Let's nix the GRC world- OCEG Survey2014 on GRC industry-FixNix
An OCEG Benchmark on Current & Future GRC Technology Decisions
2014 GRC TECHNOLOGY STRATEGY SURVEY: HOW ORGANIZATIONS APPROACH AND ADAPT THEIR TECHNOLOGY STRATEGY FOR GRC
About OCEG . . . OCEG is a nonprofit think tank that helps organizations achieve Principled Performance. We provide standards, resources and a hub around which many professionals collaborate including: board members, business executives and operators, risk executives, audit executives, compliance executives, financial executives, IT executives, and HR executives.
Our mission is to help organizations reliably achieve objectives while addressing uncertainty and acting with integrity - this is Principled Performance. We assist organizations in developing and implementing GRC capabilities that enable Principled Performance by providing authoritative resources for integrating the governance, assurance and management of performance, risk and compliance. OCEG’s global community exceeds 40,000 members and through collaborative effort we continue to advance methods and measurements of success on the path to Principled Performance.
For more information go to www.OCEG.org or contact us at [email protected]
The OCEG 2014 GRC Technology Strategy Survey was designed and analyzed by GRC 20/20 Research . . . GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and analysis. We provide independent and objective insight into leading GRC practices and processes, including market dynamics and intelligence; risk, regulatory and technology trends; competitive landscapes; market sizing; expenditure priorities; and mergers and acquisitions.
For more information go to www.GRC2020.com or contact GRC 20/20 at [email protected].
INTRODUCTION IN SUMMARY REFERENCESFUTURE STATESURVEY DEMOGRAPHICS CURRENT STATE
3OCEG SURVEY • 2014 GRC Technology Strategy Survey • www.OCEG.org • ©2014 all rights reserved
Contents
INTRODUCTION: GRC Technology Impacts GRC Maturity
SURVEY DEMOGRAPHICS: Risk, Audit, Compliance & IT Express Themselves
CURRENT STATE: How Organizations Currently Use GRC Technology
FUTURE STATE: How Organizations Plan to Use GRC Technology
IN SUMMARY: 5 Key Takeaways
REFERENCES: OCEG Resources; OCEG GRC Solution Category Descriptions; OCEG GRC Solution Council Members; Full Survey Charts/Responses
Preface
If you’ve taken the time to read this survey, it’s likely you have a certain level of interest in governance, risk management, and compliance (GRC). There’s no shortage of information on the subject. An Internet search will throw up all sorts of tips, views and best practices designed to help those responsible for these areas.
OCEG is the framework body for GRC. We advocate Principled Performance and the role of GRC to enable organizations to reliably achieve objectives while addressing uncertainty and acting with integrity.
This OCEG survey focuses on GRC technology strategy: understanding how GRC technology is used in the current state of organizations, and the planned future state of where each organization's GRC technology architecture is headed. At OCEG we want to see that GRC becomes part of your organisation’s DNA through the proper implementation and use of GRC technology.
We hope this survey report provides you with some valuable insights.
Governance, risk management, and compliance (GRC) is something every organization does — though not all do it well. Every organization has some approach to governing the organization, managing risk, and approaching compliance with obligations such as regulations. It does not matter if an organization uses the label GRC; the simple truth is every organization does GRC in some form.
Some organizations have mature and structured processes and reporting on GRC that brings together an integrated and orchestrated view of GRC processes and information. Other organizations have fragmented approaches where some aspects of GRC are more mature than others but fail to have an overall coordinated strategy. For some organizations GRC approaches are ad hoc and reactive.
The use of technology for GRC depends on organization strategy. Some organizations look to develop an enterprise technology architecture (or platform) for GRC. Other organizations lack an enterprise coordinated strategy and have different departments going in different directions. Whether at an enterprise level or a department level, GRC maturity depends on how well GRC processes, information, and technology enable the organization to be efficient, effective and agile to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].
The proper selection and use of GRC technology is a primary factor in measuring GRC maturity within organizations. From one perspective, we all use technology in GRC. Pens and legal pads can be understood as technology — at one point pens were high tech. Today, GRC technology is commonly understood from the low-end of using documents, spreadsheets, and email to manage GRC information, processes and reporting to the high-end of a federated GRC architecture that integrates information and technology from across the enterprise in an ecosystem of GRC processes and information that works together as cogs in a machine automating GRC processes and reporting while providing accountability. There obviously is a wide range of approaches in between.
OCEG’s 2014 GRC Technology Strategy Survey takes aim at understanding organizations' current use, planned future use, strategy, and satisfaction with their use of technology to support GRC within their organizations.
Michael Rasmussen OCEG Fellow & Co-Chair of OCEG GRC Solutions Council Chief GRC Pundit & Analyst @ GRC 20/20 Research, LLC [email protected] / [email protected]
INTRODUCTION: GRC Technology Strategy Impacts Maturity
A Word From Our Survey Sponsors
ACL delivers technology solutions that are transforming audit and risk management.
“The survey shows that strategy for GRC is changing and why it is such an incredibly exciting and opportunistic time to be a GRC professional. Four mega-forces in technology for GRC were screamed out loudly by the survey results: cloud, mobile, design, and data. It’s clear that those affecting major change in their organization’s approach to GRC are making applications powerful and collaborative with the cloud, extending their reach through mobile, driving insight and decisions using objective truth as manifest in the organization’s data, while ensuring software empowers (not frustrates). We are so proud to be a part of ushering in this change in GRC, through technology.” Dan Zitting, VP of Product Mgmt & Design, ACL
Convercent enables an effective compliance program with integrated management, mitigation and monitoring of compliance risk.
“The results of the survey provided a clear indication that the world of GRC technology is primed to leap forward in delivering GRC program effectiveness that’s both measurable and innovative. Too many organizations have a well-designed GRC program but lack the ability to apply it in a scalable way or to easily demonstrate its effectiveness, in large part because the technology, a critical enabler of an effective GRC program, is missing. We believe that the market is not only ready, but clamoring, for easy-to-use technology that is well designed and integrated, complete with native analytics and reporting. This survey validated that belief. We’re excited to be part of the journey.”
Michael Kleef, EVP of Marketing, Convercent
MetricStream delivers solutions for GRC and Quality Management Solutions for global corporations.
“MetricStream helps clients adopt a federated GRC architecture that aligns with business functions and adapts as their environment changes. As the survey demonstrates, GRC technology has advanced so much that it can seamlessly connect processes, systems, and departments across the global enterprise. It can capture information from across functions and systems, and aggregate this information to decision-makers to successfully manage risk and make decisions. As organizations realize these benefits, they are transforming their GRC technology strategies, and we are delighted to be part of this GRC Journey that our customers are on.” – Vinay Bapna, Associate VP of Marketing, MetricStream
The 2014 OCEG GRC Technology Strategy Survey is made possible through the support of the entire OCEG GRC Solutions Council and particularly the following survey sponsor members:
SURVEY DEMOGRAPHICS
Risk, Audit & Corporate Compliance/Ethics Top Responders
The 2014 OCEG GRC Technology Strategy Survey had 273 respondents that fell across a range of industries, geographies, and roles/departments in organizations.1
GRC happens within departments and across the enterprise. From a department perspective, GRC roles look to technology to assist them in managing GRC from a department perspective. An enterprise GRC perspective involves a GRC strategy, process, information and technology architecture that spans across departments.
The three primary roles responding to the survey (68% of responses) are risk management (25%), audit (22%), and corporate compliance/ethics (21%). These roles, combined with IT and Security, make up the most common roles that OCEG and GRC 20/20 see in enterprise technology strategies for GRC.
What is interesting to see is the 5% of respondents who define themselves as a Centralized GRC Group/Architecture role. This role is only about two years old and is already seeing strong growth in organizations, where it is tasked to build and deploy information and technology architecture for enterprise GRC.
1 The OCEG 2014 GRC Technology Strategy Survey also surveyed professional service firms and GRC technology/solution providers. The results in this report are only those from organizations that purchase and use GRC solutions within their environment and do not include professional services firms or solution provider responses.
Respondent roles:
Risk Management: 25%
Audit: 22%
Corporate Compliance/Ethics: 21%
Other GRC Roles: 32%
Other Roles Include . . .
Information Technology (9%)
Centralized GRC Group/Architecture (5%)
Security (5%)
Business Management/Executive (5%)
Business Operations / Logistics (2%)
Finance / Accounting (2%)
Vendor/Supplier Management, Research, Corporate Social Responsibility, Legal (4%)
Equilibrium of GRC Operational & Decision-Maker Roles
Other: 3%
Professional: 20%
Manager: 28%
Executive: 6%
Senior Vice President: 7%
Vice President: 12%
Director: 24%
51% were Manager level and below
49% were Director level and above
The survey results showed a nearly even split between GRC roles that were director level and above (49% of respondents) with those that were manager level down into professional/operational GRC roles (51%). This represents a balanced perspective on GRC technology strategy between decision makers and those using GRC solutions as part of their daily GRC operational roles.
Often the perspectives on GRC technology can vary between the decision-makers (purchasers) of GRC technology and the manager/operational GRC roles that use the technology throughout every day. Having this evenly distributed balance of respondents provides an equilibrium to the survey results.
Distributed Organization Structure, Size & Industries
Organizations responding represented a distributed balance of size and structure. A variety of industries were represented in the responses with financial services having the strongest representation.
Industries represented: Utilities; Healthcare; Finance, Banking, & Insurance; Manufacturing; Business Services; Telecom; Others
