Most business executives only spend money when they foresee a reasonable return on the investment, unless there is some other compelling reason for the expense — like keeping them out of jail.
To a large extent, the development of governance, risk management and compliance (GRC) technologies was spurred not by the promise of financial return, but by the provisions for stiff fines and prison terms in the Sarbanes Oxley Act (SOX).
When President George Bush said: “No more easy money for corporate criminals, just hard time,” the business community knew that the U.S. government meant business and would enforce SOX, which Bush signed into law on July 30, 2002.
“We kind of went from zero to 60 in a pretty short time,” said John Hagerty, a vice president at AMR Research.
“There are a lot of factors behind the growth of GRC, but the most important one was SOX,” agreed Forrester Research analyst Chris McClean.
Slower Growth in a Big Market
Seven years after the enactment of Sarbanes-Oxley, however, the pace of GRC implementation appears to have hit a plateau. That doesn’t mean the GRC technology market will shrink — it just won’t grow as fast as it did during the first wave of SOX compliance activities.
The GRC market is already huge. It is likely to reach US$33.5-billion in 2009, according to AMR. Of that total, $11 billion will be spent on technology, $9.3 billion will be directed to services, and just over $13 billion will be spent on “head count,” or personnel dealing with GRC issues in some fashion.
“There is still a lot of original legal compliance work to be done that will justify GRC spending, but we are also beginning to see some caution with managements looking to determine an ROI before they spend,” AMR’s Hagerty told the E-Commerce Times.
“Some companies are looking for the GRC investment to pull double or triple duty,” he remarked. For example, companies seeking to upgrade their procurement operation to meet legal and ethical standards may seek technology programs that also provide ways to streamline the procurement function in general.
The GRC market “is pretty complex,” Forrester’s McClean told the E-Commerce Times, who noted that many companies are still at the first stages of implementing a GRC program, based mainly on regulatory and compliance issues.
“But there are dozens of applications that go beyond compliance which still fit into the GRC range,” he continued. “In the risk management category, a quality control program improves a company’s product, but that can also count as a program that helps reduce risk.”
Currently, the GRC market represents the sum total of expenditures allocated to a wide range of activities that have something to do with governance, such as ethics, compensation and transparency; risk issues such as IT security or a “credit crunch”; and compliance issues such as regulation by government agencies.
Long-Term Enterprise Approach
It is becoming clear that GRC is maturing as a concept. While some applications for GRC technologies will always be used as short-tem responses to put the fire out in terms of meeting laws and regulations, there is a discernible movement toward the use of GRC solutions for a more comprehensive risk reduction purpose throughout an enterprise.
“GRC is shorthand for an integrated system of people, process and technology that helps any organization obtain the achievement of business objectives while staying within the boundaries of conduct set by laws and organizational values,” Carole Switzer, president of the Open Compliance and Ethics Group, told the E-Commerce Times.
The key concept is “integrated” — an element that is central to a productive deployment of GRC technologies.
For many organizations, embarking on a full-scale enterprise-wide GRC program all at once may be formidable in terms of management commitment and cost. For such firms, an incremental approach may be the most appropriate way to achieve the enterprise GRC goal. Components of GRC can be implemented in phases — a document management program one year, an audit program the next, and so on.
Although awareness of an enterprise approach to GRC is starting to take hold, a post-SOX syndrome appears to be setting in as well. With the immediate SOX compliance requirements met, many companies are using business tools such as ROI to justify GRC investments.
There’s a prevailing atmosphere of caution regarding GRC expenditures, suggests an OCEG survey released in early October.
Marketing to a ‘Point of Pain’
About 21 percent of the respondents in the survey — which involved about 570 subjects across a broad spectrum of small, medium and large companies or government agencies — had no plans at all for GRC spending in 2009. Another 41 percent said they would spend less than $100,000 on GRC this year.
About 12 percent said they would invest more than $500,000 in GRC efforts in 2009. Sixty percent of respondents planned to increase GRC spending in 2009 versus 2008, while 40 percent sad they would spend less.
About 50 percent of respondents either “somewhat” or “strongly” agreed that they could not get budget authority, or make a “compelling” case to management for IT investments in GRC programs.
Nearly 50 percent of the respondents expressed at least some doubt that technology solutions now exist in the market “to meet the needs of our GRC professionals.”
Perhaps because the GRC market is still relatively new — and because GRC applications cover a wide range of activities, especially in the risk reduction category — the vendor market is both large and fragmented.
“There are over 700 vendors that describe themselves as GRC IT providers, and most address only small portions, but that doesn’t mean those portions aren’t critical,” said OCEG’s Switzer.
“Each group of vendors is important, as each comes from a unique angle to push the maturity and depth of capabilities of the GRC space as a whole,” observed Forrester’s McClean.
To help businesses sort out the maze of offerings in the GRC technology sector OCEG plans to release a market guide by early November.
“Some companies, like Symantec, Sun and Novell, deal with security issues,” said Hagerty, “while others, like SAP and Oracle, organize their GRC programs around business activities.”
There are several pure-play providers that specialize in GRC applications, as opposed to larger IT firms that handle GRC as part of a wide offering of IT applications.
Among the pure play providers are OpenPages, BWise, MetricStream and Archer Technologies, noted McClean. Some large companies have recently acquired pure play vendors — for example, Thomson Reuters absorbed Paisley and Wolters Kluwer acquired Axentis.
By virtue of its multiple offerings dealing with GRC issues, Microsoft is still the dominant player in GRC, notes Corporate Integrity CEO Michael Rasmussen.
Whether a vendor is a niche player or a full-service provider, it appears that it will take more effort in the future to successfully market GRC products.
Despite the recognition that an integrated, enterprise strategy may be the best approach, AMR’s Hagerty noted that GRC purchasing “may still come down to reacting to a point of pain.”