skip to Main Content

GRC

Last Updated:
Analyst Coverage:

Regulations and standards make it possible for markets and societies to operate, based on trust. Investment in building trust in a brand or organisation is key to attracting customers or partners, but the value established in a brand may be lost if its foundations have weaknesses. Organisations need to be able to share credentials of their own trustworthiness, as measured against regulations/standards (i.e. their compliance) – as well as to assess that of partners of many types. Each organisation’s own stakeholders (e.g. investors, officers, employees, and customers) may also need to validate or sustain their trust in what they are part of.

Governance Risk and Compliance (GRC) solutions support three interlinked sets of requirements for dealing with three key elements of operating organisations, and measuring trustworthiness:

  • Governance: the principles and system by which an organisation is controlled and operates, and the mechanisms by which it, and its people, are held to account
  • Risks: factors that could impede the organisation’s attainment of its objectives
  • Compliance: the means of complying with applicable laws, regulations, policies and procedures, standards, and other rules, whether issued by governments and regulatory bodies, or adopted by choice.

GRC graphic

At the highest level, GRC solutions support the board’s requirement to report on compliance with organisational objectives (including constraints), and risks that might impede those objectives. Also, some laws and regulations require the existence of an organizational capability to manage risk, and accurately report compliance.

Compliance activities, and the need to analyse and understand risk, break down across many different operational areas that have particular requirements. GRC solutions support at least a selection of these, including:

  • IT Risk (e.g. security threats, data integrity, system availability)
  • Third-party/Supply chain – physical risks, plus digital e.g. API integration, cloud-based services
  • Environmental, Health and Safety (EHS)
  • Environmental and Social Governance (ESG)
  • Legal compliance and risk
  • Financial
  • HR
  • Business Continuity
  • Quality
  • Privacy

Major events this century have driven up the profile and importance of GRC. The events of 9/11 brought a huge focus on risk and business continuity, while the collapse of Enron, and other high-profile corporate fraud cases, caused governments and regulatory  bodies to start to increase control measures, and therefore the compliance burden on companies.  Because the sheer volume of compliance requirements has increased so enormously over the long period since, this burden is a major strategic and operational headache for organisation of all sizes and types, and management of all related issues is impossible without an ability to handle GRC issues.

The primary usage of GRC solutions is the analysis and reporting of risk and compliance information, and the support of tracking organisational objectives. Risk analysis can also support decisions in operational areas supported by the GRC solution – the GRC information should not be treated as solely the domain of risk practitioners.
However, GRC solutions do not act as the primary system of record, or support primary operational processes, for any operational area (except those with risk management and compliance roles). Taking an element of IT Risk Management as an example, other vendors’ security solutions deal with the processes to combat threats, while the GRC capability focuses on the organisational risk context of current and potential threats, and could assess the financial ramifications arising from the risks (a requirement that security solutions don’t support).

Organisational risk practices vary in maturity, scope, and specialist focus (also strongly influenced by vertical sector), so some GRC vendors provide solution options for different types of risk practice e.g. Enterprise Risk Management (ERM), Operational Risk Management (ORM), Third Party Risk Management (TPRM), IT Risk Management (ITRM). These solutions options would all address common requirements such as risk modelling and risk registers, but would each support function-specific processes and data as well.

Core data used within GRC solutions includes the following:

  • Organisational structure, to support analysis and accountability
  • Compliance obligations and reporting requirements
  • Templates for policies, standards and legislation
  • Assets, to enable identifying financial value associated, and processes that transmit risk to the asset
  • Risk registers, enabling risk management processes to analyse and take action about risks
  • Controls, recording the means of managing risks
  • Business processes
  • Risk modelling templates

Technology is mission-critical to the delivery of processes across any organisation. Many roles and functions that manage or support delivery of those services could not get the same breadth of benefit from any technology other than GRC:

