GRC

Regulations and standards make it possible for markets and societies to operate, based on trust. Investment in building trust in a brand or organisation is key to attracting customers or partners, but the value established in a brand may be lost if its foundations have weaknesses. Organisations need to be able to share credentials of their own trustworthiness, as measured against regulations/standards (i.e. their compliance) – as well as to assess that of partners of many types. Each organisation’s own stakeholders (e.g. investors, officers, employees, and customers) may also need to validate or sustain their trust in what they are part of.

Governance, Risk and Compliance (GRC) solutions support three interlinked sets of requirements, covering three key elements of operating an organisation and measuring its trustworthiness:

  • Governance: the principles and system by which an organisation is controlled and operates, and the mechanisms by which it, and its people, are held to account
  • Risks: factors that could impede the organisation’s attainment of its objectives
  • Compliance: the means of complying with applicable laws, regulations, policies and procedures, standards, and other rules, whether issued by governments and regulatory bodies, or adopted by choice.


At the highest level, GRC solutions support the board’s requirement to report on compliance with organisational objectives (including constraints), and on risks that might impede those objectives. Also, some laws and regulations require the existence of an organisational capability to manage risk and to accurately report compliance.

Compliance activities, and the need to analyse and understand risk, break down across many different operational areas that have particular requirements. GRC solutions support at least a selection of these, including:

  • IT Risk (e.g. security threats, data integrity, system availability)
  • Third-party/Supply chain – physical risks, plus digital e.g. API integration, cloud-based services
  • Environmental, Health and Safety (EHS)
  • Environmental and Social Governance (ESG)
  • Legal compliance and risk
  • Financial
  • HR
  • Business Continuity
  • Quality
  • Privacy

Major events this century have driven up the profile and importance of GRC. The events of 9/11 brought a huge focus on risk and business continuity, while the collapse of Enron, and other high-profile corporate fraud cases, caused governments and regulatory bodies to increase control measures, and therefore the compliance burden on companies. Because the sheer volume of compliance requirements has increased so enormously over the long period since, this burden is a major strategic and operational headache for organisations of all sizes and types, and managing the related issues is impossible without a dedicated GRC capability.

The primary usage of GRC solutions is the analysis and reporting of risk and compliance information, and the support of tracking organisational objectives. Risk analysis can also support decisions in operational areas supported by the GRC solution – the GRC information should not be treated as solely the domain of risk practitioners.
However, GRC solutions do not act as the primary system of record, or support primary operational processes, for any operational area (except those with risk management and compliance roles). Taking an element of IT Risk Management as an example, other vendors’ security solutions deal with the processes to combat threats, while the GRC capability focuses on the organisational risk context of current and potential threats, and could assess the financial ramifications arising from the risks (a requirement that security solutions don’t support).

Organisational risk practices vary in maturity, scope, and specialist focus (also strongly influenced by vertical sector), so some GRC vendors provide solution options for different types of risk practice, e.g. Enterprise Risk Management (ERM), Operational Risk Management (ORM), Third Party Risk Management (TPRM), and IT Risk Management (ITRM). These solution options all address common requirements such as risk modelling and risk registers, but each also supports function-specific processes and data.

Core data used within GRC solutions includes the following:

  • Organisational structure, to support analysis and accountability
  • Compliance obligations and reporting requirements
  • Templates for policies, standards and legislation
  • Assets, to enable identifying financial value associated, and processes that transmit risk to the asset
  • Risk registers, enabling risk management processes to analyse and take action about risks
  • Controls, recording the means of managing risks
  • Business processes
  • Risk modelling templates

Technology is mission-critical to the delivery of processes across any organisation. Few technologies other than GRC offer the same breadth of benefit to the many roles and functions that manage or support delivery of those services:

  • The CEO, for whom any risk represents potential reward and/or danger, can use GRC to enable higher performance by being able to assess risks and know which are potentially damaging, or managed appropriately. This capability can translate into key business decisions such as M&A, business model adaptation, revenue resilience, and reputation protection.
  • The CISO – pivotal to protecting digital assets and services – needs to translate security investment and protection into business-oriented language. Understood in its organisational context via a GRC solution, risk is that language and GRC the translation mechanism. This capability can further help the CISO to be more agile in supporting partnerships with business teams and external providers.
  • Legal teams, who need to validate future, current and historical compliance with rapidly-changing regulation and legislation.
  • Procurement teams, who enable organisations to make strategic decisions about external sourcing, but are increasingly concerned with complex supply chain compliance issues (e.g. EHS, privacy, anti-bribery and anti-slavery legislation).
  • Finance teams in many sectors, aware of the threats to business viability posed by cyber-attacks, have taken on coverage from cyber-insurance products. This relatively new area of the insurance market has expanded and matured rapidly, but due to the explosion in cyber-attacks the volume of claims has also grown. Market forecasts indicate that insurers will move to exclude more categories of security risk from coverage, leaving organisations with higher losses. Consequently, it is all the more vital to ensure that security protection is matching cyber-risks – an assessment that may be less accurate and up-to-date if GRC is not integrated with the enterprise’s security solutions.

