Governance, Risk Management & Compliance (GRC) is something every organization does, but not necessarily does well. All have some approach to GRC, whether it is ad hoc and broken or mature and integrated. Every organization on the planet does GRC in some form or fashion. The official definition of GRC, given by OCEG in the GRC Capability Model, is that GRC is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”
Organizations do not buy GRC; they do GRC. However, there is a market for GRC-related solutions, services, and content/intelligence. These help organizations do GRC and bring efficiency, effectiveness, and agility to GRC strategy, processes, and architecture.
A lot of attention has been given to the GRC technology solution market. I was the first to define and model this market back in February 2002 while at Forrester, and I have continued nurturing and monitoring this market. There are over 1,000 providers in the broad GRC market, which is currently an $11.89 billion market, but this does not count the professional services market, which is significantly bigger. The Enterprise GRC market is about 10% of this figure.
To date, not a lot of attention has been given to modeling and sizing the GRC content and intelligence market. This market is significantly represented in the above market size figure, but not completely. The reason is that many GRC content and intelligence solutions are tied to and integrated into technology solutions. Even so, many of these same GRC content and intelligence solutions can also be integrated with other GRC technologies, and many are agnostic to GRC technology.
The role of content in GRC strategies, solutions, and architecture is becoming significant. Organizations find that they need access to risk and compliance intelligence updates, regulatory changes, risk libraries, audit templates, sanction and watch lists, sample policies, and more. GRC solutions are often differentiating themselves by their ability to provide and integrate a range of content offerings into their solution to provide complete situational awareness in a dynamic business environment.
On Monday, July 13th, GRC 20/20 will be presenting our latest Research Briefing on 2015 Market Analysis: GRC Content & Intelligence Providers. In this research briefing we will discuss the latest drivers and trends for GRC content and intelligence as well as segmentation, size, and forecasting of the GRC content and intelligence market.
GRC 20/20 has mapped 91 GRC Content & Intelligence providers with more than 350 content & intelligence offerings across the following categories (there is some overlap between these categories):
- Audit Template & Workpaper Libraries
- Benchmarking Solutions
- Control Libraries
- Compliance Forms & Templates
- Due Diligence & Financial Monitoring
- EH&S Libraries
- Geo-Political Risk Monitoring
- Industry Risk & Regulatory Reporting
- Legal Cases & Analysis
- Loss & Incident Databases
- Negative News Monitoring
- Policy Libraries
- Regulatory Intelligence (actionable insight on reg change, not just a library)
- Regulatory Libraries
- Reputation & Brand Monitoring
- Risk Libraries (including KRI, risk registers)
- Risk Forms & Templates
- Sanction / Watch Lists (including PEP lists)
- Third Party Forms & Templates
- Third Party Monitoring
- Third Party Shared Assessments
- Threat & Vulnerability Monitoring
- Training Libraries
Demand for GRC content and intelligence integrated with technology is growing in the GRC market. Organizations are increasingly thinking in terms of a GRC architecture that supports the range of their technology and content integration needs, rather than in the siloed concept of a single enterprise GRC technology platform.