Organization structure:
40.3% of organizations responding were from publicly traded organizations
38.4% of organizations responding were from privately held organizations
11.6% of organizations responding were from government organizations
9.7% of organizations responding were from non-profit, educational, or state-owned organizations
Organization size:
13.3% of organizations responding have between 1 and 500 employees
24.3% of organizations responding have between 501 and 2,500 employees
26.6% of organizations responding have between 2,501 and 10,000 employees
36.0% of organizations responding have more than 10,001 employees
CURRENT STATE
Utilization of GRC Technology in the Environment:
46% Utilized
51% Under-Utilized
3% Unsure
Organizations reported they have mixed success with their current use of technology for GRC. The current state of affairs shows a near even breakout with 46% of organizations claiming that their GRC technology is well utilized, with slightly more at 51% stating that GRC technology in their environment is underutilized. This indicates that approximately half of the organizations responding feel they could do better in how they use their current technology for GRC within their environments.
Contrasted with how GRC solutions are deployed, this reveals some enlightening perspectives. The majority of GRC solutions being used are department or issue-focused (81%) and are stand alone solutions not integrated with other GRC technology solutions (80%). This aligns with GRC 20/20’s market research that indicates that over 80% of GRC technology spending is on department and issue (e.g., risk, regulation) GRC needs and less than 20% of spend is on enterprise GRC that spans across departments in the organization.
80% Non-integrated, stand alone GRC solutions
81% GRC solutions are department or issue focused
Misaligned Technology to Meet Current GRC Needs
Alignment of Technology with Current GRC Needs:
27% Aligned
70% Unaligned
3% Unsure
Building on the mixed utilization of GRC technology used currently within organizations is the mounting concern that the GRC technology deployed does not meet the current needs of the organization (70%), with a minority (27%) stating that GRC technology is meeting their current needs.
The challenge is that risk and regulation have grown very complex. Many industries have seen regulatory change double in the past five years. Business operates in dynamic risk environments with intersecting risks that are managed in silos that do not talk to each other. The business itself is dynamically changing as employees, processes, strategy, financial position, technology and relationships change. External risks bear down on the organization from market, geo-political, environmental, and other sources. The complex web of supplier, agent, vendor, and other 3rd party relationships impacts the organization. Risk and regulatory reporting requirements have grown in complexity and often involve a complex web of data integration and analytics.
This misalignment is an indicator that organizations are discovering they need a very agile and dynamic GRC information and technology architecture that can integrate with distributed systems and content feeds and provide advanced analytics on the state of GRC and its impact on the organization’s strategy, performance, objectives, and integrity.
BOTTOM LINE: Document/Email Approaches Challenge GRC
30% of organizations have one or more commercial GRC solutions
53% of organizations state their primary GRC technology is spreadsheets, documents, and email
Chart categories: Spreadsheets, Documents, & Email; Solution Built In-House by IT; Commercial GRC Solution; 2+ Commercial GRC Solutions
Chart values: 24%, 6%, 17%, 53%
No wonder organizations see such misalignment in GRC technology to meet their current needs — the bastion of GRC technology in use is in the form of spreadsheets, emails, and documents. This approach is very labor intensive and inconsistent which causes reporting errors and complexity, frustrates the line of business, lacks proper workflow and task management, and is simply not defensible.
Regulators and stakeholders are increasingly holding organizations accountable for audit trails and integrity in processes that documents, spreadsheets, and email approaches simply cannot provide by themselves. They are important tools in the toolbox but organizations are realizing they need something more.
The impact on FTEs is particularly significant. One financial services organization stated that 80% of their GRC staff resources were nothing more than document reconcilers for reporting. Their task was to reconcile and report on thousands of assessments and surveys for GRC in documents and spreadsheets that were distributed by email. A mess they are aggressively trying to correct.
FUTURE STATE
Organizational Alignment to Take Action on Future GRC
GRC change is afoot! Where organizations earlier indicated that they had lacked alignment (70% of responders stating they were unaligned on current GRC technology implementation), organizations report that they are deepening collaboration and communication across the enterprise for future GRC technology strategy and alignment (62% state they are aligned).
This is further evidenced by the fact that 44% of respondents state they have an enterprise GRC strategy going forward that spans departments. This is strengthened by another 35% of organizations indicating that they may not quite be set on an enterprise decision but have multiple departments involved in GRC technology decisions.
Organizational Strategy to Select GRC Solutions Going Forward:
Enterprise decision across departments: 44%
Multiple department decision, but not quite enterprise: 35%
Remaining chart categories: Single department decision; Group decision focused on specific issue; Unsure or Other
Remaining chart values: 8%, 3%, 10%
Organizational Alignment to Take Action on Future GRC Solution Initiatives:
62% Aligned
34% Unaligned
3% Unsure
GRC Technology Spending Increasing Steadily
Keeping pace with a dynamic risk and regulatory environment is demonstrating broad growth in GRC technology spending in 2014 (64%, of which 18% state that spending is increasing over 25% from 2013).
Contrast that with only 14% of respondents indicating that GRC technology spend is decreasing. This is a very positive outlook for GRC technology with such a small percentage cutting budgets in a tight and demanding economic environment.
64% Increased Spending
25% Increase from 1% to 10%
21% Increase from 11% to 25%
18% Increase over 25%
22% No Change in Spending
14% Decreased Spending
5% Decrease from 1% to 10%
5% Decrease from 11% to 25%
4% Decrease over 25%
3% Unsure
Organization Plans to Purchase GRC Technology
In context of the broad increase in GRC technology spending in 2014, 41% of the spending is going toward new GRC technology (the assumption is the rest is on increased spending and implementation of existing GRC technology).
Beyond 2014, 27% of organizations indicate they will be acquiring new technology in one to two years (2015), and 31% plan on acquiring new GRC technology in two to three years (2016).
41% Organizations that indicate they plan to purchase new GRC technology in 2014
Chart categories: Immediate Purchase; 1 to 6 Months; 7 to 12 Months; 1 to 2 Years; More than 2 Years
Chart values: 12%, 13%, 16%, 31%, 27%
Crossroads In GRC Architecture Perspectives
Strategic Direction for GRC Architecture:
36% Prefer a centralized GRC Platform for the entire enterprise
27% Prefer a federated GRC Architecture that allows best of breed integration
21% Decentralized and non-integrated GRC solution strategy
17% Undecided
When it comes to future directions for GRC architecture, organizations are at a three-way intersection of roads leading to different destinations, with some (17%) undecided in which direction to head.
One road leads to a centralized GRC platform that over one-third (36%) state is their GRC technology destination. This is where the organization standardizes one primary GRC platform for the organization.
The second road is a destination of a federated GRC architecture in which organizations on this journey (27%) acquire best of breed GRC solutions that offer the greatest value to the organization and integrate these systems where and when it makes sense to do so. Often federated GRC architectures will have a centralized GRC platform as a hub that other GRC technology feeds into for enterprise reporting and coordination of GRC activities and processes.
The third road is a decentralized and non-integrated GRC strategy in which these organizations (21%) purchase best of breed solutions to meet their specific department or issue-focused (e.g., risk, regulation) needs and do not see a need to integrate technology for enterprise reporting and coordination.
Top 10 GRC Technology Spending Priorities
The OCEG GRC Technology Solutions Guide details twenty-seven categories of GRC technology. When survey respondents were presented with these twenty-seven categories to list their top GRC technology priorities to acquire, they listed the following top ten as their most critical needs:
FUTURE: Top criteria for acquiring new solutions for GRC:
Ease of Use: 49%
Price: 46%
Functionality: 44%
Configurability: 34%
Industry Expertise: 27%
PAST: Top criteria that influenced choice of current GRC solutions:
Price: 53%
Ease of Use: 45%
Functionality: 34%
Configurability: 33%
Customer Service, Financial Stability, Local Office, Integration: 19%
Ease of Use Top Criteria on Future GRC Technology
For the most part, the top criteria for evaluating GRC technology have remained the same between the criteria used in the past and the criteria for future GRC purchases. However, the one element that has moved to be the highest priority is ‘ease of use.’ Organizations show that they want GRC solutions that are practical and engaging to use. This is particularly important for GRC as it continues to move communications to the front-lines of the organization.
It is also an indicator that organizations have frustration with complex GRC technology that is non-intuitive and difficult to use.
Factors That Influence Changing GRC Technology
What drives organizations to change the GRC technology they currently use?
The primary driver of change is lack of functionality in their current GRC technology (40% of respondents indicated). Business is dynamic and the GRC challenges today require advanced intelligence, integration, analytics, and holistic situational awareness of dynamic business, risk, and regulatory environments. GRC technology that was satisfactory a few years ago may be inadequate to meet the needs of GRC today and into the future.
Other factors driving change in GRC technology, but not as prominent as lack of functionality, include:
A centralized GRC strategy to bring the organization to a single GRC platform (17%).
Poor customer service in support and quality of current GRC solutions (16%).
Migration to GRC solutions that are lower cost to acquire, implement, and maintain in the environment (6%).
Reduction in budget forcing change driving organizations to implement technology to reduce overhead (5%).
What is the single most important factor when changing GRC solutions?
40% Lack of Functionality
17% Internal Move to One Platform
16% Poor Customer Service
6% Lower Cost Competitor
5% Reduction in Budget
Primary Goals in New GRC Technology Adoption
