
Why the GRC platform is fading in importance

While GRC suites offer the promise of achieving governance, risk and compliance, their use can be problematic for companies. Here's a deeper look at the issues.

For more than two years, Skokie, Ill.-based Forsythe Hosting Solutions has been using LockPath Inc.'s Keylight enterprise governance, risk and compliance platform -- or GRC platform -- to manage its compliance needs.

The advantage of running a full-blown GRC suite is that it enables the company to manage those needs in one location, said Julia Hamilton, director of security compliance at Forsythe, which is a LockPath partner as well as a customer.

"It's a constantly changing environment," Hamilton said. "We have been able to use the platform to establish all our controls and, more importantly, to test our controls through a kind of distributed compliance model that allows people to respond through their workflows."

Forsythe is able to combine all of the requirements for the business from a compliance perspective within Keylight, she said.

"We have HR, we have contractual, we have vendor management, we have other controls under different regulatory schemes, as well as auditing schemes," Hamilton said. "Having it in one place benefits us because we can have a unified view of everything. But we can also test once and use several times. The [needs] are similar, so why replicate the work in different tools?"

IDC's take on the changing GRC platform demand

While Keylight is enabling Forsythe to meet its compliance requirements, the concept of the GRC platform in its current form is not sustainable for many companies, according to IDC's "Worldwide Governance, Risk, and Compliance Software Taxonomy, 2016" report.

"While products offer the promise of eased governance, risk and compliance efforts, the products can have the effect of shining light on process problems within the organization that could require tremendous effort to resolve," according to IDC, which is based in Framingham, Mass.

Because of that, GRC platforms have lost some support over the past several years, and the injection of analytic technologies has started to transform the GRC conversation, IDC noted.

GRC platforms vs. specialized risk software

At the moment, the GRC market is going through a bit of a renaissance, said IDC analyst Angela Gelnaw, one of the authors of the report. There's kind of an uptick in the next-generation GRC platform technology, she said.

"I would say the biggest players are still Archer and SAP. And IBM OpenPages is still a big one. So, the big guys are still out there," Gelnaw said.

However, there are other companies, such as SaaS vendor LockPath and MetricStream, which has reconfigured its platform and now has cloud-based and mobile offerings, changing where the market is going.

"At the end of the day, GRC is really all about managing risk, and there are a lot of different types of risk out there," she said. "And GRC platforms and GRC suites are one [set of tools] to help manage risk across an entire enterprise."


But to an extent, most organizations -- especially highly regulated ones -- are still going to need specialized risk software to manage some of those other types, according to Gelnaw.

These niche applications then feed the data they collect into the GRC platform, which then manages risk and compliance across the enterprise. This enables the appropriate executives to get a single view of dangers to determine the company's risk level vs. appetite and then figure out what that means, according to Gelnaw.

"And then, the point solutions maybe go deeper into those various risk domains where the front-line person can manage that risk in the way that they need to," she said.

In search of a more agile GRC platform

Sam Abadir, director of product management at LockPath, said his company has been growing because compliance and risk are critical for companies to get right. He said analysts' reports on the market size show a lot of potential for vendors that minimize risk.

Abadir said the reason niche applications are "popping up" is because it takes a considerable amount of time to implement the platforms from a lot of the large GRC vendors.

"And these point solutions don't take a long time to [implement]," he said.

Abadir said that, although Keylight is a GRC platform, a company can implement it as a niche application and then very rapidly expand it into a platform that covers the entire enterprise, or it can start off by managing the entire enterprise or significant portions of it.

He believes that "the growth capabilities of a tool like this are significantly simpler than some other GRC platforms out there. And it … gives you more options than just dedicated point solutions."

GRC platforms still useful

According to Bruce McCuaig, director of governance, risk and compliance solution marketing at SAP, GRC platforms are alive and well.

"We're growing at 10% to 12% a year, and that's not a bad pace of growth," he said. "Our architecture is maybe a little bit different than some of our competitors. We have a suite -- not all of our solutions are integrated with each other, but they all share a common platform."

McCuaig said that SAP has been adding functionality to its platform, including fraud management, business integrity screening and tax compliance software. And the company is adding partnerships that provide it with business continuity management and regulatory compliance management.

"So, we're broadening, if anything," he said.

Rather than integrate all the individual solutions, SAP just integrates the data points from those individual solutions with business objectives and business strategy, he said.

"We can pull data in from any of our GRC solutions, we can pull data in from any part of our underlying ERP and we can pull data in externally if it relates to GRC data points in a strategic context," McCuaig said. "And we can visualize it, we can map it, we can drill down into individual organizations, we can compare over time, we can look at activities in any kind of organization, we can look at risk appetite, we can look at key risk indicators."

The idea is "to finally achieve a level of integration -- not application-level integration, but a business-level integration -- and to tie it to business performance," he said.