  • The CEO, for whom any risk represents potential reward and/or danger, can use GRC to enable higher performance by being able to assess risks and know which are potentially damaging, or managed appropriately. This capability can translate into key business decisions such as M&A, business model adaptation, revenue resilience, and reputation protection.
  • The CISO – pivotal to protecting digital assets and services – needs to translate security investment and protection into business-oriented language, Understood in its organisational context via a GRC solution, risk is that language and GRC the translation mechanism. This capability can further help the CISO to be more agile in supporting partnership with business teams and external providers.
  • Legal teams, who need to validate future, current and historical compliance with rapidly-changing regulation and legislation.
  • Procurement teams, who enable organisations to make strategic decisions about external sourcing, but are increasingly concerned with complex supply chain compliance issues (e.g. EHS, privacy, anti-bribery and anti-slavery legislation).
  • Finance teams in many sectors, aware of the threats to business viability posed by cyber-attacks, have taken on coverage from cyber-insurance products. This relatively new area of the insurance market has expanded and matured rapidly, but due to the explosion in cyber-attacks the volume of claims has also grown. Market forecasts indicate that insurers will move to exclude more categories of security risk from coverage, leaving organisations with higher losses. Consequently, it is all the more vital to ensure that security protection is matching cyber-risks – an assessment that may be less accurate and up-to-date if GRC is not integrated with the enterprise’s security solutions.

A developing feature of legislation has been to hold executives liable for non-compliance. Penalties in legal cases have proven more severe for individuals depending on degrees of negligence i.e. demonstrable efforts towards compliance can mitigate fines. GRC solutions act as a system of record, not only for information proving compliance but for the processes supporting compliance, on which regulators may focus as much as on the information held.

More companies than ever are affected by conducting business in a globalised era. Operating in different geographies increases the variety and complexity of regulatory and legislative responsibilities, which would be a very significant overhead if not for GRC solutions enabling adoption of common, standardised processes across those obligations for compliance and risk management.

A feature of many recently-minted regulations and standards (e.g. GDPR) is the extension of compliance into supply chain. This means that organisations sourcing elements of their operations or services from third parties are required to ensure their partners comply with the same obligations as the primary organisation. The compliance obligation often extends to any relevant degree in the supply chain e.g. from a third- to a fourth-party, and so on. This has increased the focus on all parties being able to prove their integrity in the context of such obligations. Compliance with common regulations, laws, and standards is table stakes for contract bids, and as a marketing feature – meaning that service providers and others may themselves need the support of GRC capabilities to manage and accurately report on compliance status when required.

A major technology trend across all types of organisation, likely to accelerate hugely in the near future, is the adoption of AI. When embedded in organisational processes, some types of AI could introduce much more flexible and autonomous decision-making than previously used. In some sectors, this will introduce new complexity to the accountability for processes, some of which could be regulated (e.g. in financial contexts, or dealing with customers). Adequate levels of assurance can only be gained by incorporating a governance process in the training and development of AI.  Regulation is already approved in some domains (e.g. the EU AI Act), and is likely to affect some organisations via supply chains even if they are not accountable as first parties. While a distinct market in AI Governance solutions is already developing, GRC solutions will be needed to enable risk management and a compliance approach to operational AI.

While data governance solutions are a separate market from GRC, any organisation’s GRC programme is dependent on the data used by its processes and technologies being subject to the proper care. Many compliance requirements can only be met if the integrity, accuracy, timeliness, authenticity, and provenance of organisational data is assured, and issues like access to data, and data security, are under proper control. As AI grows in importance within organisations, the value, quality and reliability of its capabilities will depend on the data ingested into the models underpinning the AI – so data governance will assume even greater importance.

The GRC solution market emerged around 20 years ago, spurred by the need from enterprises affected for something to help them deal with the Sarbanes-Oxley (SOX) Act in the US. A decade or so later it was a mature market, with well-established vendors and solutions – but new factors have caused continued growth and investment nonetheless.