Business changes, regulations change, risks change — in that context GRC technology changes to meet the needs of dynamic, distributed, and disrupted business. When looking for new GRC technology, organizations indicate that the primary goals they aim to achieve are:
Complex risk and regulatory environments demand advanced capabilities of risk data integration and analytics to provide full situational awareness of risk (53%).
Organizations are realizing that good GRC requires good information; there is increasing focus on the integrity and consistency of GRC information (43%).
Regulatory change has more than doubled in several industries over the past five years (e.g., banking, insurance, healthcare) and drives the organization to GRC technologies that enable regulatory intelligence and agility (41%).
When deploying new GRC technologies the organization is driven to reduce costs while increasing the performance of business operations (both 39%).
Increase analytics & rapid visibility of risk: 53%
Improve consistency of information: 43%
Meet new regulatory requirements: 41%
Reduce costs: 39%
Improve performance: 39%
GRC Deployment: to SaaS or not to SaaS
In today’s software world there are two primary deployment models to decide on when purchasing GRC solutions. One is the traditional software model in which the organization purchases a perpetual license to the software and yearly maintenance. In this model the software is installed in the organization’s data center. The other model is a Software as a Service (SaaS) model that is showing the strongest growth in adoption in the software world. In this model the organization pays an annual subscription fee and the software is hosted for them in the Cloud and not in the organization’s own data center. There are hybrids to these approaches, as well as different types of SaaS models.
When it comes to buying behavior of those acquiring GRC solutions, there is roughly one-third (32%) that have a strong SaaS preference, while a little larger group (41%) prefer the older traditional software model. When combined with those who have no preference (about 1/3rd), roughly 2/3rds of buyers are open to SaaS and 2/3rds of buyers are open to traditional software.
The acceptance, and particularly preference, of SaaS as the deployment model for GRC solutions is growing fast and most likely will overtake traditional software preference in the next one to two years.
32% Prefer SaaS
59% SaaS & No Preference
Nearly 2/3rd of the market are open to SaaS GRC Solutions
1/3rd of the market strongly prefer SaaS GRC Solutions
VS
41% Traditional On Premise
68% Traditional & No Preference
Just over 2/3rd of the market are open to traditional software GRC Solutions
Over 1/3rd of the market strongly prefer traditional software GRC Solutions
IN SUMMARY
5 Key Takeaways
1. Tone down and control spreadsheets, documents & email for GRC
Spreadsheets, documents, and email for GRC are not going to be entirely eliminated but certainly need to be better controlled. These are tools on every desktop and they have a purpose. However, better technology needs to be used to overcome the pervasive use of spreadsheets, documents, and emails to do assessments, send surveys, communicate tasks, and do reporting — otherwise they are a nightmare that leads to the inevitability of failure as it drains FTE time, things get missed, and reporting takes a long time.
2. Understand that GRC is more than one technology
As defined in the OCEG GRC Solutions Guide and integrated into this survey — GRC technology is diverse. There is no such thing as a one stop shop for GRC. An organization may standardize on a core backbone for GRC integration, analytics, management, and reporting but to truly do GRC requires a range of technology investments and integration.
3. Define your GRC architecture strategy
We reviewed the three architecture models for GRC: decentralized, centralized, and federated. A decentralized strategy typically points to departments doing their own things and no enterprise coordination of GRC. A centralized strategy often leads to one platform that tries to do all things and forces much of the organization to the lowest common denominator. A federated strategy strikes a good balance between centralized and decentralized by allowing for best of breed solutions where they make sense but with integration between these systems or to a common backbone to enable enterprise GRC management and reporting.
4. Keep up with change
The greatest challenge for GRC is a dynamic business environment in which the business, risk, and regulatory environments are in a constant state of change. Agility is critical to align GRC with the business and technology should enable the organization to keep current with changing environments.
5. Delivering GRC engagement through intuitive and easy to use technology
The number one criterion organizations are looking for in GRC today and into the future is ease of use. GRC is complex as it is and technology should not add to that complexity but simplify it and make it easy for every level of the organization to engage in GRC.
REFERENCES: ABOUT OCEG
OCEG GRC Solutions Category Definitions
Audit and Assurance Management systems are used to manage audit cycles – this includes audit planning, resource scheduling/calendaring, work paper management, and audit process management. They also support a risk-based approach to audit planning to prioritize audits based on the risk to the business.
Board and Entity Management technology enables corporate governance processes, frameworks, policies, structure, and activities in support of the overall coordination of an organization’s board and management responsibilities in accordance with legal, fiduciary, legal structure, and operational requirements. This includes the ability to provide for board collaboration, communications, reporting, board paper management, and voting.
Brand and Reputation Management systems track, report and manage responses to an organization’s activities and customer, employee, partner and shareholder opinions about those activities. This area of technology is rapidly expanding to encompass solutions to monitor risk to brand and reputation across social media applications.
Business Continuity Management systems model, record and direct the responsibilities, plans, actions and execution of continuity and disaster plans, testing of operating procedures, alternatives, information back-ups, data recovery and restoration processes during expected and unexpected disruptions to all areas of operation.
Compliance Management systems support the overall coordination of legal, regulatory, contractual, and corporate policy obligations and responsibilities with associated compliance tasks and records. This includes the ability to monitor, document, and manage changes to the regulatory environment and other obligations; to document all obligations of the organization; to perform compliance assessments against obligations; and report on the state of compliance.
Contract Management tools provide the ability to create, manage, store, change, deliver and append all business-related contracts (with suppliers and clients) and apply organizational policies and procedures, as well as specific legal and local regulatory criteria, to their administration.
The following categories are from the OCEG GRC Solutions Guide 2.1. This guide is collaboratively developed and maintained by the members of the OCEG GRC Solutions Council.
Control Activity, Monitoring, and Assurance systems provide the ability to define, document, map, monitor, test, assess, and report on controls within the organization, including process and systems documentation; manual and automated controls; the limitations or conditions applied to amounts and parties in a transaction; user access, rights, and responsibilities; and accounts, workflows, and process initiation. This category of software is also often referred to as Continuous Control Monitoring (CCM) or Automated Controls. This includes the capability to test, on a continuing or periodic basis, data and activity against defined rules to identify and report potential errors, the failure of controls, or inappropriate actions – including tests of business transactions, network activity, intrusion attempts, the sharing of confidential information or intellectual property, systems access, etc. Also included in this area is the ability to do GRC data analytics, monitoring, and mining.
Corporate Social Responsibility tools help document the objectives, measure performance, assign responsibilities, recommend and monitor actions, organize contextual news feeds, support internal and external reporting, and communicate relative to an organization’s perceived relationship with the local and broader community, focused on the impact to its reputation, brand, and market growth.
Discovery/eDiscovery Management tools assist in managing and communicating discovery holds and uncovering, segmenting, organizing and storing electronic forms of evidence that can be used in an investigation, both before and after the occurrence of the related events, including tools that separate potential discovery documents from their original locations and repositories. This category of technology also includes systems for retention management that integrate with content/document systems to manage the storage, disposition, and retention of information.
Environmental Monitoring and Reporting systems and related applications help monitor, analyze, record, and report organizational activity focused on compliance with environmental laws and regulations, related corporate policy related to managing environmental controls and conditions, and assessing the environmental impact of the corporation’s operations, strategies, and plans.
Environmental, Health, and Safety applications help manage the regulatory and policy-based guidelines and processes for protecting and reporting on the workforce, workplace, resources-under-management and external environment impacted by an organization’s activities.
Finance/Treasury Risk Management solutions provide an array of applications and systems used to identify and manage the risk factors, causes and response procedures in an organization’s financial and treasury management. These include risk technology focused on specific areas such as liquidity, credit, market, and commodity risk management that help identify risk and execute historical review, simulation, interpretation and projection of impacts on an organization’s financial assets given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously.
Fraud & Corruption Detection, Prevention & Management systems assist in the identification, response to, control, and reduction of incidents involving investigation, misuse, theft or misapplication of an organization’s resources and assets by employees and/or third parties. Technology includes tools for data collection, monitoring, mining, and analysis as well as emerging technologies, such as social network analysis, social media sourcing, third party due diligence and statistical modeling. This category of solutions includes software that addresses such issues as anti-corruption/bribery compliance, fraud, and Anti-Money Laundering (AML).
Global Trade Compliance/International Dealings systems document, manage, and provide required reporting on relevant regulations for the exchange of capital, goods and services across international boundaries.
