Extra, extra read all about it: “IT Vendor ‘X’ Has Solved World’s Risk and Compliance Problems.” Organizations are inundated with IT vendors claiming to have the answer for their risk and compliance problems. However, most of these vendors provide capabilities to meet only a single requirement or a handful of requirements and really are not a risk and compliance management vendor themselves. Real risk and compliance vendors provide a platform for documenting and overseeing risk and compliance across an organization. Products in this market include: enterprise risk management (ERM) dashboards; governance, risk, and compliance (GRC) platforms; applications that specifically target financial risk management; and applications that target specific areas of operational risk and control.
With corporate wrongdoing leading to increased government oversight and regulation, IT vendors have been quick to spin their message to capture corporate spending to meet new requirements. In fact, because of the buzz generated, Sarbanes-Oxley is often viewed as Y2K all over again but this time without an end date. Organizations are beginning to realize, though, that SOX is just one of many risk and compliance pressures that can pin them to a wall.
BEWARE THE FALSE PROPHET- Nearly every category of software vendor has a risk and compliance-related offering. Filtering through the vendor hyperbole, therefore, can be difficult. Prospective clients need to wade through:
Murky messaging about what vendors do.
While some vendors do a good job in defining what they do in light of requirements, others would have you believe that they are the complete answer to any risk and compliance nightmare. In fact, some vendors have developed completely misrepresentative white papers that promote their compliance product. One vendor quoted from sections of a regulation that were completely nonexistent, while in other instances Forrester has found vendor-quoted regulations taken completely out of context.
Misrepresentation of definition and scope.
Besides bad messaging, IT vendors in general completely misrepresent what risk and compliance management is all about. While most vendors would lead you to believe that they are the silver bullet, the reality is that there is no silver bullet for risk and compliance. Risk and compliance involve a combination of technologies to meet compliance requirements and to manage inherent risk. Ninety-nine percent of the current IT vendors are best-suited to meet a specific requirement or regulation or possibly to help mitigate/ manage a specific risk. This is a far cry from managing risk and compliance.
IDENTIFYING THE GRC MARKET LANDSCAPE- Despite these problems, there are vendors truly dedicated to the task of managing and measuring risk and compliance. Vendors that offer real solutions in the risk and compliance market are those aiming at management and measurement through the collection and analysis of risk and compliance-related information. Forrester has identified more than 400 vendors in this market space. These vendors fall across a range of capabilities: Some focus on specific approaches to measure risk and compliance in one industry or around one particular risk, while others have broad functionality to form an enterprise risk and compliance program platform.
The software market is complex.
There is no perfectly clean way to divide the market. The interconnectedness of the software market for enterprise risk and compliance mirrors the interdependency of risk and compliance fragments facing organizations. Feature functionality of varying platforms often falls across multiple categories, and one market category can easily have a half-dozen segments, each with accompanying sub-segments. For example, financial risk can be divided into multiple areas. One area is market risk, which can be further divided into categories such as interest risk, liquidity risk, foreign exchange risk, equity risk and commodity risk.
The solutions require an architectural view.
Interconnectedness of technology rolled into risk processes and oversight provides a cohesive way to define the market landscape and the relationship of different solutions to each other. This framework for developing a technology architecture drills down from the enterprise risk dashboard into specific areas of risk and compliance solutions. Forrester divides the risk and compliance market landscape into five market categories that should work together to provide a cohesive platform for building an ERM program (see Figure 1).
ERM DASHBOARDS TRACK KEY RISKS- Solutions in the ERM dashboard space are the risk central nervous system of an effective enterprise risk management program. To manage risk, a dashboard needs to be visible and understood. ERM dashboards that aggregate metrics about risk information from across an organization are the ones executives, the board and management can use to track and monitor risk.
Focus on Key Risk Indicators.
The core of these systems is their ability to monitor KRIs, often connected and balanced against key performance indicators (KPI). Dashboard systems for ERM must be integrated with systems such as ERP, ECM, CRM, BPM and BI to collect and aggregate risk information across business systems and processes. Furthermore, dashboard systems focus on the collection of KRI from business processes (e.g., manufacturing, supply chain, and accounting) and frequently require the manual collection of metrics to gather data that is not already in digital form.
Built from BI tools.
ERM dashboards are closely akin to, or are built from, business intelligence and dashboard products.
Integrated with GRC platforms.
In addition to the other IT systems mentioned, solutions in the ERM dashboard space need to be connected to GRC platforms.
