Like the global economy, the governance, risk, and compliance (GRC) software business has experienced plenty of recent turmoil. Unlike the economy, however, the GRC world is used to it. Almost from the beginning, uniting governance, risk, and compliance into a single entity has been a delicate exercise. It required vendors to offer customers working in different business sectors three related, but not always easily integrated, capabilities.
The stock market's meltdown further unsettled this balance. Risk management and governance issues raced to the forefront while compliance, which tends to be at the core of most GRC products, receded into the shadows, at least temporarily.
"Compliance was really not a big factor in the meltdown," says Marc Othersen, senior security and risk management analyst at business technology research firm Forrester Research. "There were some compliance issues, but it was the risk and the governance [parts] where people had the whammies."
Where will that leave the software category in 2009? Michael Rasmussen, president of Corporate Integrity, a Waterford, Wisconsin-based consultancy that specializes in GRC issues, insists that GRC is far more than a handy marketing acronym. It captures a philosophy of business that encompasses oversight, processes, and culture. "Ultimately, GRC is about the integrity of the organization," says Rasmussen. Nonetheless, he expects both recent events and impending changes to the business climate, such as additional regulation, to have a strong impact on the space. "The GRC market today is not necessarily going to be the same one that is around a year from now," he adds. "Change is inevitable."
Properly deployed, Rasmussen says, GRC in bundled or à la carte form should help companies answer four key questions:
- Is the organization properly managed and does it have sound governance?
- Does the organization take risk within risk-appetite and -tolerance thresholds?
- Does the organization meet its legal/regulatory compliance obligations?
- Does the organization make its code of ethics, policies, and procedures clear to its employees and business partners?
Critics contend that vendors have allowed customers to stumble when insight was needed most. Some blame vendors for skimping on risk and governance software in favor of more easily salable compliance tools. "The risk function is something software vendors didn't build out very well," Othersen says. "Even if it did work well, it still had issues for some of these companies that had meltdowns."
Even when the software generated accurate and actionable data, customers may not have acted wisely on such information. Some disregarded the GRC-generated alerts and made bad decisions. Whether that's attributable to poor training, ignorance, or an inability or unwillingness to buck the tenor of the times is open to debate. "A lot of them either didn't know how much risk they were assuming," Othersen says, "or they knew exactly how much risk they were assuming but they decided to do it anyway."
Michael J. Duffy, president and CEO of Waltham, Massachusetts-based vendor OpenPages, defends the track record of GRC software. "In the case of the financial-services collapse and subprime crisis, some financial-services institutions — such as Goldman Sachs — did effectively identify the risk of falling home prices and foreclosures on their mortgage-backed securities and exited that business in time," he says. "Others either failed to identify and appreciate the impact of these risks on their business, or chose to ignore their own internal warnings from risk managers and GRC solutions."
Despite a less than perfect record, GRC vendors still tout the risk-management and governance capabilities of their products. In fact, they see a major marketing opportunity in the subprime crisis and in the current economic distress. "The collapse of the financial markets was a wake-up call," says Narina Sippy, general manager of German software vendor SAP's GRC business unit. "Companies are now taking action to ensure their organization is not next to be splashed across newspaper headlines," she says.
Once awakened, the argument goes, companies will need to invest in software that helps them stay alert. John Capobianco, president and CEO of Lumigent Technologies, says that companies can expect to pay between the mid five figures and low six figures for his company's product, broken out like this: a privately held company with $100 million in sales might pay as little as $53,000, while a midsize, newly public company with $750 million in sales might get started for $75,000, and a multibillion-dollar company with thousands of employees and several locations would begin at $113,000. In all cases, annual maintenance costs would run 22 percent of licensing fees; Capobianco predicts a positive ROI in a couple of audit cycles.
New York–based vendor BWise charges customers based on the number of users and the client's choice of modules. A cost-conscious customer can start small and add modules as needs arise, since the modules are built-in and can essentially be turned on or off at the flip of a switch — or remittance of a check. Like many other vendors, BWise also offers subscription-based pricing for their installed software and software-as-a-service model that allows customers to pay as they go. Implementations normally take from one to three months, depending on a project's complexity. BWise chief technology officer Luc Brandts also stresses a fairly short-term ROI (about one year).
Sharpen Your Pencils
All vendors, of course, lead with best-case scenarios. Deloitte principal Brian Parker warns that the tab can run a lot higher. A program dealing with regulatory compliance alone, he claims, can cost $200,000 or more. An integrated approach that delivers the full scope of GRC capabilities can crest the $1 million mark for a large organization. One reason for the spread is that there is not a great deal of uniformity among GRC products in terms of what they do and how they do it; therefore, each vendor's pitch has to be evaluated very carefully against a company's needs.
