The software category known as "governance, risk, and compliance" ended 2009 pretty much where it began: still lacking a clear identity. Any apt description of GRC, in fact, remains tantamount to, as one industry insider puts it, "an academic definition of the word mess."
It is an open question whether the GRC umbrella — stretching over at least 20 substantially different "enterprise platforms" plus an immense array of more-focused products that address specific facets of GRC (often tailored for a specific industry's needs) — has any definition at all. "There's no arguing that from a buyer's perspective, 'GRC software' doesn't exist today," Ventana Research analyst Robert Kugel wrote recently.
But even as its marketers struggle to explain GRC, the software itself is becoming more capable of managing governance, risk, and compliance on a cross-functional, integrated basis — a long-standing need that is intensifying as customers increasingly find that their jury-rigged "solutions" aren't up to that task.
Many companies are still saddled with narrow, duplicative approaches to GRC that lead to both economic and operational inefficiencies. Extra costs accrue when, for example, several different business units and functions separately track and manage a single risk factor — especially if, as is common, each buys its own software for the task. GRC platforms aim to solve that by offering data mapping, workflow, content management, and reporting, on top of which specific-purpose modules can be added.
While most GRC products were created as compliance aids, it is the "R" in the acronym that has driven the evolution toward a more flexible architecture. Managing and mitigating risks has taken an overwhelming lead as the top priority for GRC investments, according to a recent survey of 151 companies by AMR Research.
A confluence of events — the implosion of the risk-embracing financial-services sector, heightened pressure from the Securities and Exchange Commission regarding risk disclosure, high-profile product recalls, and increasing Foreign Corrupt Practices Act prosecutions — has renewed interest in risk-management practices, which may help galvanize the GRC market in a way that compliance-related worries have not.
"As companies start looking at managing risk across the enterprise, they want to pull all of that information into one place for reporting and analytics," says Forrester Research analyst Chris McClean.
Many vendors embraced the GRC moniker before they had much to offer in the risk area. Now they are building out their risk-management capabilities with new modules and a higher degree of integration, but it's very much a work in progress.
A holistic view of risk would, ultimately, include the ability to generate a single report tracking every business risk. "There's no product or service provider that actually does that, but if you're the CFO or chief risk officer, that's what you're trying to migrate to," says Gordon Burnes, vice president of marketing for OpenPages, a GRC platform provider.
Depending on the industry, the portion of a company's risk profile that cannot be handled through the integrated platform approach may be significant. For Axis Capital, a commercial property-and-casualty insurance and reinsurance company, the biggest risks are catastrophic events like earthquakes and hurricanes. "A general-purpose GRC application can't handle the kind of probabilistic, modeled data required to manage those risks," says Anders Anderson, the company's chief audit executive. Similarly, pharmaceutical firms are most exposed to risks related to drug testing and regulatory approvals, for which specialized software is needed.
But Axis manages many of its other risk factors — including those related to financial reporting, operations, and information technology — in a consolidated fashion through enterprise software from business-media giant Thomson Reuters, which last year acquired GRC supplier Paisley Inc. Successive versions of the software have allowed the company to get past its former "siloed" approach to risk management, Anderson says.
"By having things integrated in a single tool, we're able to pull out single reports covering multiple components of our risk-management framework," he says. "By no stretch is [Paisley] the only vendor we would consider working with, but we have found that we can make the tool do what we need it to do."
From Compliance to Controls?
If a clear definition is lacking, a continuous stream of enhancements is not. Consider BWise, which announced a new version of its eponymous product in December. The pitch? New and enhanced functionality designed to provide more of an end-to-end view of risk management. While compliance is still important, "it's not as sexy anymore," says founder and chief technology officer Luc Brandts.
As sexy as risk management may be, many companies are in the early stages of infatuation. Before risks can be managed, they must be identified. "They want to have an idea of where they stand, and not in a very complex way but in an easy-to-digest way. That's what we've built into this release," Brandts says.
While risk is in vogue, what ultimately may prove most notable about the updated BWise product is its inclusion of continuous controls monitoring (CCM) functionality. The GRC software market can be broadly divided into products that oversee risk-management and compliance programs and those that automate and monitor controls. According to Brandts, by integrating CCM into its platform, BWise is looking into the future. "I think three years from now there won't be two separate markets," he says.
If that proves true, the two dominant players in another major business-software sector, enterprise resource planning, may be prime catalysts.
