The software category known as “governance, risk, and compliance” ended 2009 pretty much where it began: still lacking a clear identity. Any apt description of GRC, in fact, remains tantamount to, as one industry insider puts it, “an academic definition of the word mess.”
It is an open question whether the GRC umbrella — stretching over at least 20 substantially different “enterprise platforms” plus an immense array of more-focused products that address specific facets of GRC (often tailored for a specific industry’s needs) — has any definition at all. “There’s no arguing that from a buyer’s perspective, ‘GRC software’ doesn’t exist today,” Ventana Research analyst Robert Kugel wrote recently.
But even as its marketers struggle to explain GRC, the software itself is becoming more capable of managing governance, risk, and compliance on a cross-functional, integrated basis — a long-standing need that is intensifying as customers increasingly find that their jury-rigged “solutions” aren’t up to that task.
Many companies are still saddled with narrow, duplicative approaches to GRC that lead to both economic and operational inefficiencies. Extra costs accrue when, for example, several different business units and functions separately track and manage a single risk factor — especially if, as is common, each buys its own software for the task. GRC platforms aim to solve that by offering data mapping, workflow, content management, and reporting, on top of which specific-purpose modules can be added.
While most GRC products were created as compliance aids, it is the “R” in the acronym that has driven the evolution toward a more flexible architecture. Managing and mitigating risks has taken an overwhelming lead as the top priority for GRC investments, according to a recent survey of 151 companies by AMR Research.
A confluence of events — the implosion of the risk-embracing financial-services sector, heightened pressure from the Securities and Exchange Commission regarding risk disclosure, high-profile product recalls, and increasing Foreign Corrupt Practices Act prosecutions — has renewed interest in risk-management practices, which may help galvanize the GRC market in a way that compliance-related worries have not.
“As companies start looking at managing risk across the enterprise, they want to pull all of that information into one place for reporting and analytics,” says Forrester Research analyst Chris McClean.
Many vendors embraced the GRC moniker before they had much to offer in the risk area. Now they are building out their risk-management capabilities with new modules and a higher degree of integration, but it’s very much a work in progress.
A holistic view of risk would, ultimately, include the ability to generate a single report tracking every business risk. “There’s no product or service provider that actually does that, but if you’re the CFO or chief risk officer, that’s what you’re trying to migrate to,” says Gordon Burnes, vice president of marketing for OpenPages, a GRC platform provider.
Depending on the industry, the portion of a company’s risk profile that cannot be handled through the integrated platform approach may be significant. For Axis Capital, a commercial property-and-casualty insurance and reinsurance company, the biggest risks are catastrophic events like earthquakes and hurricanes. “A general-purpose GRC application can’t handle the kind of probabilistic, modeled data required to manage those risks,” says Anders Anderson, the company’s chief audit executive. Similarly, pharmaceutical firms are most exposed to risks related to drug testing and regulatory approvals, for which specialized software is needed.