However complicated the buying decision may be, there is evidence that more companies will be sharpening their pencils and taking a closer look, if only to satisfy the growing drumbeat coming from the top of their organizations, and beyond. "Auditors, audit committees, governments, regulators, and credit-rating agencies are increasingly asking companies to improve their risk-management efforts," says Brandts. "The influx of companies asking for help in this regard has significantly increased over the last few months."
Corporate Integrity's Rasmussen notes that a stampede toward G and R (if not C) is creating a brisk sales environment. "Vendors that can target third-party risk management — managing the risk of processes and relationships — are finding that this is a very hot area right now," he says.
James Doss, CFO of RF Industries, is convinced. Risk management is a top priority at the San Diego–based provider of wired and wireless networking and communications products, and Doss says GRC software can address it effectively. "Risk is probably a secondary thought to most people [when they buy this software], but in essence that's really what the driver is."
Another key concern, says Doss, is flexibility on the part of the vendor. "You want the software to flex with your changing processes and needs," he says, in part to "get buy-in from your company's stakeholders so they feel that the software works with them, instead of forcing them to change their ways."
Power Up, Price Down
The changes that Rasmussen speaks of will likely manifest themselves in several different ways this year. For one, expect vendors to expand their offerings from core areas of expertise into more complete products or product suites that address all three components of GRC. While many may continue to stress a particular niche as a way to win sales, most will attempt to convince customers that their products can, and should, be more widely deployed across the enterprise to address governance, risk, and compliance. Customers will have to decide to what degree they buy based on today's niche expertise versus tomorrow's promise.
That may sound daunting, but market forces will provide some relief. The rapid proliferation of GRC vendors — Rasmussen now counts around 1,300 GRC technology and consulting service providers, from major players like Oracle, SAP, BWise, and OpenPages to single-owner start-ups — is about to give way to the same wave of consolidation that has swept through the business-intelligence market in the past two years.
The software should also get easier to use. OpenPages, for example, has been following a path in which its products can be tailored without expensive and time-consuming reprogramming. John Klein, vice president of audit services at Miami-based Carnival Cruise Lines, says that that has allowed his company to give more employees access to the software. "When we first implemented OpenPages, only a handful of 'power users' were utilizing the software to document [Sarbanes-Oxley]-related activities associated with hundreds of process and control owners," he says. "We have since configured the software so that process and control owners can perform certifications directly."
And it should become easier to afford, as the transition toward software-as-a-service continues to gain momentum. Centrally hosted software that is rented not only allows customers to avoid a capital outlay, but it also offers a number of technological benefits, such as automatic updates, improved scalability, and reduced IT overhead.
But GRC remains far from a no-brainer. For one thing, companies that already use ERP or other sophisticated enterprise software must decide whether they want to bring in a niche player or rely on the GRC offerings (and, in general, more-sophisticated if more-expensive support) of their key vendors. There is also the question of which vendors will still be around a year from now, and whether an acquisition will have any impact on the product of the acquired company.
But the biggest question of all remains whether and to what degree software can automate and augment the many business processes that lie at the heart of governance, risk, and compliance. If a company takes a fragmented approach toward those tasks, the existence of a unified software package may not gain much traction at a time when each department or business unit is scrutinizing its budget like never before and shelling out for only what it needs today.
John Edwards is a freelance writer based in Gilbert, Arizona.
What We Talk about When We Talk about GRC
Since GRC technology and services comprise three separate activities, companies naturally emphasize different reasons for investing in it. Compliance was the main attraction at first, but after several years of wrestling with Sarbanes-Oxley, "people had compliance fatigue," says John Hagerty, an analyst at AMR Research in Boston. Risk management subsequently started to drive the GRC market, beginning in the first half of 2007. "The conversation really changed," says Hagerty. "Companies were looking specifically to understand what their risk profile was — which areas they were exposed in, which activities could be risky."
Hagerty says the issues that dominate the news tend to drive GRC spending. In 2007, information technology risk, particularly that focused on data security and privacy, became a cause célèbre following widely reported thefts of credit-card numbers and breaches of government databases. In 2008, the banking crisis highlighted how irresponsible risk-taking can cause entire organizations to collapse. Thus risk management, increasingly for operational risk, continued to be "the new compliance," as an AMR report put it.
However, compliance could make a comeback, says Hagerty, thanks to the recession. Cash-strapped companies are reviewing all of their investments with a gimlet eye, including their IT portfolios. If they decide "to get back to essentials," he says, they may refocus on the compliance component of GRC, which handles regulatory issues that companies must address.
The next big driver of GRC technology could be environmental initiatives — managing carbon footprints and greenhouse-gas emissions, or implementing a sustainability program. In a 2008 AMR survey of GRC buyers in the United States, Germany, and Japan, only 6 percent said that environmental health and safety compliance was their largest single GRC investment, compared with 23 percent for IT-specific risk management, 15 percent for Sarbox or other financial-governance initiatives, and 14 percent for operational and general risk management. But that balance could change if global warming becomes a larger corporate priority, or if the Obama Administration steps up environmental regulation. — Edward Teach