Historically, the purpose of governance, risk management and compliance (GRC) software was to allow publicly traded companies to integrate and manage IT operations subject to regulations, specifically the compliance requirements of the Sarbanes-Oxley Act (SOX) of 2002.
But today, GRC is about more than just establishing compliance programs to meet legal requirements and manage risk, experts say. Companies are also using GRC tools to automate the collection, correlation and reporting of data so they can get more comprehensive views of organizational performance.
"Over the last nine or ten years, it's been a very stable governance, risk and compliance software market that came out of the Sarbanes-Oxley wave that hit about ten years ago," said John Wheeler, research director of risk and security management at Stamford, Conn.-based research firm Gartner Inc. "Then vendors in the space started to move away from pure compliance into more of a risk management posture. They became more robust around providing information to folks to make better decisions using risk information that was gleaned from across the enterprise."
And because some organizations are now supporting true enterprise risk management programs, enterprise GRC tools have become the risk management systems of record in those organizations, Wheeler added.
However, they also go beyond systems of record. "Now companies are looking to move beyond that system of record into what we call systems of differentiation -- point solutions around IT risk and more specific financial risks in terms of credit market risks and operations risks," he said. "They're also looking more closely at business continuity management, disaster recovery and supply chain risk management within operations, as well as looking at legal as a risk area."
But all these specialized GRC tools need to feed into the enterprise GRC platforms -- the systems of record -- to provide companies with full risk views. Wheeler said companies are struggling to integrate all these disparate systems of differentiation across the enterprise.
Without integration, it's difficult for a company to get a handle on its so-called risk profile and compare it against its "risk appetite." And the ability to understand and measure gaps between risk profile and appetite is the key to success with enterprise risk management programs, Wheeler said. Although these types of integrations are still in their early stages, "I see a huge potential market for system integrators that will come in and start integrating these GRC tools," he said.
GRC software helps tech company identify, manage risk
Integrating and managing the data associated with business changes and regulatory requirements that was stored in siloed databases across the organization was why financial services technology company Fiserv Inc. decided to standardize its approach to GRC across the enterprise.
Fiserv launched an enterprise risk assessment process in 2008 to determine the type of GRC tools that would best help the firm, said Ed Sarama, senior vice president and chief security officer at the Brookfield, Wis.-based firm. Raji Ganesh, Fiserv vice president of risk and compliance, said the company needed technology that was more standardized, structured and powerful than Microsoft Excel.
"So in 2009 we started looking for IT-based risk assessment [tools] to manage IT-based risk," Ganesh said. "At the same time, the whole concept of risk assessment for the enterprise landed on our lap, so we decided we didn't just want to do IT. We wanted to do people, processes [and] even beyond IT-related processes."
Fiserv needed a tool that would facilitate the aggregation and analysis of its multiple business unit work products to create an overall enterprise risk view, according to Sarama. With the understanding that a GRC platform was a framework, Ganesh said Fiserv looked for a vendor with a product that offered more out-of-the-box functionality that the company could fit into its existing framework.
Ultimately, Fiserv selected RiskVision software from Sunnyvale, Calif.-based vendor Agiliance Inc. The tool automates data collection, aggregation, workflow and reporting, and Ganesh said it provides the necessary information to identify, understand and manage the company's risk and its compliance efforts as well as perform any remediation.
And that's just what GRC tools should do, according to Michael Rasmussen, chief GRC pundit at GRC 20/20 Research LLC in Waterford, Wis. GRC software allows companies to take organized approaches to managing GRC-related strategy and implementation, he said.
"Then companies can relate it to other information like risk assessment and audits and monitor that environment and pull together all that data to give senior and executive management a way to make decisions based on their risk environment," he said. "So it requires integration and support from a lot of disparate systems, individuals and roles, and processes [and] transactions to really get the big picture of risk. And it's nearly impossible to do without software."
Value proposition of GRC tools
Over the years, there's been a considerable amount of market consolidation in the GRC space, according to R "Ray" Wang.
"This is a niche market targeted toward CFOs and people in auditing and accounting, and there are big players," said Wang, principal analyst and chairman of San Francisco-based Constellation Research Inc. The largest private equity player in the sector, according to Wang, is Riverside Co., which "snapped up Ethics Point, PolicyTech, ELT, and Global Compliance last year and combined them into what is now Navex Global."
Wang added that the sector is approximately a $12 billion market, which initially heated up in 2006 when vendors were hastily trying to ready themselves for SOX compliance. The next wave happened around 2010, when IBM and a handful of large European finance firms jumped into the market. "Thomson, Wolters Kluwer and Oracle … were picking up companies like crazy," Wang said. "They're all trying to figure out how to reduce risk because risk scares CFOs."
He added that while the value proposition of GRC tools initially centered on transaction automation, it's now more about using big data analysis in order to "get the patterns [and] actually surface the decisions."
In addition to the aforementioned large players, which also include SAP, there are numerous other smaller vendors that address certain pieces of GRC for specific verticals, Wang added.
But what all these various GRC tools have in common is that they help companies automate decision making, said Erik Heidt, Gartner's research director on the GTP security and risk management strategies team.
"And many of them contain knowledge bases that help you identify when the outside regulatory or commercial expectations are changing and alert you to the topics you need to consider paying attention to in terms of your policies and standards," said Heidt, who focuses on IT GRC.
He also said organizations are becoming more proactive about finding minor issues and documenting and addressing them in advance so they can reduce the risk and liabilities they have if the behaviors are ongoing or decisions are being made in ways that conflict with how things should be.
"A GRC tool is the layer above everything else that says 'I'm here to make sure that everything you say you're doing, you're doing,'" said Renee Murphy, security and risk management senior analyst at Cambridge, Mass.-based Forrester Research Inc.
About the author:
Linda Rosencrance has written about technology for more than 10 years and has been a reporter for more than 20. A former Computerworld reporter, she is a freelance writer in Massachusetts and also an author of several true-crime books.