Why the GRC platform is fading in importance

While GRC suites offer the promise of achieving governance, risk and compliance, their use can be problematic for companies. Here's a deeper look at the issues.

For more than two years, Skokie, Ill.-based Forsythe Hosting Solutions has been using LockPath Inc.'s Keylight enterprise governance, risk and compliance platform -- or GRC platform -- to manage its compliance needs.

The advantage of running a full-blown GRC suite is that it enables the company to manage those needs in one location, said Julia Hamilton, director of security compliance at Forsythe, which is a LockPath partner as well as a customer.

"It's a constantly changing environment," Hamilton said. "We have been able to use the platform to establish all our controls and, more importantly, to test our controls through a kind of distributed compliance model that allows people to respond through their workflows."

Forsythe is able to combine all of the requirements for the business from a compliance perspective within Keylight, she said.

"We have HR, we have contractual, we have vendor management, we have other controls under different regulatory schemes, as well as auditing schemes," Hamilton said. "Having it in one place benefits us because we can have a unified view of everything. But we can also test once and use several times. The [needs] are similar, so why replicate the work in different tools?"

IDC's take on the changing GRC platform demand

While Keylight is enabling Forsythe to meet its compliance requirements, the concept of the GRC platform in its current form is not sustainable for many companies, according to IDC's "Worldwide Governance, Risk, and Compliance Software Taxonomy, 2016" report.

"While products offer the promise of eased governance, risk and compliance efforts, the products can have the effect of shining light on process problems within the organization that could require tremendous effort to resolve," according to IDC, which is based in Framingham, Mass.

Because of that, GRC platforms have lost some support over the past several years, and the injection of analytic technologies has started to transform the GRC conversation, IDC noted.

GRC platforms vs. specialized risk software

At the moment, the GRC market is going through a bit of a renaissance, said IDC analyst Angela Gelnaw, one of the authors of the report. There's kind of an uptick in the next-generation GRC platform technology, she said.

"I would say the biggest players are still Archer and SAP. And IBM OpenPages is still a big one. So, the big guys are still out there," Gelnaw said.

However, other companies, such as SaaS vendor LockPath and MetricStream, which has reconfigured its platform and now has cloud-based and mobile offerings, are changing where the market is going.

"At the end of the day, GRC is really all about managing risk, and there are a lot of different types of risk out there," she said. "And GRC platforms and GRC suites are one [set of tools] to help manage risk across an entire enterprise."

But to an extent, most organizations -- especially highly regulated ones -- are still going to need specialized risk software to manage some of those other types, according to Gelnaw.

These niche applications then feed the data they collect into the GRC platform, which then manages risk and compliance across the enterprise. This enables the appropriate executives to get a single view of dangers to determine the company's risk level vs. appetite and then figure out what that means, according to Gelnaw.

"And then, the point solutions maybe go deeper into those various risk domains where the front-line person can manage that risk in the way that they need to," she said.

In search of a more agile GRC platform

Sam Abadir, director of product management at LockPath, said his company has been growing because compliance and risk are critical for companies to get right. He said analysts' reports on the market size show a lot of potential for vendors that minimize risk.

Abadir said the reason niche applications are "popping up" is because it takes a considerable amount of time to implement the platforms from a lot of the large GRC vendors.

"And these point solutions don't take a long time to [implement]," he said.

Abadir said that, although Keylight is a GRC platform, a company can implement it as a niche application and then very rapidly expand it into a platform that covers the entire enterprise, or it can start off by managing the entire enterprise or significant portions of it.

He believes that "the growth capabilities of a tool like this are significantly simpler than some other GRC platforms out there. And it … gives you more options than just dedicated point solutions."

GRC platforms still useful

According to Bruce McCuaig, director of governance, risk and compliance solution marketing at SAP, GRC platforms are alive and well.

"We're growing at 10% to 12% a year, and that's not a bad pace of growth," he said. "Our architecture is maybe a little bit different than some of our competitors. We have a suite -- not all of our solutions are integrated with each other, but they all share a common platform."

McCuaig said that SAP has been adding functionality to its platform, including fraud management, business integrity screening and tax compliance software. And the company is adding partnerships that provide it with business continuity management and regulatory compliance management.

"So, we're broadening, if anything," he said.

Rather than integrate all the individual solutions, SAP just integrates the data points from those individual solutions with business objectives and business strategy, he said.

"We can pull data in from any of our GRC solutions, we can pull data in from any part of our underlying ERP and we can pull data in externally if it relates to GRC data points in a strategic context," McCuaig said. "And we can visualize it, we can map it, we can drill down into individual organizations, we can compare over time, we can look at activities in any kind of organization, we can look at risk appetite, we can look at key risk indicators."

The idea is "to finally achieve a level of integration -- not application-level integration, but a business-level integration -- and to tie it to business performance," he said.

Gartner shifts from GRC to integrated risk management

About four years ago, Gartner Inc. analysts began to realize that GRC was shifting based on client feedback, said John Wheeler, director of technology research and advisory services at the Stamford, Conn.-based firm.

At that time, Gartner covered the market of what it called enterprise GRC, i.e., focusing on those GRC suites. However, clients were saying the suites had become so hard to differentiate because they all said they could do everything, when, in fact, most of them only did a few things well or did everything in a very mediocre way, he said.

In addition, companies at that time were looking to move away from a compliance-driven approach and adopt more of a risk-based focus. The reason: They realized that simply meeting compliance mandates was futile and very costly as they were doing work in areas that may not be important to them, simply trying to meet the compliance mandate, according to Wheeler.

"So, they began to mature in more of a siloed fashion such that they were adopting these risk-based approaches in various risk management domains within the company," he said. "And so, we started to see more purpose-built solutions at that point in time. And we moved our coverage to align with that based on some survey research we did and created seven unique market segments related to GRC."

Wheeler said these seven market segments are operational risk management; IT risk management; vendor risk management; business continuity management; audit management; corporate compliance and oversight; and enterprise legal management.

Within the past two years, however, Gartner has noticed that companies have matured in those domains and now realize that they have to bring things together to provide a better understanding of risk to key stakeholders, senior executives and board regulators, according to Wheeler.

"So, that's why we've shifted away from the term governance, risk and compliance to integrated risk management," he said.

To meet the needs of customers, GRC vendors are, in part, opening up their platforms to integrate with business intelligence and corporate performance management platforms, according to Wheeler.

"They want to begin to provide information to those solutions on the risks related to given KPIs [key performance indicators] or performance goals to provide [companies] with a more balanced view of performance," he said.