The primary one was a wave of privacy legislation across many countries and regions, which brought compliance obligations to a broader range of enterprises, as well as a strong boost for them to adopt more mature risk management. Market activity has been re-energised and ranged from many innovative start-ups, free from legacy technology (e.g. ‘no-code’ solutions such as those from ReadiNow and RiskPoint), to substantial PE investment, and mergers/acquisitions between already-established GRC vendors. Players such as Diligent, Riskonnect, NAVEX Global, and SAI360 have increased their capabilities and market shares considerably via acquisitions. Their large-scale competitor MetricStream is an exception to the norm, in having developed its extensive solution without acquiring functional elements. A number of forecasts put the CAGR in the GRC market, to 2032, at 15%+.

Emerging vendors typically develop a specialism in a GRC market sub-segment at first, before expanding their solution to address a steadily broader range of requirements from the considerable total scope of GRC. In this way, they can expand their footprint within existing customers as well as attract new customers who may value a broader match to their overall requirements

While broad functional coverage within a solution provides easier integration and visibility across the whole enterprise’s risk management and compliance activities (i.e. a ‘platform’), it is still common for organisations to be using multiple GRC solutions. This can occur due to reasons such as disconnected historical adoption to address narrower requirements, and M&A bringing together user areas from previously separate companies.

Almost all GRC vendors are pure-play specialists in this solution area. Even the largest and most successful have not strategically stepped into other market spaces, focusing instead on developing their solutions to meet fast-growing requirements, and use better technology as that becomes mature. IBM and ServiceNow are the only sizeable exceptions. The most-adjacent markets in terms of user base and functionality are those of Security, and Data Governance, but vendors in those adjacent markets remain almost entirely separate from GRC. Indeed, the only major GRC solution owned by a security specialist, Archer, was spun off by RSA Security to become independent.

There is one notable crossover from the data governance and data management solutions space (OneTrust), which launched to serve data privacy requirements arising from GDPR and similar legislation, and has extended its focus to serve broader GRC requirements, and become a recognised player.

Solutions

  • 4CRiskAI logo
  • CYSTEL logo
  • Diligent logo
  • MetricStream logo
  • NAVEX logo
  • SERVICENOW logo
  • SURECLOUD logo

These organisations are also known to offer solutions:

  • Archer
  • CoreStream
  • LogicGate
  • OneTrust
  • Riskonnect
  • SAI360

Research

SureCloud GRC InBrief (cover Nov 2024)

SureCloud GRC

SureCloud’s range of GRC capabilities should be of interest to cyber-intensive organisations looking to minimise complexity and cost in their GRC operations.
4cRISK InBrief (Oct 2024 cover thumb)

AI Platform and GRC Support Solutions, by 4CRisk

4CRisk provides innovative AI-based functions that boost efficiency and insight when applied to specific organisational risk management and compliance use cases.
NAVEX InBrief (cover thumb Oct 2024)

NAVEX One

NAVEX One integrates technology, content, and data integration/insight into GRC processes, with a strength and heritage focus on HR-related compliance.
DILIGENT InBrief (cover thumb Oct 2024)

Diligent One

Diligent One combines risk, compliance, audit, ESG, and other GRC capabilities, which link with board-oriented governance/operations to offer extensive GRC insight and value.
MetricStream GRC InBrief cover

ConnectedGRC, by MetricStream

ConnectedGRC by MetricStream addresses a broad range of complex and interconnected organisational GRC-related challenges in today’s dynamic business environment.
00002863 - CYSTEL InBrief (cover)

Quantum Cyber GRC, by Cystel

Training and tools to enable planning and navigation of the organisational change needed to combat the threat to encryption protection from quantum computing.
00002859 - Experian data gov technology Spotlight (cover)

Experian continue to incorporate data governance technology into their portfolio

Experian continue to incorporate data governance technology Intozetta into their portfolio, including AI capabilities.
00002858 - SERVICENOW InBrief (cover thumbnail)

Integrated Risk Management, by ServiceNow

This Bloor InBrief piece covers the ServiceNow Integrated Risk Management (IRM) solution set, which supports a broad range of common GRC requirements.
Back To Top