OCEG: We are hearing a lot about the need to integrate governance, risk management and compliance efforts – something that no one talked about just a few years ago. Is integration of GRC a trend or a fad? Do you see a real paradigm shift occurring?
Rasmussen: The integration of GRC is not a trend or a fad but a requirement. Business today is complex, distributed and diversified around the world and across business relationships–this requires that siloed functions of the past begin to collaborate and share information. Organizations need an infrastructure and architecture to allow this collaboration. That is what integrated GRC is all about. From an organizational perspective, it needs to be federated, not centralized or decentralized. From a technology perspective, it needs to become integrated. GRC is a framework and philosophy and not a job description, as GRC crosses many roles across the organization.
Hagerty: Almost all emphasis to date has been on the “compliance” part of GRC. Differing compliance programs have been managed independently in pockets across the organization. With maturity, many firms have become increasingly sensitized to spotting areas of risk in their business: financial, operational, IT, brand and/or reputation. Executives and boards of directors demand visibility into exposure and status so they can manage the organization’s long-term strategies effectively. We see more firms taking a critical step back to get a fix on the big picture. It’s already beginning to affect how they systemically identify, measure, prioritize and respond to all types of risk in the business, and then manage any exposure accordingly.
Caldwell: Well, of course, five years ago no one had heard of Paul Sarbanes or Michael Oxley either. The Sarbanes-Oxley Act triggered a lot of interest in compliance activities, since now the CEO and CFO were directly accountable for the validity of the financial statement and for internal controls. Furthermore, companies’ external auditors were required to attest to management’s assertions on the internal controls. Thus, compliance became a front-burner executive management and board-level issue. SOX also had the effect of making the cost of compliance much more visible. It was sudden, and money had to be spent on not just external auditors, but also on internal labor and consultants. Many companies began to report these costs in their quarterly and annual reports. Executive management then became aware of the redundancies of SOX compliance with other regulatory compliance–the costs of which had grown, but stealthily over years.
With more visibility of the complexity and costs of compliance, executive management and the board are focused on how to bring those costs down. And the way forward is clearly a risk-oriented, principles-based approach, that basically says: “If you have pretty good governance, and are doing a good job of identifying and managing your risks, then compliance and audit activities can be focused on entity-level and IT general controls, rather than getting into more granular process and technical controls.” Hence, the relationship of governance, risk and compliance activities.
OCEG: What is the size of the GRC market today and where do you see it being five years and 10 years from now, for software and for services/consulting in terms of spend?
Hagerty: AMR Research estimates that 2007 GRC spending will hit $29.9 billion, growing 8.5% from last year; companies now expect to spend an additional 3.6%, or $31 billion, in 2008. Of that, $9.9 billion will be spent on technology. The top four areas of spending include financial controls (i.e., Sarbanes-Oxley), document and records retention, security and privacy and finally, general and operational risk management. Spending continues to accelerate. We anticipate the market will surely grow over the next five years. But at this point, it’s difficult to estimate, given the shifting regulatory environment.
Rasmussen: Size of the GRC market... big. Forrester has sized the GRC software platform market that is characterized across four areas: policy and procedure management, risk and control assessment, risk analytics, and investigations management. This specific area of software is currently on target for over $820 million this year, and I forecasted it to grow to $1.3 billion by 2011. However, this is a very conservative estimate and does not account for many global factors that have happened in the past year–the market for this specific area of GRC is bigger. Further, it does not account for the range of GRC software spending in other areas–such as security, matter management, contract management, environmental health and safety, quality, automated controls, and many other areas of GRC. Further, it does not account for the services side. The risk and compliance consulting market is currently at $36 billion and is expected to grow to more than $50 billion worldwide over the next three years.
Caldwell: I assume you mean the information technology-related market. There is really not a distinct GRC market. Many IT markets support GRC activities, and those range from management applications such as Finance GRCM to technical controls tools such as firewalls. Gartner has looked at the impact of GRC activities on overall software spending, and it is at about $12 billion. However, there is a subset of that spending that is GRC-specific IT markets at about $1 billion in 2007.
OCEG: How many software providers are there that offer complete or partial solutions for governance, risk management and compliance efforts to U.S. and multinational companies? Is the market dominated by a handful of these or is it pretty evenly spread out?
Rasmussen: Forrester has identified over 500 software vendors offering GRC applications. These span from technologies focused on very specific applications to broad GRC platforms. There are over 100 GRC software platform vendors offering capabilities that span across policy and procedure management, risk and control assessment, risk analytics and investigations management. Further, there are over 200 consulting firms offering compliance consulting services, and that does not account for law firms. The market is very spread out at this point–but it is ripe for consolidation.
Hagerty: There are several hundred software providers that have a stake in some way, shape or form in the GRC marketplace. There are GRC specialists that have significant mindshare in the market today. And there are scores of other providers that deliver on specific functionality for GRC. Based on such a broad and diverse marketplace, it is fairly well diffused. However, we expect this to shift over the next few years, with power concentrated in some powerful vendors.
