“We did look at other suppliers, but they didn’t have the integration with SAP for automated reports or other things we wanted,” says Tom Trainor, assistant controller for process management and business controls. “It would have been additional work to use another provider.”
SAP and Oracle are “definitely affecting the market,” says McClean. “Unless there’s a big implementation already, they’re not competing for [GRC] deals very often, but that’s starting to change.”
In December, Oracle boosted its GRC street cred by releasing Oracle Enterprise GRC Manager, along with an update to its existing controls product. The new platform is touted for its support of cross-enterprise, risk-based modeling, analysis, and decision-making, and for its ability to manage interdependent risks and compliance initiatives within a single system.
Two years ago, says Chris Leone, group vice president of applications development, every GRC system Oracle sold was solely for the purpose of financial governance. Last year, customers began to indicate a desire to expand risk management to other areas of the business, and Oracle now finds itself selling multiple GRC modules beyond financial governance that give visibility to other kinds of risks, like those pertaining to health and safety, suppliers, and IT, according to Leone.
Meanwhile, the newest application within SAP’s GRC platform, released in December, is designed to help manage sustainability initiatives. Most large companies are now reporting on those efforts, but they may have trouble tracking them and identifying risks, SAP says, particularly given the proliferation of standards and guidelines related to sustainability. The new module joins a product lineup that covers enterprise risk management, access controls, process controls, global trade services, and health and safety management.
SAP will roll out more GRC capabilities in 2010, says Ranga Bodla, senior director of GRC solution marketing. The goal is to free customers from “an endless loop” in which they find a problem, report on it, fix it, and go on to the next problem. “That is unsustainable,” he says, so SAP’s focus is on “automating more and more” risk-management processes. It may not be possible or even desirable to eliminate silos within organizations, he adds, but creating more visibility around risks will at least help define risk-tolerance thresholds.
Eventually, though, the silos are likely to crumble. “Everybody is starting to recognize that managing things in a siloed manner runs significant risks,” says William Miller, controller of a subsidiary that manages the IT operations for Nationwide Insurance. “It’s expensive, it’s not efficient, and you can miss the forest for the trees.” That forest-for-the-trees metaphor nicely sums up what GRC is trying to do; vendor marketing departments should take note.
David McCann is senior editor for technology at CFO.
GRC Investment: Back on Track in 2010
Companies will spend $30 billion, mostly on internal management and external consulting.
After two years of decline, U.S. companies’ spending on governance, risk, and compliance (GRC) will grow by 3.9% this year, according to a November 2009 report by AMR Research. The outlay is expected to reach $29.8 billion, though technology — software, hardware, and integration — constitutes less than a third ($9.2 billion).
Almost half of the total is for day-to-day internal management and execution across lines of business and functions like IT, legal, and audit. Another chunk is for external consulting, implementation, and outsource services. “GRC is still an intensely human effort,” AMR says.
The recession significantly slowed the market’s growth. In early 2008, AMR forecast that spending would hit $33.5 billion in 2009. Instead, it reached only $28.7 billion, or 14% less than predicted. “We thought it was going to take off like a rocket,” says AMR analyst John Hagarty. But when money grew tight, the GRC market suffered because “this stuff is often considered discretionary — a good business practice, but not essential.”
Some vendors have fared better than others. Archer Technologies, a smaller enterprise-software supplier whose technology has received good reviews, saw revenue leap more than 30% last year, to $31 million, according to marketing vice president Alex Bender. “Our clients continue to expand their GRC programs and make them more enterprisewide,” he says. — D.M.