Like the global economy, the governance, risk, and compliance (GRC) software business has experienced plenty of recent turmoil. Unlike the economy, however, the GRC world is used to it. Almost from the beginning, uniting governance, risk, and compliance into a single entity has been a delicate exercise. It required vendors to offer customers working in different business sectors three related, but not always easily integrated, capabilities.
The stock market’s meltdown further unsettled this balance. Risk management and governance issues raced to the forefront while compliance, which tends to be at the core of most GRC products, receded into the shadows, at least temporarily.
“Compliance was really not a big factor in the meltdown,” says Marc Othersen, senior security and risk management analyst at business technology research firm Forrester Research. “There were some compliance issues, but it was the risk and the governance [parts] where people had the whammies.”
Where will that leave the software category in 2009? Michael Rasmussen, president of Corporate Integrity, a Waterford, Wisconsin-based consultancy that specializes in GRC issues, insists that GRC is far more than a handy marketing acronym. It captures a philosophy of business that encompasses oversight, processes, and culture. “Ultimately, GRC is about the integrity of the organization,” says Rasmussen. Nonetheless, he expects both recent events and impending changes to the business climate, such as additional regulation, to have a strong impact on the space. “The GRC market today is not necessarily going to be the same one that is around a year from now,” he adds. “Change is inevitable.”
Properly deployed, Rasmussen says, GRC in bundled or à la carte form should help companies answer four key questions:
- Is the organization properly managed and does it have sound governance?
- Does the organization take risk within risk-appetite and -tolerance thresholds?
- Does the organization meet its legal/regulatory compliance obligations?
- Does the organization make its code of ethics, policies, and procedures clear to its employees and business partners?
Critics contend that vendors have allowed customers to stumble when insight was needed most. Some blame vendors for skimping on risk and governance software in favor of more easily salable compliance tools. “The risk function is something software vendors didn’t build out very well,” Othersen says. “Even if it did work well, it still had issues for some of these companies that had meltdowns.”
Even when the software generated accurate and actionable data, customers may not have acted wisely on such information. Some disregarded the GRC-generated alerts and made bad decisions. Whether that’s attributable to poor training, ignorance, or an inability or unwillingness to buck the tenor of the times is open to debate. “A lot of them either didn’t know how much risk they were assuming,” Othersen says, “or they knew exactly how much risk they were assuming but they decided to do it anyway.”
Michael J. Duffy, president and CEO of Waltham, Massachusetts-based vendor OpenPages, defends the track record of GRC software. “In the case of the financial-services collapse and subprime crisis, some financial-services institutions — such as Goldman Sachs — did effectively identify the risk of falling home prices and foreclosures on their mortgage-backed securities and exited that business in time,” he says. “Others either failed to identify and appreciate the impact of these risks on their business, or chose to ignore their own internal warnings from risk managers and GRC solutions.”