Gartner shifts from GRC to integrated risk management

About four years ago, Gartner Inc. analysts began to realize that GRC was shifting based on client feedback, said John Wheeler, director of technology research and advisory services at the Stamford, Conn.-based firm.

At that time, Gartner covered the market of what it called enterprise GRC, i.e., focusing on those GRC suites. However, clients were saying the suites had become so hard to differentiate because they all said they could do everything, when, in fact, most of them only did a few things well or did everything in a very mediocre way, he said.

In addition, companies at that time were looking to move away from a compliance-driven approach and adopt more of a risk-based focus. The reason: They realized that simply meeting compliance mandates was futile and very costly as they were doing work in areas that may not be important to them, simply trying to meet the compliance mandate, according to Wheeler.

"So, they began to mature in more of a siloed fashion such that they were adopting these risk-based approaches in various risk management domains within the company," he said. "And so, we started to see more purpose-built solutions at that point in time. And we moved our coverage to align with that based on some survey research we did and created seven unique market segments related to GRC."

Wheeler said these seven market segments are operational risk management; IT risk management; vendor risk management; business continuity management; audit management; corporate compliance and oversight; and enterprise legal management.

Within the past two years, however, Gartner has noticed that companies have matured in those domains and now realize that they have to bring things together to provide a better understanding of risk to key stakeholders, senior executives and board regulators, according to Wheeler.

"So, that's why we've shifted away from the term governance, risk and compliance to integrated risk management," he said.

To meet the needs of customers, GRC vendors are, in part, opening up their platforms to integrate with business intelligence and corporate performance management platforms, according to Wheeler.

"They want to begin to provide information to those solutions on the risks related to given KPIs [key performance indicators] or performance goals to provide [companies] with a more balanced view of performance," he said.


I agree with most of what’s in this piece. 

The platforms are unwieldy for a lot of functions and GRC solutions have to become easier to use. I'm seeing a shift away from platforms in some cases – vendors overloaded them with too many different functions. A suite strategy is emerging with some vendors offering a portfolio of products, some of which may be on the platform and some not, depending on whether it makes sense or not.

For instance, is it really required to have BCM on a GRC platform? Many of the GRC vendors think so, but the market has responded with an overwhelming 'no!' None of the GRC vendors have market-leading BCM solutions that are built on their GRC platforms.

Should audit and compliance be on the same platform? It seems the market likes that, and the same goes for risk management.

And what about third-party risk management – well, it depends. If it's the kind of third-party risk management that CISOs want, yes, having IT risk management and third-party risk on the same platform appears to be a winner.

But if the third party risk management is focused on anti-bribery, anti-money laundering, or on suppliers in a physical supply chain, it appears the market wants best-of-breed solutions.

And the regtech vendors are bringing to market niche solutions that fill the holes left by GRC platform vendors.

None of this is to say that GRC users don't want common dashboards for monitoring and reporting on a lot of related functions -- but even in the same enterprise different users want to take a look at different sets of activities. 

So, right now, savvy GRC users are applying BI solutions like Tableau to create those integrated views.  And they are bringing in other types of data -- not just risk and compliance data, but also financial management and business operations data.

French, what you describe in best of breed solutions is what I discussed in GRC 3.0 in 2012/13. That there is not any one platform that does everything. There can still be a central platform that connects the picture, but best of breed solutions make sense. 

One RFP I recently worked on wanted everything in one platform. I told them, given the breadth of their requirements, that this was not going to happen. They ended up with three platforms and integrating. This is GRC Architecture.

We are now in GRC 4.0, which is Agile GRC, focused on lowering cost of ownership, having highly configurable and agile platforms without coding/customization, and engaging all levels of the organization from the back office of GRC functions to the front office of the organization. We are moving to GRC 5.0 - Cognitive GRC.

HOWEVER, on the scenario you mention on BCM and GRC, I differ. With the huge focus on operational resiliency, particularly in the United Kingdom, there is a critical need for a platform that addresses operational risk, business continuity, and vendor risk. This would be a core GRC platform that brings these areas together. To address operational resiliency you cannot think of operational risk and BCM as separate, but as closely related and integrated.

It would be of interest to point out that a number of the "platforms" like Archer and IBM OpenPages have very effective SaaS offerings that can be deployed to meet niche needs. The ability to scale (either in bandwidth or use cases met) does not restrict the ability to react, etc.

The GRC platform in its current form is the same platforms that Gartner has listed in the IRM Magic Quadrant and in the IRM Critical Capabilities. These are the same vendors with the same technology that Gartner calls IRM that they also attack as GRC. This is all smoke and mirrors. Technology evolves. We are in GRC 4.0 and moving to GRC 5.0. Gartner is misleading, as it is the same vendors they promote as IRM that are GRC platforms. All of their 'Leaders' market GRC, and some have GRC in their product name. And they call this market research? Just relabeling and confusing the market. The ironic thing is that the biggest issues and failures have occurred with those Gartner promotes as Leaders.