Demand & Market for GRC Content & Intelligence Offerings

Governance, Risk Management & Compliance (GRC) is something every organization does, but not necessarily does well. All have some approach to GRC whether it is ad hoc and broken, or mature and integrated. Every organization on the planet does GRC in some form or fashion. The official definition of GRC, as defined by OCEG in the GRC Capability Model, is that GRC is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”

Organizations do not buy GRC they do GRC. However, there is a market for GRC related solutions, services, and content/intelligence. These help organizations in their doing of GRC within their organization and bring organization efficiency, effectiveness, and agility to GRC strategy, processes, and architecture.

A lot of attention has been given to the GRC technology solution market. I was the first to define and model this market back in February 2002 while at Forrester and have continued my nurturing and monitoring of this market. There are over 1,000 providers in the broad GRC market which is currently a $11.89 Billion market, but this does not count the professional services market which is significantly bigger than this. The Enterprise GRC market is about 10% of this figure.

To date, not a lot of attention has been given to modeling and sizing the GRC content and intelligence market.  This market is significantly represented in the above market size figure but not completely. The reason is that there are a lot of GRC content and intelligence solutions that are tied and integrated into technology solutions.  While this is true, many of these same GRC content and intelligence solutions can also be integrated with other GRC technologies and many are agnostic to GRC technology.

The role of content in GRC strategies, solutions, and architecture is becoming significant. Organizations find that they need access to risk and compliance intelligence updates, regulatory changes, risk libraries, audit templates, sanction and watch lists, sample policies, and more. GRC solutions are often differentiating themselves by their ability to provide and integrate a range of content offerings into their solution to provide complete situational awareness in a dynamic business environment.

On Monday, July 13th, GRC 20/20 will be presenting our latest Research Briefing on 2015 Market Analysis: GRC Content & Intelligence Providers. In this research briefing we will discuss the latest drivers and trends for GRC content and intelligence as well as segmentation, size, and forecasting of the GRC content and intelligence market.

GRC 20/20 has mapped 91 GRC Content & Intelligence providers with more than 350 content & intelligence offerings across the following categories (there is some overlap between these categories):

  • Audit Template & Workpaper Libraries
  • Benchmarking Solutions
  • Control Libraries
  • Compliance Forms & Templates
  • Due Diligence & Financial Monitoring
  • EH&S Libraries
  • Geo-Political Risk Monitoring
  • Industry Risk & Regulatory Reporting
  • Legal Cases & Analysis
  • Loss & Incident Databases
  • Negative News Monitoring
  • Policy Libraries
  • Regulatory Intelligence (actionable insight on reg change, not just a library)
  • Regulatory Libraries
  • Reputation & Brand Monitoring
  • Risk Libraries (including KRI, risk registers)
  • Risk Forms & Templates
  • Sanction / Watch Lists (including PEP lists)
  • Third Party Forms & Templates
  • Third Party Monitoring
  • Third Party Shared Assessments
  • Threat & Vulnerability Monitoring
  • Training Libraries

The role of GRC content and intelligence integrated with technology is a growing demand and need in the GRC market.  Organizations are more and more thinking along the lines of GRC architecture to support the range of their technology and content integration needs and not in siloed concepts of a single enterprise GRC technology platform.

2014 GRC Technology Innovation Award: MetricStream Offers Capability to Actively Deliver GRC Content from Multiple Sources

The 2014 GRC Technology Innovation Awards was filled with competition.   Nominations increased to 62 over last year’s awards, and fifteen winners were selected.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.

MetricStream Offers Capability to Actively Deliver GRC Content from Multiple Sources

MetricStream’s GRCIntelligence.com is an innovative cloud-based content portal that enables GRC professionals to access and integrate the latest GRC content from a variety of knowledge providers and information sources through a single online content store – GRCIntelligence.com.  GRCIntelligence.com makes curated intelligence available to all users within the enterprise adding significant value and increasing the effectiveness of the GRC program within the organization. The portal is integrated with MetricStream GRC Platform, thus providing subscribers with content updates and notifications directly within the MetricStream GRC application.