Hotline/Helpline systems provide information intake and response systems to provide a confidential, independent resource for all employees and others to report observations related to issues as well as potential acts of fraud, theft, inappropriate or illegal behavior, negligence or other impropriety committed by employees, partners or contractors as well as seek clarification/guidance on conduct, policies, and procedures.
Information/IT Risk & Security Management systems implement the frameworks and principles that govern risk, security, controls and compliance-guided elements in the planning, development, acquisition, delivery, use, integration, evaluation and retirement of information and technology resources.
Insurance and Claims Management platforms record and administer an organization’s corporate insurance, liability and warranty coverage levels and documents (including property and casualty, product liability, directors’ and officers’, and related areas of core coverage) and help execute the related claims, process the forms and monitor claims administration procedures across jurisdictions.
Intellectual Property Management systems help identify, capture, organize and protect the organization’s portfolio of intellectual property (copyrights, trademarks, patents, trade secrets and all related intangible assets with inherent value) and enable the legal reuse and sharing of intellectual property created by third parties.
Issue and Investigations Management systems are used to manage investigations, issues, incidents, events, or cases. They specifically provide consistent documentation and processes for the management of events, from reporting, to managing and documenting the investigation, to recording the loss and business impact.
Matter Management systems administer the collection of facts related to events and legal cases under investigation, for use in verifying their circumstances, in order to provide valid information for testing by independent parties with the confidence that the information provided is related to these events.
Physical Security & Loss Management systems enhance physical asset and individual protection, and the authorization and monitoring of access to an organization’s facilities and property. This category of technology also includes systems to manage physical loss and theft.
Policy Management, Communication, & Training systems manage the development, record, organization, modification, maintenance, communication, training, and administration of policies, procedures, standards, and guidelines in response to new or changing requirements or principles, and correlate them to one another. This also includes systems used to train individual learning and understanding of policy and risk areas to employees and extended business relationships.
Privacy Management systems and tools help to identify, capture, segment, and secure access to and use of personally identifying information across information sources, applications and users in compliance with applicable laws and regulations. Privacy technology is broader than security technology as it encompasses the accuracy and use of private information and not just the protection of it.
Quality Management and Monitoring systems record, benchmark, track and manage activity related to product and service quality assessments and certifications, production failures, product recalls, design and delivery improvements and their related regulatory guidelines.
Reporting and Disclosure applications include solutions for assembling and distributing financial, operational, regulatory information to management, the board, regulators and shareholders. These solutions provide visibility and transparency related to business outcomes. Some solutions may support formats and templates required by regulators and agencies for required reporting.
Risk Management systems support the identification, assessment, evaluation and response, and monitoring of risks and opportunities of risk across the organization. This includes the ability to monitor changes in the external and internal contexts to alert an organization to changing risk conditions (e.g., geo-political, economic, competitor, technology, and natural disaster) that can impact business. These systems help identify specific causes and execute historical review, simulation, interpretation and projection of impacts on an organization’s operations or assets given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously. This category includes enterprise risk management systems, operational risk management systems, as well as specialized risk applications.
Strategy, Performance, and Business Intelligence include solutions for identifying and managing corporate strategies, goals, and objectives and cascading them through the organization; optimizing operational and financial performance against those objectives; and providing valuable information for decision-making and reporting purposes.
Third Party/Vendor Risk & Compliance solutions govern, record, and maintain the communication, attestation, and assessment of code of conduct, contractual compliance, risk and compliance self-assessments, and audits across extended business relationships (e.g., supply-chain/value-chain, contractors, outsourcers, service providers, consultants, staffing agencies).
OCEG’s GRC Standards Library
OCEG’s GRC Standards Library helps to jump-start and improve your approach to achieving Principled Performance.
OCEG’s GRC Certification, Surveys & Illustrations
OCEG has a range of resources that help organizations understand, apply, and communicate Principled Performance and GRC.
Certifications
Surveys
OCEG One-Minute Polls on Focused Subjects
GRC Maturity
GRC Metrics & Measurement
GRC Technology Strategy
GRC Illustrated
OCEG has developed over 60 GRC illustrations that are infographics to help organizations understand and communicate Principled Performance and GRC.
GRC Illustrated: Pathway to Principled Performance
[Infographic. The text below is recovered from the illustration.]
Elements shown: Governance (G), Audit (A), Performance Management (Pm), Risk Management (Rm), Compliance Management (Cm); Opportunity, Threat, Technology, Performance, Risk, Compliance, Risk/Reward, Objectives.
Boundaries:
VOLUNTARY BOUNDARIES are defined by management and include values, contractual obligations and other promises.
MANDATORY BOUNDARIES are defined by external forces including government laws and regulation.
1 Capabilities
Think of capabilities as “tools” to use for many different purposes. Develop capabilities that can be leveraged by all of your governance, management and audit systems. This way, when you improve the capability, all systems benefit. (Leverage common capabilities.)
ALIGN: Set mission/vision/values; define objectives in light of opportunities, risks and requirements; align strategies with resources and processes.
PROACT: Proactively identify changes in risks and requirements, incentivize positive conduct, and prevent unproductive or improper conduct.
DETECT: Detect when desirable and undesirable events occur using a mix of techniques, both push-pull and manual-automated.
RESPOND: Reward desirable conduct and outcomes and remediate anything undesirable. Adjust capabilities when necessary in response to findings.
MEASURE: Assess critical aspects of capabilities; measure performance relative to risk and compliance.
INTERACT: Establish technology and information systems to communicate up, down and across the organization and with external stakeholders.
2 Systems
Core governance, audit and management systems are the backbone of an organization. They leverage common capabilities for multiple purposes.
3 Pathway
By orchestrating integrated governance, audit and management systems, an organization can reliably achieve objectives, while addressing uncertainty and acting with integrity.
Callouts in the illustration:
“I need to keep moving towards my objectives. I’ll take a shortcut.”
“STOP. Don’t cross either of these boundaries. They represent promises we’ve made!”
“I can help provide assurance to management and the board that important things are getting done -- the way we think they are!”
“What does our performance scorecard look like relative to risk and compliance?”
“What business model is required to reliably achieve objectives while addressing uncertainty and acting with integrity?”
“What are our mission, vision and values?”
“Here is our business model and operating plan to achieve these objectives.”
• Objectives
• Business Model
• Budget & Resources
• Risk Appetite
• Performance Metrics
“As we drive toward objectives, we must stay within boundaries. Sometimes uncertainty presents opportunities that we can seize. Sometimes uncertainty threatens our objectives and we must take action ...and address uncertainty.”
“I can provide better assurance now that we have a uniform way to measure and report.”
“Now that we are using our resources more effectively, we're more competitive and our outcomes are better than ever.”
OCEG’s GRC Solutions Council
Members of OCEG’s GRC Solutions Council collaborate to develop educational materials on the benefits of advancing GRC processes and technologies, as well as key resources to assist companies in maturing GRC strategy.
Affiliate Member:
REFERENCES: SURVEY RESPONSES
GRC Technology Survey 2013 Report
Value Count Percent
Publicly Traded 104 40%
Privately Held 99 38%
Government Agency/Organization 30 12%
Non-profit organization 17 7%
Educational Organization 5 2%
State Owned Enterprises/Crown Corporations 3 1%
Statistics: Total Responses 258
Value Count Percent
Risk Management 65 25%
Audit 58 22%
Corporate Compliance/Ethics 53 21%
Information Technology 23 9%
Centralized GRC Group/Architecture 14 5%
Security 12 5%
Management (Executive / Corporate) 12 5%
Other 6 2%
Business Operations / Logistics 6 2%
Finance / Accounting 5 2%
Vendor/Supplier Management 1 0%
Research 1 0%
Corporate Social Responsibility 1 0%
Legal 1 0%
Statistics: Total Responses 258
Value Count Percent
Top Level Executive 15 6%
Senior Vice President 17 7%
Vice President 32 12%
Director 61 24%
Manager 72 28%
Professional 51 20%
Administrative 4 2%
Other 6 2%
Statistics: Total Responses 258
Value Count Percent
1 - 500 34 13%
501 - 1,000 25 10%
1,001 - 2,500 37 14%
2,501 - 5,000 33 13%
5,001 - 10,000 35 14%
10,001 - 25,000 36 14%
25,000+ 56 22%
Statistics: Total Responses 256
Value Count Percent
Excellent 11 6%
Good 36 20%
Fair 74 42%
Poor 50 28%
Don't Know 5 3%
Statistics: Total Responses 176
Value Count Percent
Strongly Agree 19 11%
Somewhat Agree 61 35%
Somewhat Disagree 58 33%
Strongly Disagree 32 18%
Don't Know 6 3%
Statistics: Total Responses 176
Value Count Percent
Strongly Agree 75 43%
Somewhat Agree 66 38%
Somewhat Disagree 22 13%
Strongly Disagree 10 6%
Don't Know 3 2%
Statistics: Total Responses 176
Value Count Percent
Strongly Agree 71 40%
Somewhat Agree 71 40%
Somewhat Disagree 14 8%
Strongly Disagree 17 10%
Don't Know 3 2%
Statistics: Total Responses 176
Value Count Percent
Yes, we have one GRC solution for the entire organization 41 23%
Yes, we have multiple GRC solutions that we use across the organization 60 34%
Yes, we have a GRC solution in my department but I am unaware of what other departments are doing 17 10%
No, we do not have any GRC solutions being used in our organization 56 32%
Don't Know 2 1%
Statistics: Total Responses 176
In each of the following categories, how has your organization approached GRC technology solutions? (select all that apply)
NOTE: Definitions for each of these categories can be found at http://www.oceg.org/resources/grc-technology-solutions/
Each cell shows percent (count).