A developing feature of legislation has been to hold executives liable for non-compliance. Penalties in legal cases have proven more severe for individuals depending on the degree of negligence, i.e. demonstrable efforts towards compliance can mitigate fines. GRC solutions act as a system of record, not only for information proving compliance but for the processes supporting compliance, on which regulators may focus as much as on the information held.

More companies than ever are affected by conducting business in a globalised era. Operating in different geographies increases the variety and complexity of regulatory and legislative responsibilities, which would be a very significant overhead if not for GRC solutions enabling adoption of common, standardised processes across those obligations for compliance and risk management.

A feature of many recently-minted regulations and standards (e.g. GDPR) is the extension of compliance into supply chain. This means that organisations sourcing elements of their operations or services from third parties are required to ensure their partners comply with the same obligations as the primary organisation. The compliance obligation often extends to any relevant degree in the supply chain e.g. from a third- to a fourth-party, and so on. This has increased the focus on all parties being able to prove their integrity in the context of such obligations. Compliance with common regulations, laws, and standards is table stakes for contract bids, and as a marketing feature – meaning that service providers and others may themselves need the support of GRC capabilities to manage and accurately report on compliance status when required.

A major technology trend across all types of organisation, likely to accelerate hugely in the near future, is the adoption of AI. When embedded in organisational processes, some types of AI could introduce much more flexible and autonomous decision-making than previously used. In some sectors, this will introduce new complexity to the accountability for processes, some of which could be regulated (e.g. in financial contexts, or dealing with customers). Adequate levels of assurance can only be gained by incorporating a governance process in the training and development of AI. Regulation is already approved in some domains (e.g. the EU AI Act), and is likely to affect some organisations via supply chains even if they are not accountable as first parties. While a distinct market in AI Governance solutions is already developing, GRC solutions will be needed to enable risk management and a compliance approach to operational AI.

While data governance solutions are a separate market from GRC, any organisation’s GRC programme is dependent on the data used by its processes and technologies being subject to the proper care. Many compliance requirements can only be met if the integrity, accuracy, timeliness, authenticity, and provenance of organisational data is assured, and issues like access to data, and data security, are under proper control. As AI grows in importance within organisations, the value, quality and reliability of its capabilities will depend on the data ingested into the models underpinning the AI – so data governance will assume even greater importance.

The GRC solution market emerged around 20 years ago, spurred by the need from enterprises affected for something to help them deal with the Sarbanes-Oxley (SOX) Act in the US. A decade or so later it was a mature market, with well-established vendors and solutions – but new factors have caused continued growth and investment nonetheless.

The primary one was a wave of privacy legislation across many countries and regions, which brought compliance obligations to a broader range of enterprises, as well as a strong boost for them to adopt more mature risk management. Market activity has been re-energised and ranged from many innovative start-ups, free from legacy technology (e.g. ‘no-code’ solutions such as those from ReadiNow and RiskPoint), to substantial PE investment, and mergers/acquisitions between already-established GRC vendors. Players such as Diligent, Riskonnect, NAVEX Global, and SAI360 have increased their capabilities and market shares considerably via acquisitions. Their large-scale competitor MetricStream is an exception to the norm, in having developed its extensive solution without acquiring functional elements. A number of forecasts put the CAGR in the GRC market, to 2032, at 15%+.

Emerging vendors typically develop a specialism in a GRC market sub-segment at first, before expanding their solution to address a steadily broader range of requirements from the considerable total scope of GRC. In this way, they can expand their footprint within existing customers as well as attract new customers who may value a broader match to their overall requirements.

While broad functional coverage within a solution provides easier integration and visibility across the whole enterprise’s risk management and compliance activities (i.e. a ‘platform’), it is still common for organisations to be using multiple GRC solutions. This can occur due to reasons such as disconnected historical adoption to address narrower requirements, and M&A bringing together user areas from previously separate companies.

Almost all GRC vendors are pure-play specialists in this solution area. Even the largest and most successful have not strategically stepped into other market spaces, focusing instead on developing their solutions to meet fast-growing requirements, and use better technology as that becomes mature. IBM and ServiceNow are the only sizeable exceptions. The most-adjacent markets in terms of user base and functionality are those of Security, and Data Governance, but vendors in those adjacent markets remain almost entirely separate from GRC. Indeed, the only major GRC solution owned by a security specialist, Archer, was spun off by RSA Security to become independent.

There is one notable crossover from the data governance and data management solutions space (OneTrust), which launched to serve data privacy requirements arising from GDPR and similar legislation, and has extended its focus to serve broader GRC requirements, and become a recognised player.

Solutions

These organisations are also known to offer solutions:

  • Archer
  • CoreStream
  • Diligent
  • LogicGate
  • MetricStream
  • NAVEX Global
  • OneTrust
  • Riskonnect
  • SAI360
  • ServiceNow