GRCIntelligence includes:

  • Curated content store. The GRCIntelligence.com portal serves as a one-stop shop for curated intelligence sources from partners and domain experts across industries for all GRC needs.
  • Direct delivery model. Automatically delivers subscribed content from the GRCIntelligence.com content store into the subscriber’s MetricStream GRC application through the GRCIntelligence application.
  • Content recommendations engine. Content recommendations engine within the MetricStream application based on user activity and social profiles.

GRCIntelligence.com enables GRC practitioners across the enterprise to purchase contextually relevant GRC content via credit card or purchase orders and have the content delivered automatically into their MetricStream GRC application for immediate use. This paradigm shift enables organizations to source and integrate GRC content from multiple sources across risk, compliance and audit with their MetricStream GRC applications in real-time. It also allows content updates to be notified to end-users via RSS feeds, system alerts or email.

The GRCIntelligence.com portal currently offers content from more than 50 content partners and sources including Unified Compliance Framework (UCF), Risk Spotlight, Shared Assessments, Code of Federal Regulations (CFR), and Clear Market Practices, and is adding new content partners and sources to its portfolio. A subscriber can choose from a range of content sources including regulatory updates, risk and control libraries, policy updates, market intelligence, and news feeds to receive periodic updates. The portal allows users to identify relevant content by leveraging features such as capability to filter results by content type, industry, role, and function with an intuitive and user-friendly interface.

The content is delivered into the subscriber’s MetricStream GRC application through channels that are setup in the GRCIntelligence application layer within the client installation of MetricStream. Once the content is in, MetricStream users have the capability to review the content, identify internal action items, log issues, trigger workflows, and notify users. The incoming content is stored in the Big Data store within the MetricStream client application and it can be selectively pushed into operational data store within MetricStream applications.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients

2014 GRC Technology Innovation Award: UCF Demonstrates it is the Science of Compliance Through its Most Recent Patent

The 2014 GRC Technology Innovation Awards was filled with competition.   Nominations increased to 62 over last year’s awards, and fifteen winners were selected.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.

UCF Demonstrates it is the Science of Compliance Through its Most Recent Patent.

The Unified Compliance Framework has recently received a patent for its applied technology for the structure, process for interpretation, quality assurance, and most particularly the segmentation and mapping of regulations. The UCF has been around for several years; the innovation recognized is their recent patent, process, and schema for segmenting and mapping regulations that will take the UCF well beyond the focus of IT compliance they have been successful with in the past. The solution will be delivered to vendors and corporate customers in the way of a RESTful API, XML tables, and interactive applications.

The Unified Compliance Framework has received the first ever patent for a compliance requirement segmentation and mapping framework. The patent was granted rapidly as the US Patent and Trademark Office stated that there has been nothing like it filed. This means that the UCF is the only GRC framework that has patented SNED values that can instruct GRC solutions as to which records are the Same, New, Edited, and Deprecated by using a single character to manage regulatory and requirement change.  This is supported by an end to end process that reaches from the Authority Document (AD) on one end, through the Authority Document’s Citations, to harmonized Common Controls, and out to Audit/Assessment Questions with supporting evidence. The UCF has a hierarchical structure wherein a parent and sort value can be assigned to any hierarchical record. This allows GRC solutions to plug into the UCF and automatically be able to display a list in original form, replicating legal or even “book” structures of original regulatory/requirement documents. GRC solutions utilizing UCF will be able to automatically discern how to handle audit questions and the necessary “skip logic” used when presenting hierarchical audits. Further, the schema allows for the breaking down of Citations and Common Controls into primary verb-noun pairs to “prove” the mapping of the Citation to the Common Control.

The business functionality is simple: any organization building out a GRC database or GRC solution can leverage the UCF’s patented structure to jump start their GRC strategy. There are already other firms such as Accenture that are now filing derivative work patents on top of the UCF’s patent.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients