Customer Successes Are Making A Powerful Case For Broader IT GRC Adoption
Countering the market challenges listed above, IT GRC vendors continue to demonstrate large and successful deployments in organizations that range in size and industry. Even as concerns grow over mounting regulations, cyberwarfare, privacy, and fraud, it will be these customer case success stories as much as anything else that will pave the way for the market to reach its potential. This will mean that a long line of other competitors will come to compete in the IT GRC market, but it also means that the vendors currently in the space are well-positioned to take advantage.
IT GRC And Enterprise GRC Are Much Closer, But Still Separate, Markets
Forrester continues to field inquiries from organizations interested in adopting a single GRC platform to manage risk and compliance efforts related to IT and enterprise domains. For many of them, there are viable solutions; vendors historically focused on enterprise GRC are supporting content like the Unified Compliance Framework (UCF) and offering integration capabilities with security and IT management applications, while vendors historically focused on the IT GRC market are offering more enterprise-relevant content and delivering more product flexibility to support enterprise GRC functions.
However, even as the vendors demonstrate better capabilities and more implementations, the vast majority of vendor selection projects lean one direction or the other — reflecting the still substantial gap that exists in most organizations between the IT and enterprise GRC functions. Based on this distinction, Forrester conducted two simultaneous Wave evaluations: one for enterprise and one for IT.
There are minor modifications in the criteria for these two Forrester Waves. For example, the IT GRC Wave evaluates asset management instead of audit management capabilities, and many of the criteria have less demanding score requirements, because IT GRC is still a less mature market.
Security And Risk Pros Are Only Starting To Realize The Promises Of IT GRC
The business case seems straightforward enough. When IT departments couldn’t maintain oversight and control of all their point control products, they turned to event management and monitoring tools to put that information into context and prioritize efforts. When these same departments became overloaded with alerts and alarms, GRC was the natural next step needed to put this information into context and prioritize efforts. The IT GRC market even had a broad set of test cases to learn from, as the enterprise GRC market had a few years’ head start and happily demonstrated the right and wrong ways to support risk and compliance functions with technology.
But even with all this promise, the IT GRC vendor market may only now be showing signs of meeting the growth and adoption numbers many have been expecting for the past four to five years.
This is true for three primary reasons:
1. IT GRC customer needs are often more complicated than those of their enterprise colleagues. While the enterprise GRC market got a shot in the arm from the control documentation and policy attestation aspects of Sarbanes-Oxley requirements, IT risk and compliance professionals dealing with PCI, HIPAA, ISO certification, and privacy laws are typically looking for more sophisticated control mapping, asset management, and product integration functionality.
IT GRC vendors have responded well by integrating with security point solutions for risk and control data aggregation and delivering complex control frameworks in the products to facilitate more efficient compliance reporting. However, these vendors have also had to respond to customers’ demands for fundamentals like usability, flexibility, and scalability, and as this list increases, these vendor development resources are stretched.
2. It’s more difficult to pinpoint a single use case to launch an IT GRC initiative. In addition to the range of strict regulatory requirements, IT security and risk professionals struggle with responsibilities such as security strategy, metrics, vulnerability management, third-party risk management, remediation management, business continuity planning, and a host of others. IT GRC platforms have capabilities that can support all of these functions, which makes for a compelling business case, but at the same time much more complicated vendor selection and implementation processes.
3. IT risk and compliance issues don’t usually get the executive visibility they deserve. Although many firms may list one or two IT risks among their corporate top 10, most heads of IT security and risk tell Forrester they struggle to get visibility with their corporate executives and boards (until there’s a breach, that is). Without the same executive pressure that comes along with Sarbanes-Oxley and other corporate compliance mandates, IT GRC implementations usually need to stand on more thorough business justification or cost/benefit analysis.
IT GRC And Enterprise GRC Are Much Closer But Still Separate Markets
Forrester continues to field inquiries from organizations interested in adopting a single GRC platform to manage risk and compliance efforts related to IT and enterprise domains. For many of them, there are viable solutions — vendors historically focused on enterprise GRC are supporting content like the Unified Compliance Framework and offering integration capabilities with security and IT management applications, while vendors historically focused on the IT GRC market are offering more enterprise-relevant content and delivering more product flexibility to support enterprise GRC functions.
However, even as the vendors demonstrate better capabilities and more implementations, the vast majority of vendor selection projects lean one direction or the other — reflecting the still substantial gap that exists in most organizations between the IT and enterprise GRC functions. Based on this distinction, Forrester conducted two simultaneous GRC platform Wave evaluations: one for enterprise and one for IT.
There are minor modifications in the criteria for these two Waves. For example, the enterprise GRC Wave evaluates audit management instead of asset management capabilities, and many of the criteria have more demanding score requirements to reflect the greater maturity of that market.
Customers Stretch The Functions Of GRC And Validate The Platform Approach (Forrester)
In early 2011, we fielded an unexpected customer question: “Will enterprise GRC software deployments ever be on par with ERP?” While this was little more than amusing speculation, the question reflects the effectiveness with which GRC software has extended its reach into customer organizations — and the extent of potential growth that remains. And while it’s unlikely that the average GRC implementation will reach the scope and scale of the average ERP implementation any time soon, several trends point to GRC software’s increasing importance and expanding corporate presence:
1. GRC metrics are increasingly seen as key indicators of business performance and stability.
At a steady pace, stakeholders including regulators, rating agencies, business partners, and investors have been asking for more and more intimate details about the risk and compliance posture of the companies with which they associate. Internally, different functions within these businesses are using risk and compliance data more often to evaluate the status of third-party relationships, process quality, and other aspects of business for which performance can be measured. In a survey of 121 reference customers supplied by vendors for this Forrester Wave evaluation, respondents reported using their GRC system to track metrics such as “project fitness,” “process efficiency opportunities,” and “board approval of the direction of travel.”
2. GRC customers are continuously finding new use cases for the software they license. Users of GRC software are responsible for almost as much innovation as the GRC software vendors themselves. Applying standard capabilities such as risk and control documentation, policy management, workflow, and reporting, customers are molding their GRC platforms to support a variety of relevant domains. Beyond the 18 core GRC functions we asked about in our survey, customer references reported supporting “other” functions such as the management of “consultant activities,” “enterprise process catalogs,” and “affiliate oversight.”
3. GRC vendors are focusing more on their underlying platform technology. To meet the increasingly diverse demands of GRC clients, vendors are actually beginning to shift away from packaged applications. Now they’re focusing much more of their efforts on delivering platforms that customers can reconfigure and adjust to meet their needs. For that reason, this Forrester Wave evaluates capabilities such as workflow flexibility, user interface flexibility, data model extensibility, and ability to support new and changing market requirements.
The GRC Vendor Landscape Is Actually Growing More Diverse
Considering it’s nearing the decade mark in its evolution, the GRC market defies the logic of vendor consolidation and functional standardization that we might expect. Although there have been significant acquisitions, they have mainly taken the acquired vendor products in different directions: more focused on IT infrastructure (e.g., RSA Archer), regulatory content (e.g., Thomson Reuters Paisley), or business analytics (e.g., IBM OpenPages). In addition, vendors from relevant market segments such as environmental risk and compliance, hotline and case management, information security, and business process management continue to reach for GRC market footholds in order to take advantage of still untapped potential.
Excerpts of Gartner GRC October 2012 report
Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms
The enterprise governance, risk and compliance platform market has matured to a strategic focus on enterprise risk management. Many vendors are looking toward the next market phase, which includes adding or integrating with business analytics and scorecarding capabilities.
The EGRC platform market derives from the need for many entities to improve the oversight of corporate governance — including financial reporting compliance, ERM and related audits. Many organizations also want to consolidate other GRC activities into a common platform. Therefore, an EGRC platform must solve the immediate GRCM needs associated with corporate governance, and also enable an enterprise to pursue consolidation and integration of a diverse set of operational, IT, legal and finance GRC activities.
GRCM is defined as the automation of the management, measurement, remediation and reporting of controls and risks against objectives, in accordance with rules, regulations, standards, policies and business decisions. Many enterprises typically consider a GRCM application to satisfy a specific requirement, such as SOX compliance, an industry-specific regulation or ORM for a business process. However, enterprises often have other GRCM activities in mind, such as audit management, additional regulations (see “Hype Cycle for Regulations and Related Standards, 2010”), IT governance, remediation management and policy management, which they eventually may integrate into a more consolidated EGRC approach. In a 2012 Gartner survey of 211 EGRC platform users, the four leading uses were audit management (45%), ERM (40%), ORM (40%), compliance with SOX or similar laws (33%), and IT risk management (25%).
