James Doss, CFO of RF Industries, is convinced. Risk management is a top priority at the San Diego–based provider of wired and wireless networking and communications products, and Doss says GRC software can address it effectively. “Risk is probably a secondary thought to most people [when they buy this software], but in essence that’s really what the driver is.”
Another key concern, says Doss, is flexibility on the part of the vendor. “You want the software to flex with your changing processes and needs,” he says, in part to “get buy-in from your company’s stakeholders so they feel that the software works with them, instead of forcing them to change their ways.”
Power Up, Price Down
The changes that Rasmussen speaks of will likely manifest themselves in several different ways this year. For one, expect vendors to expand their offerings from core areas of expertise into more complete products or product suites that address all three components of GRC. While many may continue to stress a particular niche as a way to win sales, most will attempt to convince customers that their products can, and should, be more widely deployed across the enterprise to address governance, risk, and compliance. Customers will have to decide to what degree they buy based on today’s niche expertise versus tomorrow’s promise.
That may sound daunting, but market forces will provide some relief. The rapid proliferation of GRC vendors — Rasmussen now counts around 1,300 GRC technology and consulting service providers, from major players like Oracle, SAP, BWise, and OpenPages to single-owner start-ups — is about to give way to the same wave of consolidation that has swept through the business-intelligence market in the past two years.
The software should also get easier to use. OpenPages, for example, has been following a path in which its products can be tailored without expensive and time-consuming reprogramming. John Klein, vice president of audit services at Miami-based Carnival Cruise Lines, says that that has allowed his company to give more employees access to the software. “When we first implemented OpenPages, only a handful of ‘power users’ were utilizing the software to document [Sarbanes-Oxley]-related activities associated with hundreds of process and control owners,” he says. “We have since configured the software so that process and control owners can perform certifications directly.”
And it should become easier to afford, as the transition toward software-as-a-service continues to gain momentum. Centrally hosted software that is rented not only allows customers to avoid a capital outlay, but it also offers a number of technological benefits, such as automatic updates, improved scalability, and reduced IT overhead.
But GRC remains far from a no-brainer. For one thing, companies that already use ERP or other sophisticated enterprise software must decide whether they want to bring in a niche player or rely on the GRC offerings (and, in general, more-sophisticated if more-expensive support) of their key vendors. There is also the question of which vendors will still be around a year from now, and whether an acquisition will have any impact on the product of the acquired company.