MANAGE RISK WITH GRC PLATFORMS- GRC platforms are the workhorse and focal point of a risk and compliance management program. While dashboards are metric aggregators and communicators, GRC platforms are the foundation of developing risk and compliance processes. Solutions in this space have core functionality that falls across four primary segments. Each area itself is a segment of a category, with products that fall specifically into that segment and do not have broader functionality to be a complete GRC platform. GRC platforms are specifically aimed at managing risk and compliance across the businessÃ¯Â¾â€”creating a centralized hub of risk and compliance documentation, assessment, analysis and loss information from every part of the business. Providing the functionality in these four areas requires that solutions in this product category have excellent content management and workflow capabilities.
1. Policy, procedure, and control documentation allows for the development, documentation and communication of policies, procedures, and controls to the business.
2. Risk and control assessment provides the ability to manage and survey various areas of the business to assess risk, compliance and controls in the environment.
3. Risk analytics uses the governance mandates laid forth in policy and control documentation combined with data gathered in risk and control assessments to quantify and model risk to the business.
4. Loss, event, and investigations management systems collect records for tracking organizations’ losses, events, gaps in controls and audit findings while facilitating investigations management to handle the investigation and response process. A variety of vendors have integrated loss/event management platforms in their risk analytics, assessment, and policy documentation products.
MONITOR DOLLARS WITH FINANCIAL RISK SOFTWARE- While GRC platforms provide the vehicle to establish and communicate policies around financial risk (and other areas such as the many segments of operational risk), financial risk software gets down into the details of money by crunching numbers to determine if the organization is staying within policy limits. The software in this area:
Crosses multiple segments of financial risk.
Financial risk management is a complex category of products that encompasses segments of credit, market, interest, liquidity, foreign exchange, derivative/hedging, capital planning/allocation, insurance/underwriting, trading/transaction and other areas of financial risk.
Targets the responsibilities of the CFO.
Software in this category is very focused on managing risks that fall under the umbrella of the CFO. In addition, the majority of vendors in this space concentrate on managing financial risk within the financial services industry itself (e.g., brokerage, banking, and insurance). Risk is closely tied into compliance in the financial services vertical, as the government has imposed strict requirements to control financial risk within financial services organizations.
Operational Risk and Control Software- Drilling down to specific problems, organizations use software that targets the management of specific areas of operational risk and control. The expanse of solutions that touch on enterprise risk and compliance is broad. In this specific category of specialized software and systems, several hundred vendors present unique solutions aimed at specific risk and compliance areas. Players in this space have very similar capabilities to broader GRC platforms, but they focus on specific categories, including:
Horizontal risk areas.
While GRC platforms aim at managing risk and compliance across the organization, operational risk and control software focuses on specific areas of risk and compliance, such as environmental, health, and safety (e.g., OSHA), workforce, technology/systems (e.g., HIPAA, GLBA), product quality/manufacturing (e.g., ISO-9000, FDA GxP), marketing/communications, business continuity, financial assurance (e.g., SOX), among others.
Vertical industry-specific requirements.
There are also products dedicated to specific verticals. For example, the pharmaceutical vertical manages the quality assurance processes to meet regulatory requirements for drug manufacturing. Other systems manage the risk and control around Supervisory Control and Data Acquisition (SCADA) systems controlling the flow of oil, gas, water, and electricity. There are even systems designed to measure and manage risk related to terrorism and homeland security.
BRING IT ALL TOGETHER- Ultimately risk and compliance boils down to implementing controls and/or mitigating risk; this is where the wealth of IT vendors marketing risk and compliance capabilities help organizations deliver the supporting technology infrastructure for meeting requirements. Many IT vendors do have a significant role in meeting the requirements generated by risk and compliance initiatives.
WHAT IT MEANS: CREATE A RISK AND COMPLIANCE ARCHITECTURE
The world of risk and compliance management is complex, and the software products in this space are varied. There is no one solution that will do it all, which means that an organization must build a sustainable business and technical architecture for enterprise risk and compliance. This architecture is modeled around the structure of an organization’s risk and compliance management program (e.g., centralized or distributed), the industry risks it faces, its compliance mandates and the governance requirements set forth by executives and the board. Software from these categories can be selected and, most importantly, integrated to sustain this architecture and the oversight of risk and compliance within the organization.
Michael Rasmussen is vice-president, risk & compliance research for Forrester Research, Inc. This article is adapted from the first article in the Forrester “Risk And Compliance Market Landscape” series. For information on specific vendors discussed in the full article, contact Forrester at firstname.lastname@example.org .