
CFO Magazine, January/February 2010 Issue

GRC: The Solution Remains Elusive

Software that unites governance, risk, and compliance continues to evolve – slowly.

February 1, 2010

The software category known as "governance, risk, and compliance" ended 2009 pretty much where it began: still lacking a clear identity. Any apt description of GRC, in fact, remains tantamount to, as one industry insider puts it, "an academic definition of the word mess."

It is an open question whether the GRC umbrella — stretching over at least 20 substantially different "enterprise platforms" plus an immense array of more-focused products that address specific facets of GRC (often tailored for a specific industry's needs) — has any definition at all. "There's no arguing that from a buyer's perspective, 'GRC software' doesn't exist today," Ventana Research analyst Robert Kugel wrote recently.

But even as its marketers struggle to explain GRC, the software itself is becoming more capable of managing governance, risk, and compliance on a cross-functional, integrated basis — a long-standing need that is intensifying as customers increasingly find that their jury-rigged "solutions" aren't up to that task.

Many companies are still saddled with narrow, duplicative approaches to GRC that lead to both economic and operational inefficiencies. Extra costs accrue when, for example, several different business units and functions separately track and manage a single risk factor — especially if, as is common, each buys its own software for the task. GRC platforms aim to solve that by offering data mapping, workflow, content management, and reporting, on top of which specific-purpose modules can be added.

While most GRC products were created as compliance aids, it is the "R" in the acronym that has driven the evolution toward a more flexible architecture. Managing and mitigating risks has taken an overwhelming lead as the top priority for GRC investments, according to a recent survey of 151 companies by AMR Research.

A confluence of events — the implosion of the risk-embracing financial-services sector, heightened pressure from the Securities and Exchange Commission regarding risk disclosure, high-profile product recalls, and increasing Foreign Corrupt Practices Act prosecutions — has renewed interest in risk-management practices, which may help galvanize the GRC market in a way that compliance-related worries have not.

"As companies start looking at managing risk across the enterprise, they want to pull all of that information into one place for reporting and analytics," says Forrester Research analyst Chris McClean.

Many vendors embraced the GRC moniker before they had much to offer in the risk area. Now they are building out their risk-management capabilities with new modules and a higher degree of integration, but it's very much a work in progress.

A holistic view of risk would, ultimately, include the ability to generate a single report tracking every business risk. "There's no product or service provider that actually does that, but if you're the CFO or chief risk officer, that's what you're trying to migrate to," says Gordon Burnes, vice president of marketing for OpenPages, a GRC platform provider.

Depending on the industry, the portion of a company's risk profile that cannot be handled through the integrated platform approach may be significant. For Axis Capital, a commercial property-and-casualty insurance and reinsurance company, the biggest risks are catastrophic events like earthquakes and hurricanes. "A general-purpose GRC application can't handle the kind of probabilistic, modeled data required to manage those risks," says Anders Anderson, the company's chief audit executive. Similarly, pharmaceutical firms are most exposed to risks related to drug testing and regulatory approvals, for which specialized software is needed.

But Axis manages many of its other risk factors — including those related to financial reporting, operations, and information technology — in a consolidated fashion through enterprise software from business-media giant Thomson Reuters, which last year acquired GRC supplier Paisley Inc. Successive versions of the software have allowed the company to get past its former "siloed" approach to risk management, Anderson says.

"By having things integrated in a single tool, we're able to pull out single reports covering multiple components of our risk-management framework," he says. "By no stretch is [Paisley] the only vendor we would consider working with, but we have found that we can make the tool do what we need it to do."

From Compliance to Controls?
If a clear definition is lacking, a continuous stream of enhancements is not. Consider BWise, which announced a new version of its eponymous product in December. The pitch? New and enhanced functionality designed to provide more of an end-to-end view of risk management. While compliance is still important, "it's not as sexy anymore," says founder and chief technology officer Luc Brandts.

As sexy as risk management may be, many companies are in the early stages of infatuation. Before risks can be managed, they must be identified. "They want to have an idea of where they stand, and not in a very complex way but in an easy-to-digest way. That's what we've built into this release," Brandts says.

While risk is in vogue, what ultimately may prove most notable about the updated BWise product is its inclusion of continuous controls monitoring (CCM) functionality. The GRC software market can be broadly divided into products that oversee risk-management and compliance programs and those that automate and monitor controls. According to Brandts, by integrating CCM into its platform, BWise is looking into the future. "I think three years from now there won't be two separate markets," he says.

