GRC in 2014: Still Fragmented After All These Years

Since Hypatia Research Group first covered the governance, risk & compliance software market in 2011, much has changed. Much hasn’t. (See “Enterprise Convergence of GRC 2011: Best Practices, Benchmarks & Vendor Evaluations”.)

The market for governance, risk and compliance (GRC) software is still a maelstrom, one that breeds confusion among customers and vendors alike. Some vendors offer GRC for the enterprise, known as eGRC, which focuses on strategic and operational risk management. Others offer what is known as IT-GRC, which focuses on monitoring access and communications for compliance.

The fact that both branches of GRC use technology to automate highly complex processes is confusing. The fact that many vendors offer capabilities that overlap into both areas is confusing. The fact that many vendors offer limited pieces of the GRC puzzle is confusing.

In 2011 we found a highly fragmented, often confusing market, with most offerings split along two lines: GRC for IT, focused on security and data access, and GRC for the enterprise, focused on risk management and compliance. At that time we strongly urged enterprises to look for applications that integrated these two capabilities, in order to develop a holistic view of the enterprise that provides both insight and consistency across multiple areas.

The good news in 2014 is that enterprises have begun to see the value in GRC applications. (See “The Convergence of Enterprise GRC: Benchmarks & Vendor Galaxy Rankings” ©2014 Hypatia Research Group, LLC). The bad news is that the market is still fragmented; many vendors are still enticing enterprises with point solutions that solve pressing problems but not long-term ones. This narrow focus on GRC can present its own challenges later.

To get a sense of current attitudes toward GRC, Hypatia Research Group evaluated more than 20 GRC vendors and interviewed users of their applications. We also surveyed 664 end-users of GRC software, and the results were stark: just 30 percent had been using GRC software for more than five years, another third for less than five years, and a further 30 percent still perform GRC processes manually using spreadsheets or other home-grown tools. That represents significant room for expansion.

Usage Moves from Reactive to Proactive
But in our research into the applications themselves, the news is heartening. We found a number of applications that share our view that integration, not only between internal modules but also with external data sources, is imperative. Several vendors impressed us with state-of-the-art features that indicate forward-thinking insight into user needs; many have a strong sense of how their applications will accommodate emerging technology such as mobile devices, social media, and big data.

Still, one thing has not changed in this updated research. Hypatia Research Group’s assessment is that enterprises will gain the most value from GRC applications that provide more than a sense of insurance. Too often, enterprises invest in and deploy GRC applications in reaction to a mandate: comply with this regulation; adhere to this service-level agreement; protect access to this data.

Instead, GRC applications have the potential to help enterprises be proactive – to identify potential problems before they manifest themselves; to understand risks before they’ve invested too many resources; to prevent adverse events before they cause damage to revenues, reputation, or both.

Challenges Continue
This capability is not without its challenges. GRC applications that provide that kind of enterprise-wide insight tend to be far more expensive than counterparts that focus on narrow areas. They require a high level of collaboration among executives from multiple departments (finance, information technology, operations), all of whom may have different agendas or, more commonly, already-installed applications that work fine for their own needs but not for the greater good of the enterprise.

As we noted in 2011, not since ERP applications became popular has there been a class of application that so intensely requires equal attention to people, process, and technology. Like ERP applications, GRC applications can be time-consuming to deploy, though with the increasing availability of cloud solutions enterprises can derive the benefits of GRC sooner. In a world of ever-changing and ever-increasing regulations, having a service provider push regulatory updates via a subscription or content library, much as a security provider updates malware definitions, can be helpful.

In addition, the topic itself covers so many areas, many of which overlap, that companies’ efforts are hampered. Governance covers not only how data is accessed, protected, and secured, but also adherence to everything from partnership contracts and service-level agreements to internal policies. Risk covers investment in new products, geographic expansion, and exposure to lawsuits and reputation damage. Compliance covers not only industry-specific governmental regulations, such as those for the finance, healthcare, and energy industries, but also broader government regulations such as maintaining the privacy of customer data; add to this compliance with industry standards for the manufacturing and pharmaceutical industries.

Hypatia’s Assessment
Based on our research into the global GRC market and the success stories it surfaced, Hypatia Research believes that the GRC software segment has great potential not only to make passing audits easier but to support corporate performance management goals. This viewpoint is predicated on the ability of vendors to deliver solutions that converge IT and enterprise GRC capabilities: solutions based not on solving specific issues, but on flexibly addressing, at a holistic and integrated level, all of the interlocking governance, risk, and compliance issues that companies face no matter where or in what industries they do business.

As with ERP, enterprise-wide GRC provides an unprecedented level of consistency, accuracy, and auditability that is vital to understanding not only how the enterprise works, but how it can work better through deeper insight and better controls.

We strongly urge enterprises currently using or considering GRC applications to think beyond the problems they’re trying to solve toward the performance they’re trying to achieve.

For more information on vendor evaluations, best practices, maturity models, and derivative reports by country, size, industry or function, or for vendor selection advisory, please contact research@HypatiaResearch.com.

“The Convergence of Enterprise GRC: Benchmarks & Vendor Galaxy Rankings” ©2014 Hypatia Research Group, LLC. All rights reserved. No part of this blog may be repurposed, distributed, translated or published in any format without the express written consent of the Hypatia Research Group, LLC and its management.

About Hypatia Research Group
Hypatia delivers high impact market and customer intelligence research, industry benchmarking, best practices, technology vendor selection, ROI assessment, and consulting services that reduce cycle-time and influence customer management, product strategy and channel development goals. Since 2001, clients have relied on our industry insight, expertise and independent research for guidance in assessing various technology, solution and service options.