Caldwell: There is no such thing as a complete GRC solution. Governance cannot be shrink-wrapped. There are some vendors that offer Finance GRC Management applications, and others that offer IT GRC Management applications–but then there are dozens and dozens of other vendors that offer GRC-related technologies ranging from audit management to IT technical controls automation to e-discovery. No vendor combines all these capabilities into a single product, or even a single portfolio offering.
OCEG: Are you seeing a shift toward integrated solutions that ensure those responsible for governance, risk management and compliance are all operating on the same page, all using the same information? If so, is this being accomplished by enhancing the integration of separate component solutions or development of “complete package” solutions?
Rasmussen: Integration is where GRC is going. GRC is all about collaboration across silos; this requires sharing of information. At the core, you will have vendors with strong content and business process management capabilities that provide the backbone of GRC. These vendors will replace many of the disparate, dated and non-integrated technologies across the organization over the next decade. From there, these platforms will integrate into specialty applications to share information. Organizations are looking toward an integrated GRC technology architecture to provide sustainability, consistency, efficiency and transparency on GRC-related issues across the business.
Caldwell: If you mean the all-encompassing universal GRC solution, let me say again, there is no such thing. However, many Finance and IT GRCM vendors have evolved to include more support for risk assessments and risk management, and most aspire to improve and make explicit the linkage between regulations and rules, implementing policies and objectives and risks and controls. As the applications have become more complex and with demands for integration of various other technologies that support GRC, vendors are moving to a GRC platform strategy that can integrate finance or IT GRCM with other GRC tools and applications, and also with the general ledger, corporate performance management (CPM) and other business applications. With the platform strategy, the applicability of GRCM solutions could extend beyond just documentation of compliance activities to include real-time controls automation and monitoring.
Hagerty: Our interviews with hundreds of companies have resulted in an enterprise-wide maturity model for GRC management, a four-stage progression that outlines the steps each company must pass through before it achieves the next level of organizational maturity. The more mature a firm’s approach is to GRC, the more risk-aware it becomes and the quicker it can incorporate new requirements cost effectively into standard operating procedures, and the more likely it is to look to a suite of products from one or a few vendors to accomplish that business requirement.
OCEG: Will users have to replace existing solutions they have in place to implement integrated GRC solutions, or will they be able to effectively build on what is already in use?
Caldwell: Some organizations are laying the foundation for an integrated compliance and operational risk architecture. An integrated architecture will enable the elimination of some compliance process controls, because equivalent system controls will be inherent in the evolving architecture. Businesses also will be capable of eliminating numerous compliance-specific applications for audit, disclosure and financial controls, because standardization and automation of controls will eliminate the need for some of that compliance-specific functionality. The net result for businesses will involve a reduction in the total cost of compliance.
Rasmussen: Organizations will most likely have to replace many existing solutions. There are a lot of custom-built applications combined with commercial applications that were never designed to integrate with other applications. Forrester recommends that organizations do an assessment of what technologies they have in place today across the organization, identify which of these technologies can be consolidated on a common platform and then work on integration of technologies that offer special capabilities of risk and compliance that need to plug into the common architecture.
Hagerty: When companies initially invested in compliance solutions starting in 2003-2004, we recommended they evaluate them as tactical purchases with a lifespan of three to four years. With the depth of changes in this market and the early stages of consolidation underway, we would recommend that companies evaluate the health and viability of their existing GRC vendors before deciding whether to extend or replace products.
OCEG: If an organization was starting from scratch to implement technology solutions for GRC, how should it begin?
Caldwell: Before spending a lot on compliance technology, companies should first use a risk assessment to identify which are their key controls and standardize those controls across the business. Those key controls are where to focus technology support.
IT services and technology can support three different GRC objectives: efficient and effective operations, financial reporting accuracy and compliance with policies, laws, regulations and other binding requirements such as SLAs and contracts. All of these are business goals and to ensure that IT processes are effective in enabling them, IT goals should be aligned with those business goals. IT, though, also has its own goals for services management, good governance and compliance, that do support business goals, but are not intuitive to the rest of the business–unless something bad happens, such as a loss of customer data, fraud enabled through poor IT access controls or misuse and misappropriation of IT assets. So the IT organization has to look after itself as well as the business.
Hagerty: There are basic steps to the organization:
• Clearly define the scope of effort, specifying priority of specific functionality.
• Understand best practices of organizations like yours that have come before you.
• Evaluate future vision for what GRC can/will manage. Use a consultant if needed.
• Take inventory of what architectural elements/backbone systems are in place.
• Create a shortlist of vendors, evaluate, check references and select.
• Implement incrementally, rapidly iterating through each area of emphasis.
Rasmussen: The first step is a GRC software platform that has strong content and process management capabilities. That is the core. As stated, this is a platform that does policy and procedure management, risk and control assessment, risk analytics and investigations management. This provides much of the common infrastructure for GRC across the organization. However, BE CAREFUL. You need to understand what your GRC strategy and philosophy is before selecting a vendor. Vendor solutions were designed with some pre-conceived notion of what GRC is about. Unfortunately, Forrester has seen many organizations that have let their software vendors define their approach and philosophy of GRC, which does not match that of the organization, once they understand what they are getting into.