Most enterprises are also looking for solutions that support their strategies for more controls automation, including reporting from CCM of ERP and other controls automation in the IT infrastructure that can be integrated into the EGRC platform. As a consequence, a trend of the convergence of CCM with the EGRC platform is emerging, and there is also a slow trend toward the convergence of IT GRCM and EGRC platform solutions. Some EGRC platform vendors are also starting to add content and capabilities to meet industry-specific operational GRC needs, such as Basel II/III, Solvency II, EH&S compliance, healthcare compliance, and NERC/FERC compliance. Overall, EGRC platform vendors are adding capabilities across a wide spectrum of financial, IT, operational and legal needs.
Despite the efforts of EGRC platform vendors to satisfy as many GRC needs as possible, they tend to focus on cross-industry requirements, and many industry-specific GRC solutions will remain. For lack of a better term, these are called “operational GRC.” One operational GRC market that is growing rapidly is the energy trading and risk management (ETRM) platform market (see “Magic Quadrant for Energy Trading and Risk Management Platforms”). Another example of operational GRC is the broad marketplace for financial services risk management solutions (see “A Banker’s Guide to Credit, Market and Operational Risk Management Software Functionality”). Rather than try to replicate the capabilities of these specialized solutions, EGRC platform vendors most often are trying to integrate with them.
IT GRCM Offerings of EGRC Platform Vendors
EGRC platforms serve organizations that take an enterprise approach to compliance and risk management, and that want to have all business units — including the IT organization — on the same GRCM solution. Most vendors with EGRC platforms offer modest IT governance automation functions. At a minimum, EGRC vendors offer the capability to document, survey and report IT risks and controls, but some may lack IT-specific content. Some vendors also provide support for an IT asset repository, IT policy management and the automated collection of IT controls data. Organizations with a primary interest in IT-centric GRCM requirements should be aware that most EGRC platforms balance financial, operational and IT requirements at the expense of IT-centric depth.
Gartner is monitoring the potential convergence of IT GRCM and EGRC functions, such that this differentiation would become generally irrelevant to the market; however, this has not yet happened in 2012. The most significant limiting factor is the divergence of requirements between top-down and bottom-up approaches. In many cases, organizations are buying two separate tools, indicating that this difference is more substantial than just vendor marketing and different buying centers.
This divergence is based on the differences in management and reporting requirements for top-down versus bottom-up approaches. Top-down requirements tend to be led by ERM teams addressing business executive requirements, as opposed to bottom-up requirements, which are typically led by IT or information security operations teams. The vendors continue to add functions that overlap top-down and bottom-up requirements, but convergence will only happen when organizations stop buying multiple tools to address diverging requirements, and agree on one tool to address both approaches comprehensively.
Some EGRC platform vendors qualify as IT GRCM vendors. BWise, MetricStream and OpenPages are EGRC platform vendors that have added IT GRCM capabilities. RSA, The Security Division of EMC, is also an EGRC platform vendor, but it started in the IT GRCM market.
Key Trends Affecting the EGRC Platform Market
The EGRC platform is evolving on the basis of several trends, which include:
- Increased demands on internal audit organizations as they cope with increasing regulatory requirements, ERM oversight and demands for more business performance audits
- An increasing regulatory focus on anti-corruption and bribery in the aftermath of the financial crisis
- ERM to support transparency objectives of regulators and decision making by business leaders
- Risk analytics to support integration of risk management and performance management
- Regulatory content services and change management to deal with regulatory proliferation
- The SOX knock-on effect, as organizations find that auditors and regulators worldwide are raising the bar on internal controls even when the law is not as stringent as U.S. SOX (for example, Law 262 in Italy)
- Consolidation, with a shift from dominance of the market by smaller best-of-breed players to one dominated by larger, well-established vendors
- Supplier risk management to ensure that third parties do not present unacceptable compliance and risk challenges
- Social risk management issues emerging from social marketing strategies and the need to ensure compliance with privacy and advertising regulations
- Operational technology and critical infrastructure protection, which increase the variety and volume of risk and controls data
The latter three trends do not yet have much influence on the market, but they present a big data problem that will require a much greater investment in complex risk analytics and could lead to a significant transformation of the GRC market during the next three to four years. Specifically, as GRC adapts to social, supply chain and operational technology requirements, the volume of use cases will expand beyond what is reasonable to be included directly on the platform. With the proliferation of use cases, the platform will need to integrate with many more external data sources and applications, thus reversing what has been the evolution during the past six years to support most GRC use cases directly on the platform. Thus, the platform will fade in market positioning importance, but will remain foundational as an enabler for new GRC-related markets.