| Category | Spreadsheets, Documents, and Emails | Solution Built and Supported In-House by IT | Commercial GRC Software for this Category | Two or More Commercial GRC Software Solutions for this Category | Don't Know | Responses |
| --- | --- | --- | --- | --- | --- | --- |
| Audit and Assurance Management | 57% (99) | 12% (20) | 37% (64) | 6% (11) | 8% (14) | 173 |
| Board and Entity Management | 46% (79) | 12% (20) | 13% (23) | 2% (4) | 32% (55) | 172 |
| Brand and Reputation Management | 44% (75) | 5% (9) | 6% (10) | 2% (4) | 47% (81) | 172 |
| Business Continuity Management | 50% (86) | 15% (25) | 23% (39) | 3% (5) | 20% (35) | 172 |
| Compliance Management | 59% (102) | 12% (21) | 28% (48) | 8% (14) | 10% (18) | 173 |
| Contract Management | 47% (80) | 20% (34) | 22% (37) | 6% (10) | 18% (31) | 172 |
| Control Activity, Monitoring, and Assurance | 52% (89) | 14% (24) | 27% (47) | 8% (13) | 16% (28) | 171 |
| Corporate Social Responsibility | 41% (70) | 5% (8) | 9% (16) | 2% (3) | 46% (79) | 171 |
| Discovery/eDiscovery Management | 34% (58) | 9% (16) | 13% (22) | 6% (10) | 45% (77) | 172 |
| Environmental Monitoring and Reporting | 42% (72) | 8% (13) | 13% (23) | 4% (6) | 40% (69) | 171 |
| Environmental, Health, and Safety | 44% (76) | 9% (16) | 14% (24) | 3% (5) | 38% (65) | 171 |
| Finance/Treasury Risk Management | 39% (67) | 20% (34) | 25% (44) | 8% (14) | 24% (42) | 173 |
| Fraud & Corruption Detection, Prevention & Management | 48% (83) | 12% (21) | 20% (34) | 9% (15) | 26% (45) | 173 |
| Global Trade Compliance/International Dealings | 32% (54) | 8% (14) | 12% (20) | 4% (6) | 51% (88) | 171 |
| Hotline/Helpline | 27% (46) | 21% (36) | 31% (54) | 3% (6) | 26% (44) | 172 |
| Information/IT Risk & Security | 38% (65) | 27% (46) | 34% (58) | 8% (13) | 17% (30) | 173 |
| Insurance and Claims Management | 36% (62) | 15% (25) | 14% (24) | 5% (8) | 41% (71) | 172 |
| Intellectual Property Management | 38% (66) | 11% (19) | 7% (12) | 1% (1) | 49% (85) | 172 |
| Issue and Investigations Management | 45% (77) | 12% (21) | 25% (42) | 5% (9) | 24% (41) | 171 |
| Matter Management | 29% (49) | 4% (7) | 13% (22) | 3% (5) | 54% (93) | 171 |
| Physical Security & Loss Management | 43% (74) | 17% (29) | 17% (29) | 3% (6) | 34% (58) | 172 |
| Policy Management, Communication, & Training | 47% (80) | 24% (42) | 25% (43) | 6% (11) | 15% (26) | 172 |
| Privacy Management | 41% (70) | 13% (22) | 15% (25) | 3% (6) | 40% (68) | 172 |
| Quality Management and Monitoring | 40% (70) | 18% (31) | 17% (29) | 6% (11) | 34% (59) | 173 |
| Reporting and Disclosure | 50% (85) | 15% (26) | 23% (40) | 3% (5) | 26% (45) | 171 |
| Risk Management | 54% (94) | 20% (35) | 31% (53) | 6% (10) | 14% (25) | 173 |
| Strategy, Performance, and Business Intelligence | 42% (73) | 12% (20) | 17% (29) | 7% (12) | 35% (61) | 172 |
| Third Party/Vendor Risk & Compliance | 49% (85) | 12% (20) | 24% (42) | 6% (11) | 23% (40) | 172 |
| Other | 21% (34) | 3% (5) | 3% (5) | 1% (1) | 74% (121) | 164 |
What has been your company’s average annual spend on GRC solutions in the following categories over the past three years (include license fees, maintenance fees, subscription fees and consulting fees)?
Each cell shows percent (count).