In 2006, SAP AG acquired Virsa Systems, a compliance-software company with a CCM tool. Oracle Corp. matched that move the following year when it bought LogicalApps. Since then they have marketed themselves as GRC vendors. With their main focus on controls automation, though, their approach has been different from GRC specialty firms such as BWise, Paisley, OpenPages, Archer Technologies, and MetricStream, notes Forrester's McClean.
But their slate of other GRC capabilities is filling in, and they have a compelling carrot: a potentially more seamless integration between GRC and ERP platforms. Indeed, most of their GRC sales so far have been to their existing customers, although that is a huge potential market in itself.
Sharp Electronics has been a user of SAP's ERP since 2001, so when the company began to evaluate GRC vendors in preparation for its 2008 initial compliance with the new Japanese Financial Instruments and Exchange Law (essentially, Japan's version of the Sarbanes-Oxley Act), SAP was an easy choice.
"We did look at other suppliers, but they didn't have the integration with SAP for automated reports or other things we wanted," says Tom Trainor, assistant controller for process management and business controls. "It would have been additional work to use another provider."
SAP and Oracle are "definitely affecting the market," says McClean. "Unless there's a big implementation already, they're not competing for [GRC] deals very often, but that's starting to change."
In December, Oracle boosted its GRC street cred by releasing Oracle Enterprise GRC Manager, along with an update to its existing controls product. The new platform is touted for its support of cross-enterprise, risk-based modeling, analysis, and decision-making, and for its ability to manage interdependent risks and compliance initiatives within a single system.
Two years ago, says Chris Leone, group vice president of applications development, every GRC system Oracle sold was solely for the purpose of financial governance. Last year, customers began to indicate a desire to expand risk management to other areas of the business, and Oracle now finds itself selling multiple GRC modules beyond financial governance that give visibility to other kinds of risks, like those pertaining to health and safety, suppliers, and IT, according to Leone.
Meanwhile, the newest application within SAP's GRC platform, released in December, is designed to help manage sustainability initiatives. Most large companies are now reporting on those efforts, but they may have trouble tracking them and identifying risks, SAP says, particularly given the proliferation of standards and guidelines related to sustainability. The new module joins a product lineup that covers enterprise risk management, access controls, process controls, global trade services, and health and safety management.
SAP will roll out more GRC capabilities in 2010, says Ranga Bodla, senior director of GRC solution marketing. The goal is to free customers from "an endless loop" in which they find a problem, report on it, fix it, and go on to the next problem. "That is unsustainable," he says, so SAP's focus is on "automating more and more" risk-management processes. It may not be possible or even desirable to eliminate silos within organizations, he adds, but creating more visibility around risks will at least help define risk-tolerance thresholds.
Eventually, though, the silos are likely to crumble. "Everybody is starting to recognize that managing things in a siloed manner runs significant risks," says William Miller, controller of a subsidiary that manages the IT operations for Nationwide Insurance. "It's expensive, it's not efficient, and you can miss the forest for the trees." That forest-for-the-trees metaphor nicely sums up what GRC is trying to do; vendor marketing departments should take note.
David McCann is senior editor for technology at CFO.
GRC Investment: Back on Track in 2010
Companies will spend $30 billion, mostly on internal management and external consulting.
After two years of decline, U.S. companies' spending on governance, risk, and compliance (GRC) will grow by 3.9% this year, according to a November 2009 report by AMR Research. The outlay is expected to reach $29.8 billion, though technology — software, hardware, and integration — constitutes less than a third ($9.2 billion).
Almost half of the total is for day-to-day internal management and execution across lines of business and functions like IT, legal, and audit. Another chunk is for external consulting, implementation, and outsourced services. "GRC is still an intensely human effort," AMR says.
The recession significantly slowed the market's growth. In early 2008, AMR forecast that spending would hit $33.5 billion in 2009. Instead, it reached only $28.7 billion, or 14% less than predicted. "We thought it was going to take off like a rocket," says AMR analyst John Hagarty. But when money grew tight, the GRC market suffered because "this stuff is often considered discretionary — a good business practice, but not essential."
Some vendors have fared better than others. Archer Technologies, a smaller enterprise-software supplier whose technology has received good reviews, saw revenue leap more than 30% last year, to $31 million, according to marketing vice president Alex Bender. "Our clients continue to expand their GRC programs and make them more enterprisewide," he says. — D.M.