But Axis manages many of its other risk factors — including those related to financial reporting, operations, and information technology — in a consolidated fashion through enterprise software from business-media giant Thomson Reuters, which last year acquired GRC supplier Paisley Inc. Successive versions of the software have allowed the company to get past its former “siloed” approach to risk management, Anderson says.
“By having things integrated in a single tool, we’re able to pull out single reports covering multiple components of our risk-management framework,” he says. “By no stretch is [Paisley] the only vendor we would consider working with, but we have found that we can make the tool do what we need it to do.”
From Compliance to Controls?
If a clear definition is lacking, a continuous stream of enhancements is not. Consider BWise, which announced a new version of its eponymous product in December. The pitch? New and enhanced functionality designed to provide more of an end-to-end view of risk management. While compliance is still important, “it’s not as sexy anymore,” says founder and chief technology officer Luc Brandts.
As sexy as risk management may be, many companies are in the early stages of infatuation. Before risks can be managed, they must be identified. “They want to have an idea of where they stand, and not in a very complex way but in an easy-to-digest way. That’s what we’ve built into this release,” Brandts says.
While risk is in vogue, what ultimately may prove most notable about the updated BWise product is its inclusion of continuous controls monitoring (CCM) functionality. The GRC software market can be broadly divided into products that oversee risk-management and compliance programs and those that automate and monitor controls. According to Brandts, by integrating CCM into its platform, BWise is looking into the future. “I think three years from now there won’t be two separate markets,” he says.
If that proves true, the two dominant players in another major business-software sector, enterprise resource planning, may be prime catalysts.
In 2006, SAP AG acquired Virsa Systems, a compliance-software company with a CCM tool. Oracle Corp. matched that move the following year when it bought LogicalApps. Since then they have marketed themselves as GRC vendors. With their main focus on controls automation, though, their approach has been different from that of GRC specialty firms such as BWise, Paisley, OpenPages, Archer Technologies, and MetricStream, notes Forrester’s McClean.
But their slate of other GRC capabilities is filling in, and they have a compelling carrot: a potentially more seamless integration between GRC and ERP platforms. Indeed, most of their GRC sales so far have been to their existing customers, although that is a huge potential market in itself.
Sharp Electronics has been a user of SAP’s ERP since 2001, so when the company began to evaluate GRC vendors in preparation for its 2008 initial compliance with the new Japanese Financial Instruments and Exchange Law (essentially, Japan’s version of the Sarbanes-Oxley Act), SAP was an easy choice.