| Category | No Spend | $1 to $25,000 | $25,001 to $100,000 | $100,001 to $500,000 | $500,001 to $999,999 | >$1,000,000 | Don't Know | Responses |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Audit and Assurance Management | 19% (32) | 17% (30) | 15% (25) | 7% (12) | 2% (4) | 0% (0) | 40% (69) | 172 |
| Board and Entity Management | 22% (37) | 11% (19) | 5% (8) | 3% (5) | 0% (0) | 1% (1) | 59% (99) | 169 |
| Brand and Reputation Management | 23% (39) | 10% (17) | 3% (5) | 2% (4) | 2% (3) | 1% (1) | 59% (100) | 169 |
| Business Continuity Management | 21% (35) | 13% (21) | 7% (12) | 6% (10) | 1% (2) | 0% (0) | 52% (88) | 168 |
| Compliance Management | 15% (26) | 14% (24) | 14% (23) | 8% (14) | 1% (2) | 3% (5) | 44% (75) | 169 |
| Contract Management | 19% (32) | 15% (25) | 6% (10) | 4% (7) | 1% (1) | 1% (2) | 54% (91) | 168 |
| Control Activity, Monitoring, and Assurance | 19% (32) | 13% (22) | 7% (12) | 7% (12) | 1% (1) | 1% (2) | 52% (87) | 168 |
| Corporate Social Responsibility | 24% (41) | 10% (17) | 4% (6) | 0% (0) | 1% (2) | 1% (1) | 60% (101) | 168 |
| Discovery/eDiscovery Management | 23% (38) | 9% (15) | 4% (6) | 2% (3) | 1% (2) | 0% (0) | 62% (104) | 168 |
| Environmental Monitoring and Reporting | 26% (43) | 8% (13) | 3% (5) | 2% (3) | 1% (1) | 1% (1) | 61% (102) | 168 |
| Environmental, Health, and Safety | 22% (37) | 11% (18) | 4% (7) | 2% (3) | 2% (3) | 1% (1) | 59% (99) | 168 |
| Finance/Treasury Risk Management | 17% (28) | 10% (17) | 6% (10) | 4% (7) | 2% (3) | 2% (3) | 60% (100) | 168 |
| Fraud & Corruption Detection, Prevention & Management | 18% (31) | 15% (25) | 4% (7) | 5% (8) | 1% (1) | 2% (3) | 55% (93) | 168 |
| Global Trade Compliance/International Dealings | 24% (40) | 9% (15) | 4% (7) | 1% (1) | 0% (0) | 1% (2) | 61% (103) | 168 |
| Hotline/Helpline | 18% (30) | 15% (26) | 9% (15) | 4% (6) | 2% (3) | 0% (0) | 53% (89) | 169 |
| Information/IT Risk & Security | 12% (21) | 12% (20) | 9% (15) | 12% (21) | 2% (4) | 3% (5) | 49% (83) | 169 |
| Insurance and Claims Management | 23% (39) | 9% (15) | 3% (5) | 3% (5) | 0% (0) | 3% (5) | 59% (99) | 168 |
| Intellectual Property Management | 25% (41) | 10% (17) | 1% (1) | 1% (2) | 1% (2) | 1% (1) | 62% (103) | 167 |
| Issue and Investigations Management | 22% (37) | 11% (19) | 5% (8) | 4% (7) | 1% (1) | 2% (4) | 55% (92) | 168 |
| Matter Management | 27% (45) | 8% (13) | 2% (4) | 1% (1) | 1% (1) | 1% (1) | 61% (103) | 168 |
| Physical Security & Loss Management | 17% (28) | 11% (19) | 8% (14) | 3% (5) | 1% (1) | 2% (3) | 58% (96) | 166 |
| Policy Management, Communication, & Training | 15% (26) | 18% (31) | 8% (13) | 6% (10) | 1% (2) | 0% (0) | 51% (86) | 168 |
| Privacy Management | 24% (41) | 11% (19) | 5% (8) | 1% (2) | 1% (2) | 0% (0) | 57% (96) | 168 |
| Quality Management and Monitoring | 21% (35) | 11% (19) | 4% (6) | 4% (7) | 4% (6) | 1% (1) | 56% (94) | 168 |
| Reporting and Disclosure | 20% (34) | 11% (19) | 9% (15) | 1% (2) | 1% (1) | 1% (2) | 57% (95) | 168 |
| Risk Management | 16% (27) | 17% (28) | 11% (18) | 9% (15) | 0% (0) | 2% (4) | 46% (77) | 169 |
| Strategy, Performance, and Business Intelligence | 20% (33) | 10% (16) | 6% (10) | 5% (8) | 1% (1) | 1% (2) | 58% (98) | 168 |
| Third Party/Vendor Risk & Compliance | 19% (32) | 17% (28) | 9% (15) | 3% (5) | 1% (1) | 1% (1) | 51% (85) | 167 |
Value Count Percent
A centralized "GRC Platform" for the entire enterprise across all relevant categories to your business 62 36%
A federated "GRC Platform" for certain categories and "best of breed" solutions in others 46 27%
A distributed range of "best of breed" solutions in different categories that operate independently of each other 36 21%
Other 7 4%
Don't Know 22 13%
Statistics: Total Responses 173
Value Count Percent
Brand name 25 15%
Price 91 53%
Customer service 33 19%
They have a local office 17 10%
They are a large, financially stable company 33 19%
They specialize in my industry 33 19%
Best functionality in the area I oversee 58 34%
Ability to configure the software without vendor support & charges 57 33%
Ease of use 77 45%
Ability to integrate with existing ERP system 33 19%
Mobile functionality 6 4%
I can buy all the functionality/modules I need from the same provider 22 13%
Total Responses 171
Value Count Percent
Internet search 101 59%
GRC software report 94 55%
Intermediary (eg: accounting firm, insurance co, law firm etc) 50 29%
GRC software advisor 64 38%
Referral from a friend / colleague 64 38%
Industry exhibition, web forum 66 39%
Response to an advertisement 14 8%
Statistics: Total Responses 170
Value Count Percent
No new technology solutions are needed 36 24%
We are waiting until the market matures before taking action or looking at new technology solutions for GRC needs 27 18%
We will primarily make use of boutique vendors and point solutions to meet GRC needs 34 23%
We will look primarily to our ERP provider(s) to help meet GRC needs 12 8%
Don't know 18 12%
Other 21 14%
Statistics: Total Responses 148
Value Count Percent
We are buying new point solutions to resolve specific GRC issues 44 30%
We are looking first to our existing environment for solutions that can be used or repurposed 63 43%
We are extending our existing enterprise architectures with add-on solutions offered by our current enterprise software vendors 28 19%
We are extending our existing enterprise architectures by developing customized solutions 23 16%
Don't know 21 14%
Statistics: Total Responses 148
Value Count Percent
Lower or avoid costs 51 34%
Increase reliability 19 13%
Improve performance 58 39%
Improve consistency of information 64 43%
Increase analytics and rapid visibility to risk 79 53%
Reduce complexity 49 33%
Reduce risks 58 39%
Regulatory compliance 60 41%
Statistics: Total Responses 148
Value Count Percent
Audit and Assurance Management 34 23%
Board and Entity Management 5 3%
Brand and Reputation Management 4 3%
Business Continuity Management 18 12%
Compliance Management 44 30%
Contract Management 13 9%
Control Activity, Monitoring, and Assurance 31 21%
Corporate Social Responsibility 1 1%
Discovery/eDiscovery Management 3 2%
Environmental Monitoring and Reporting 2 1%
Environmental, Health, and Safety 3 2%
Finance/Treasury Risk Management 12 8%
Fraud & Corruption Detection, Prevention & Management 15 10%
Hotline/Helpline 9 6%
Information/IT Risk & Security 31 21%
Insurance and Claims Management 3 2%
Intellectual Property Management 3 2%
Issue and Investigations Management 14 10%
Matter Management 2 1%
Physical Security & Loss Management 2 1%
Policy Management, Communication, & Training 28 19%
Privacy Management 4 3%
Quality Management and Monitoring 5 3%
Reporting and Disclosure 17 12%
Risk Management 48 33%
Strategy, Performance, and Business Intelligence 13 9%
Third Party/Vendor Risk & Compliance 15 10%
Other 7 5%
Don't Know 42 29%
StatisticsTotal Responses 147
| Value | Count | Percent |
|---|---|---|
| Strongly Agree | 17 | 14% |
| Somewhat Agree | 60 | 48% |
| Somewhat Disagree | 32 | 26% |
| Strongly Disagree | 12 | 10% |
| Don't Know | 4 | 3% |

