliance . . . Traditional GRC is outdated and fails to manage risk and prevent serious compliance breaches . . . Firms need to move beyond traditional GRC and take a more dynamic approach to governance, risk, and compliance.”
We are actually aiming for the same trajectory that there is more than a GRC platform and GRC platforms by themselves are not enough and can force an organization to the lowest common denominator in managing risk. Later in the article they state, “Chartis also believes that firms should do more to incorporate areas currently overlooked by GRC, including model risk, conduct risk, reputational risk, and stress testing.” These areas of risk are covered in the GRC 20/20 market model for GRC. I am writing a paper right now on model risk management, GRC 20/20 has a segment of the GRC market that catalogs solutions for reputation/brand risk, conduct risk falls into our coverage of compliance management solutions (e.g., market conduct exams for insurance), and stress testing is in the coverage of risk management technologies. Where GRC 20/02 defines a range of solutions in the market GRC and Chartis calls the same over
all market ‘risk technology,’ Chartis is using the GRC label similar to Forrester by collapsing a platform down to the lowest common denominator and then taking the perspective Gartner and I have stating it is missing something. Technically, Chartis and GRC 20/20 is aligned as we see a range of technologies that define a category. I call it GRC. Chartis calls it risk technology. We are pointing at the same thing in this sense.
I take issue with Chartis trying to create GFRC – that just confuses things. The GRC market started growth in financial controls as a fallout of SOX and some back in 2003 and 2004 tried to add Finance then. I don’t understand what Chartis is trying to communicate. Adding finance into the mix is a step back and not a step forward. One of the problems with traditional strategic planning is that it is really about financial planning and budgeting. In the UK there’s an entire movement around something called “beyond budgeting.” Finance, as well as operations, falls under the pervasive umbrellas of governance, risk management, and compliance. If not, do we start adding HR for human resources for the human element of GRC, IA for internal audit, H&S for health & safety. The nice thing about the GRC acronym is that these words are adaptable across the organization and provides a good umbrella. GRC defines the flow and context for the solutions in the market. GRC is a capability to reliably achieve objectives while addressing uncertainty and acting with integrity. Risk needs governance to set the objectives and strategy to give risk management context. We measure and monitor risk as it relates to performance, objectives, strategy with a focus on uncertainty. Part of risk management is setting boundaries that get established in policies, procedures, and controls that compliance ensures we adhere too – acting with integrity.
Markets to Markets
This company should not even be referenced in this post, but I do as they have been brought to my attention by solution providers a few times in concern. You can request their sample GRC report for free, but they charge thousands for the full report – the sample has anything of value redacted. Why I bring them up is their flagrant disregard for intellectual property and copyright. Their GRC market report takes some of my GRC content, particularly on GRC 3.0, the market timeline for GRC 3.0 in an exact representation of my work, and other GRC points and they source it back to themselves and not to GRC 20/20. Be wary of the analyst firm that fails to have an original thought of their own and takes the intellectual property of others. It came to my attention after solution providers in the GRC space (more than one) pointed out my IP being referenced as theirs. Still waiting for a confession and apology . . .