Enterprise Governance, Risk & Compliance
Hypatia Research assesses governance, risk, and compliance solutions as a continuum of people, process, and technology. The spectrum extends from enterprise GRC (eGRC) software solutions on one side to IT GRC software solutions on the other. At the extreme end of the enterprise side lies the element of business risk, which combines human elements such as instinct and experience with metrics for decision-making. At the extreme end of the IT side lie highly automated digital controls for managing data access. In between, multiple elements and processes overlap, incorporating capabilities such as assessment; auditing; compliance with industry, partner, and government regulations; and workflow, all of which combine elements of human assessment, business processes, and enabling technologies.
To get a sense of current attitudes toward GRC, Hypatia Research evaluated 23 GRC vendors and interviewed users of these applications. We also surveyed 664 global end-users of GRC software, and the results were stark: while just under 30 percent have been using GRC software for more than five years, another third have been doing so for less than five years, and still another 30 percent perform GRC processes manually using spreadsheets or other home-grown solutions. That represents a lot of room for growth.
Survey Respondent Profiles
Respondents operate primarily in Europe (41.5%), with healthy representation from the Asia Pacific (32.4%) and North America (26.1%) regions. Among the 664 respondents, the organizations were divided among SMBs (8%) with revenues under $100 million, mid-market (34.6%), and large enterprises (57.5%) with $2 billion or more in revenues.
Overwhelmingly, managers, directors, vice presidents and C-level executives directly accountable for or involved in their organization’s GRC initiatives were represented (81.5%) in our survey responses (figure 5). This strongly suggests that interest in the convergence of GRC is high among decision-makers and those directly accountable for governance, risk and compliance practices. Retail and CPG (15.7%), financial services (15.2%) excluding insurance (6.8%), and manufacturing (13.6%) comprised the largest industry sector representation, followed by telecommunications and media (11.5%).
“The Convergence of Enterprise GRC: Benchmarks & Vendor Galaxy Rankings” ©2014-2015 Hypatia Research Group, LLC. All rights reserved. No part of this research study may be repurposed, distributed, translated or published in any format without the express written consent of the Hypatia Research Group, LLC and its management.
Customer Identity Authentication in the age of digital interaction, customer engagement and commerce is a highly necessary component in protecting customers from fraud as well as for managing business risk. While many organizations often consider a certain percentage of fraudulent transactions as an acceptable (risk calculation) cost of doing business, the bigger issue is how to prevent fraud and identity-theft related losses while enhancing the trust, quality and security of the customer experience.
There are many types of identity authentication technologies available. Over 600 global practitioners (from manager to C-level) involved with customer engagement, call center, customer service & support, audit, risk, fraud and commerce were surveyed and/or interviewed for this 30+ page study. Only those who influence, use, hold budget for, or have veto power over investment in Customer Identity Authentication software and services were included in our analysis.
Vendors evaluated in this study include:
For related research, see “Enterprise GRC: Best Practices, Benchmarks & Vendor Galaxy™ Evaluations”. © 2015 Hypatia Research Group. All Rights Reserved.
The GRC market in 2014 is still highly fragmented. In too many instances, enterprises are still using GRC applications as departmental solutions to solve a specific issue relating to governance, risk, compliance, or security.
There’s a logical reason for this. Frequently, enterprises deploy a GRC solution to solve a specific problem. They’ve flunked an audit. They’ve discovered a security breach. They’re subject to a new regulation. (In short, they react.) Facing this urgency, they turn to a solution that’s simple and inexpensive to deploy. Short-term problem solved.
The problem with that strategy is that every department in an enterprise can benefit from the operational insight that GRC applications can provide. Tackling GRC on a departmental basis solves that department’s problem, but it doesn’t provide the enterprise-wide insight that helps companies understand where their capability gaps are. Nor is it particularly easy to integrate or aggregate the information to develop a consistent view for analysis.
The basic problem is a lack of collaboration, which leads to a lack of visibility. The legal, human resources, and finance departments are all separate and using different tools. No one is interested in the needs of the other divisions, and everyone mistrusts the others’ data. That means that at the top, there is no transparency into the overall risks.
Hypatia’s Product Matrix™: 2014 GRC Evaluation Methodology
Our due diligence included a 1) vendor briefing, 2) product demonstration and 3) customer reference interviews. In certain cases, customer references were obtained without vendor involvement through our professional network.
An effort to avoid “boiling the ocean” in our analysis of this highly fragmented vendor landscape compelled us to evaluate enterprise GRC software providers by 16 discrete yet interdependent dimensions. We affectionately refer to our Matrix as an AWD or 4X4 evaluation. Each vendor was ranked by the product features, functionality and professional service capabilities provided by the vendor itself rather than by partners or resellers. These criteria were used for our overall assessment of these software solution providers.