Statistics: Total Responses 125
| Value | Count | Percent |
|---|---|---|
| SaaS | 40 | 32% |
| Internally hosted | 51 | 41% |
| No preference | 25 | 20% |
| Don't Know | 9 | 7% |

Statistics: Total Responses 125
| Value | Count | Percent |
|---|---|---|
| Annual subscription contract with no upfront license fee | 24 | 19% |
| License with an annual maintenance contract | 53 | 42% |
| No preference | 37 | 30% |
| Don't Know | 11 | 9% |

Statistics: Total Responses 125
| Value | Count | Percent |
|---|---|---|
| Lower cost competitor | 7 | 6% |
| Internal requirement for One-Stop-Shop | 21 | 17% |
| Poor customer service (e.g. support line, product upgrades) | 20 | 16% |
| Lack of functionality | 50 | 40% |
| Reduction in compliance budget | 6 | 5% |
| Other | 11 | 9% |
| Don't Know | 10 | 8% |

Statistics: Total Responses 125
What is the timeframe that you expect for your organization to implement new or additional GRC solutions?

Each cell shows the percentage of respondents followed by the count in parentheses.

| Category | Immediately | 1 to 6 months | 7 to 12 months | 1 to 2 years | More than 2 years | Don't Know | Responses |
|---|---|---|---|---|---|---|---|
| Audit and Assurance Management | 6% (8) | 7% (9) | 7% (9) | 17% (21) | 17% (21) | 46% (57) | 125 |
| Board and Entity Management | 2% (3) | 2% (2) | 5% (6) | 6% (8) | 14% (17) | 71% (89) | 125 |
| Brand and Reputation Management | 2% (2) | 1% (1) | 4% (5) | 5% (6) | 12% (15) | 77% (96) | 125 |
| Business Continuity Management | 3% (4) | 9% (11) | 7% (9) | 18% (22) | 11% (14) | 52% (65) | 125 |
| Compliance Management | 6% (7) | 11% (14) | 11% (14) | 17% (21) | 11% (14) | 44% (55) | 125 |
| Contract Management | 3% (4) | 8% (10) | 6% (7) | 9% (11) | 11% (14) | 63% (79) | 125 |
| Control Activity, Monitoring, and Assurance | 3% (4) | 10% (13) | 6% (7) | 15% (19) | 12% (15) | 54% (67) | 125 |
| Corporate Social Responsibility | 2% (2) | 2% (2) | 0% (0) | 9% (11) | 8% (10) | 80% (100) | 125 |
| Discovery/eDiscovery Management | 2% (3) | 3% (4) | 3% (4) | 4% (5) | 11% (14) | 76% (95) | 125 |
| Environmental Monitoring and Reporting | 2% (2) | 2% (3) | 2% (2) | 8% (10) | 6% (8) | 80% (100) | 125 |
| Environmental, Health, and Safety | 3% (4) | 2% (2) | 2% (3) | 10% (12) | 8% (10) | 75% (94) | 125 |
| Finance/Treasury Risk Management | 3% (4) | 6% (8) | 4% (5) | 10% (12) | 10% (12) | 67% (84) | 125 |
| Fraud & Corruption Detection, Prevention & Management | 2% (3) | 2% (2) | 7% (9) | 13% (16) | 11% (14) | 65% (81) | 125 |
| Global Trade Compliance/International Dealings | 2% (2) | 2% (3) | 2% (3) | 4% (5) | 10% (13) | 79% (99) | 125 |
| Hotline/Helpline | 6% (8) | 2% (3) | 3% (4) | 4% (5) | 12% (15) | 72% (90) | 125 |
| Information/IT Risk & Security | 5% (6) | 6% (7) | 11% (14) | 15% (19) | 12% (15) | 51% (64) | 125 |
| Insurance and Claims Management | 2% (2) | 1% (1) | 2% (2) | 4% (5) | 13% (16) | 79% (99) | 125 |
| Intellectual Property Management | 2% (2) | 3% (4) | 2% (2) | 6% (8) | 9% (11) | 78% (98) | 125 |
| Issue and Investigations Management | 3% (4) | 4% (5) | 6% (8) | 8% (10) | 10% (13) | 68% (85) | 125 |
| Matter Management | 2% (3) | 4% (5) | 2% (3) | 2% (2) | 10% (12) | 80% (100) | 125 |
| Physical Security & Loss Management | 5% (6) | 2% (2) | 2% (3) | 5% (6) | 10% (13) | 76% (95) | 125 |
| Policy Management, Communication, & Training | 4% (5) | 6% (8) | 10% (12) | 13% (16) | 10% (13) | 57% (71) | 125 |
| Privacy Management | 2% (3) | 3% (4) | 7% (9) | 6% (8) | 9% (11) | 72% (90) | 125 |
| Quality Management and Monitoring | 2% (3) | 3% (4) | 6% (7) | 10% (12) | 10% (12) | 70% (87) | 125 |
| Reporting and Disclosure | 3% (4) | 5% (6) | 7% (9) | 5% (6) | 8% (10) | 72% (90) | 125 |
| Risk Management | 8% (10) | 10% (13) | 8% (10) | 17% (21) | 9% (11) | 48% (60) | 125 |
| Strategy, Performance, and Business Intelligence | 6% (8) | 3% (4) | 7% (9) | 4% (5) | 9% (11) | 70% (88) | 125 |
| Third Party/Vendor Risk & Compliance | 5% (6) | 2% (3) | 10% (12) | 10% (13) | 6% (7) | 67% (84) | 125 |
What do you estimate your company’s budget on GRC solutions per year will be (once your company decides to implement such software) in the following areas?

Each cell shows the percentage of respondents followed by the count in parentheses.

| Category | No Spend | $1 to $25,000 | $25,001 to $100,000 | $100,001 to $500,000 | $500,001 to $999,999 | >USD $1,000,000 | Don't Know | We do not have a budget | Responses |
|---|---|---|---|---|---|---|---|---|---|
| Audit and Assurance Management | 7% (9) | 21% (26) | 10% (12) | 9% (11) | 1% (1) | 0% (0) | 30% (38) | 22% (28) | 125 |
| Board and Entity Management | 10% (13) | 11% (14) | 6% (7) | 0% (0) | 0% (0) | 0% (0) | 40% (50) | 33% (41) | 125 |
| Brand and Reputation Management | 13% (16) | 10% (13) | 2% (2) | 1% (1) | 0% (0) | 1% (1) | 39% (49) | 34% (43) | 125 |
| Business Continuity Management | 7% (9) | 8% (10) | 10% (13) | 6% (7) | 1% (1) | 0% (0) | 39% (49) | 29% (36) | 125 |
| Compliance Management | 6% (7) | 14% (17) | 12% (15) | 10% (12) | 0% (0) | 1% (1) | 34% (42) | 25% (31) | 125 |
| Contract Management | 11% (14) | 7% (9) | 9% (11) | 6% (7) | 0% (0) | 1% (1) | 40% (50) | 26% (33) | 125 |
| Control Activity, Monitoring, and Assurance | 10% (12) | 14% (18) | 6% (7) | 5% (6) | 1% (1) | 0% (0) | 34% (43) | 30% (38) | 125 |
| Corporate Social Responsibility | 14% (18) | 10% (12) | 2% (2) | 1% (1) | 0% (0) | 0% (0) | 41% (51) | 33% (41) | 125 |
| Discovery/eDiscovery Management | 15% (19) | 8% (10) | 4% (5) | 1% (1) | 0% (0) | 0% (0) | 38% (47) | 34% (43) | 125 |
| Environmental Monitoring and Reporting | 14% (17) | 9% (11) | 2% (2) | 2% (2) | 0% (0) | 0% (0) | 40% (50) | 34% (43) | 125 |
| Environmental, Health, and Safety | 13% (16) | 10% (12) | 3% (4) | 3% (4) | 0% (0) | 0% (0) | 37% (46) | 34% (42) | 124 |
| Finance/Treasury Risk Management | 10% (12) | 6% (8) | 9% (11) | 2% (3) | 3% (4) | 0% (0) | 41% (51) | 29% (36) | 125 |
| Fraud & Corruption Detection, Prevention & Management | 11% (14) | 10% (12) | 8% (10) | 2% (2) | 0% (0) | 1% (1) | 38% (47) | 31% (39) | 125 |
| Global Trade Compliance/International Dealings | 14% (18) | 7% (9) | 2% (3) | 1% (1) | 0% (0) | 0% (0) | 42% (52) | 34% (42) | 125 |
| Hotline/Helpline | 12% (15) | 12% (15) | 6% (8) | 2% (2) | 0% (0) | 0% (0) | 38% (47) | 30% (38) | 125 |
| Information/IT Risk & Security | 8% (10) | 10% (13) | 9% (11) | 9% (11) | 2% (2) | 0% (0) | 36% (45) | 26% (33) | 125 |
| Insurance and Claims Management | 11% (14) | 6% (8) | 2% (3) | 1% (1) | 2% (2) | 1% (1) | 41% (51) | 36% (45) | 125 |
| Intellectual Property Management | 14% (17) | 8% (10) | 2% (2) | 0% (0) | 2% (2) | 0% (0) | 40% (50) | 35% (44) | 125 |
| Issue and Investigations Management | 12% (15) | 8% (10) | 8% (10) | 2% (3) | 1% (1) | 0% (0) | 38% (47) | 31% (39) | 125 |
| Matter Management | 14% (18) | 5% (6) | 2% (3) | 2% (2) | 0% (0) | 0% (0) | 39% (49) | 38% (47) | 125 |
| Physical Security & Loss Management | 11% (14) | 8% (10) | 5% (6) | 2% (2) | 0% (0) | 0% (0) | 38% (48) | 36% (45) | 125 |
| Policy Management, Communication, & Training | 10% (12) | 10% (13) | 9% (11) | 2% (2) | 0% (0) | 2% (2) | 37% (46) | 31% (39) | 125 |
| Privacy Management | 10% (13) | 10% (12) | 5% (6) | 1% (1) | 0% (0) | 0% (0) | 41% (51) | 34% (42) | 125 |
| Quality Management and Monitoring | 14% (18) | 5% (6) | 6% (8) | 3% (4) | 0% (0) | 0% (0) | 38% (47) | 34% (42) | 125 |
| Reporting and Disclosure | 13% (16) | 4% (5) | 9% (11) | 2% (3) | 2% (2) | 1% (1) | 38% (47) | 32% (40) | 125 |
| Risk Management | 9% (11) | 10% (12) | 10% (13) | 8% (10) | 2% (3) | 0% (0) | 32% (40) | 29% (36) | 125 |
| Strategy, Performance, and Business Intelligence | 12% (15) | 6% (7) | 6% (8) | 2% (2) | 1% (1) | 1% (1) | 40% (49) | 33% (41) | 124 |
| Third Party/Vendor Risk & Compliance | 11% (14) | 10% (12) | 3% (4) | 5% (6) | 1% (1) | 0% (0) | 38% (48) | 32% (40) | 125 |
| Value | Count | Percent |
|---|---|---|
| Internet search | 58 | 46% |
| GRC software report | 83 | 66% |
| Intermediary (eg: accounting firm, insurance co, law firm etc) | 36 | 29% |
| GRC software advisor | 49 | 39% |
| Referral from a friend / colleague | 52 | 42% |
| Industry exhibition, web forum | 52 | 42% |
| Response to an advertisement | 9 | 7% |
| Other | 11 | 9% |

Statistics: Total Responses 125
| Value | Count | Percent |
|---|---|---|
| Brand name | 10 | 8% |
| Price | 57 | 46% |
| Customer service | 32 | 26% |
| They have a local office | 8 | 6% |
| They are a large, financially stable company | 21 | 17% |
| They specialize in my industry | 34 | 27% |
| Best functionality in the area I oversee | 55 | 44% |
| Ability to configure the software | 43 | 34% |
| Ease of use | 61 | 49% |
| Ability to integrate with existing ERP system | 27 | 22% |
| Mobile functionality | 3 | 2% |
| I can buy all the functionality/modules I need from the same provider | 15 | 12% |

Statistics: Total Responses 125
| Value | Count | Percent |
|---|---|---|
| Peer feedback and recommendations | 77 | 62% |
| Whitepapers | 61 | 49% |
| Datasheets (short, 2 page overview) | 25 | 20% |
| Webinars | 28 | 22% |
| Product Demos | 84 | 67% |
| Product Trials | 50 | 40% |
| 2 minute overview videos | 7 | 6% |
| Blogs and other forms of social media | 4 | 3% |
| Community forums and websites | 23 | 18% |

Statistics: Total Responses 125
| Value | Count | Percent |
|---|---|---|
| Audit | 12 | 10% |
| Compliance | 8 | 7% |
| Finance | 25 | 22% |
| Information Technology | 22 | 19% |
| Legal | 3 | 3% |
| Risk Management | 24 | 21% |
| Other | 22 | 19% |

Statistics: Total Responses 116
| Value | Count | Percent |
|---|---|---|
| Audit | 11 | 9% |
| Compliance | 10 | 9% |
| Finance | 15 | 13% |
| Information Technology | 22 | 19% |
| Legal | 7 | 6% |
| Risk Management | 32 | 28% |
| Other | 19 | 16% |

Statistics: Total Responses 116
Do you plan to spend more / same / less on GRC solutions in the following categories over the next 3 years?

Each cell shows the percentage of respondents followed by the count in parentheses.

| Category | More | Same | Less | Don't Know | Responses |
|---|---|---|---|---|---|
| Audit and Assurance Management | 28% (32) | 24% (28) | 4% (5) | 44% (51) | 116 |
| Board and Entity Management | 14% (16) | 20% (23) | 6% (7) | 60% (70) | 116 |
| Brand and Reputation Management | 10% (12) | 18% (21) | 5% (6) | 66% (77) | 116 |
| Business Continuity Management | 23% (27) | 16% (18) | 7% (8) | 54% (63) | 116 |
| Compliance Management | 37% (43) | 13% (15) | 7% (8) | 43% (50) | 116 |
| Contract Management | 20% (23) | 18% (21) | 6% (7) | 56% (65) | 116 |
| Control Activity, Monitoring, and Assurance | 31% (36) | 11% (13) | 5% (6) | 53% (61) | 116 |
| Corporate Social Responsibility | 10% (12) | 19% (22) | 6% (7) | 65% (75) | 116 |
| Discovery/eDiscovery Management | 10% (12) | 17% (20) | 5% (6) | 67% (78) | 116 |
| Environmental Monitoring and Reporting | 12% (14) | 16% (18) | 5% (6) | 67% (78) | 116 |
| Environmental, Health, and Safety | 11% (13) | 18% (21) | 5% (6) | 66% (76) | 116 |
| Finance/Treasury Risk Management | 16% (18) | 22% (26) | 7% (8) | 55% (64) | 116 |
| Fraud & Corruption Detection, Prevention & Management | 28% (32) | 17% (20) | 5% (6) | 50% (58) | 116 |
| Global Trade Compliance/International Dealings | 9% (11) | 16% (19) | 7% (8) | 67% (78) | 116 |
| Hotline/Helpline | 10% (12) | 22% (25) | 6% (7) | 62% (72) | 116 |
| Information/IT Risk & Security | 34% (39) | 15% (17) | 5% (6) | 47% (54) | 116 |
| Insurance and Claims Management | 9% (11) | 22% (25) | 7% (8) | 62% (72) | 116 |
| Intellectual Property Management | 8% (9) | 19% (22) | 9% (10) | 65% (75) | 116 |
| Issue and Investigations Management | 18% (21) | 19% (22) | 7% (8) | 56% (65) | 116 |
| Matter Management | 9% (11) | 17% (20) | 7% (8) | 66% (77) | 116 |
| Physical Security & Loss Management | 10% (12) | 22% (25) | 5% (6) | 63% (73) | 116 |
| Policy Management, Communication, & Training | 32% (37) | 15% (17) | 6% (7) | 47% (55) | 116 |
| Privacy Management | 16% (18) | 21% (24) | 5% (6) | 59% (68) | 116 |
| Quality Management and Monitoring | 17% (20) | 17% (20) | 6% (7) | 59% (69) | 116 |
| Reporting and Disclosure | 17% (20) | 21% (24) | 6% (7) | 56% (65) | 116 |
| Risk Management | 35% (41) | 17% (20) | 7% (8) | 41% (47) | 116 |
| Strategy, Performance, and Business Intelligence | 22% (26) | 20% (23) | 5% (6) | 53% (61) | 116 |
| Third Party/Vendor Risk & Compliance | 28% (32) | 15% (17) | 5% (6) | 53% (61) | 116 |
| Value | Count | Percent |
|---|---|---|
| Same as last year | 21 | 18% |
| Increase of up to 10% | 24 | 21% |
| Increase of 10% to 25% | 20 | 17% |
| Increase of greater than 25% | 17 | 15% |
| Decrease of up to 10% | 5 | 4% |
| Decrease of 10% to 25% | 5 | 4% |
| Decrease of greater than 25% | 4 | 3% |
| Don't Know | 20 | 17% |

Statistics: Total Responses 116
| Value | Count | Percent |
|---|---|---|
| Strongly Agree | 9 | 8% |
| Somewhat Agree | 44 | 38% |
| Somewhat Disagree | 27 | 23% |
| Strongly Disagree | 29 | 25% |
| Don't Know | 7 | 6% |

Statistics: Total Responses 116
| Value | Count | Percent |
|---|---|---|
| In the official IT budget | 23 | 20% |
| In the GRC budgets | 19 | 16% |
| In the business functions (sales & marketing, HR, product development, finance, etc.) | 16 | 14% |
| Split between the IT, GRC and/or business budgets | 27 | 23% |
| My organization has not budgeted resources for any GRC enabling technology for 2014 | 17 | 15% |
| Don't Know | 14 | 12% |

Statistics: Total Responses 116
| Value | Count | Percent |
|---|---|---|
| Strongly Agree | 8 | 7% |
| Somewhat Agree | 36 | 31% |
| Somewhat Disagree | 35 | 30% |
| Strongly Disagree | 29 | 25% |
| Don't Know | 8 | 7% |

Statistics: Total Responses 116
| Value | Count | Percent |
|---|---|---|
| Enterprise | 51 | 44% |
| Multiple departments | 41 | 35% |
| Single Department | 12 | 10% |
| Group/Issue | 3 | 3% |
| Don't Know | 9 | 8% |

Statistics: Total Responses 116
www.OCEG.org
4835 E. Cactus Road, Suite 225
Scottsdale, Arizona 85254
United States of America
@OCEG
+1 (602) 234-9278