2016 GRC Market Analysis, Segmentation & Trends
State of the GRC Market
October 2016
Michael Rasmussen, J.D., GRCP, CCEP
The GRC Pundit @ GRC 20/20 Research, LLC
OCEG Fellow @ www.OCEG.org
DO NOT DISTRIBUTE, SUBSCRIBER PERSONAL USE ONLY
© GRC 20/20 Research, LLC • www.GRC2020.com
Terms & Conditions . . .
- GRC 20/20 Research Briefings are copyrighted and protected material. Content cannot be reused or distributed without written permission from GRC 20/20 Research, LLC.
- GRC Advisor Enterprise Subscribers get access to live and recorded Research Briefings for all employees for INTERNAL use only through the GRC 20/20 website. If they wish to host a recording internally, there is a fee for this.
- GRC Basic Subscribers pay for individual access to specific GRC 20/20 Research Briefings. Individual access is for the individual only; slides and login credentials are not to be shared with others or viewed as a group.
Two Things to Note . . .
Complimentary Inquiry
- Organizations evaluating or considering GRC solutions are free to ask GRC 20/20 for our understanding and comparison of solutions in the market against your GRC requirements.
- Inquiries are single-focus questions that can be answered in under 30 minutes.
- Complimentary inquiry is only available to organizations evaluating or considering GRC solutions for their internal use.
RFP Development & Support
- GRC 20/20 has an extensive library of RFP requirements across the range of GRC capability areas presented in this briefing.
- GRC 20/20 can be engaged in RFP development and support projects to streamline your process, gain perspectives learned from other organizations, and keep solution providers honest in their responses.
Our Objectives . . .
1) GRC Market Definition, Overview & Segmentation
2) GRC Market Drivers & Trends
3) GRC Market Sizing, Forecasting & Predictions
The Official Definition of GRC . . .
GRC is the integrated collection of capabilities that enable an organization to:
G) reliably achieve objectives, R) while addressing uncertainty, and C) acting with integrity.
SOURCE: OCEG GRC Capability Model
Governance, Risk Management & Compliance in Context
Governance: Governance sets direction and strategy for the organization to reliably achieve objectives. Governance sets the context for risk management; without that context, risk management fails.
Risk Management: Risk management seeks to understand and manage uncertainty by assessing and monitoring risk in context, and by taking action on risk through acceptance, avoidance, mitigation, or transfer.
Compliance: Compliance aims to see that the organization acts with integrity in fulfilling its regulatory, contractual, and self-imposed obligations and values. Compliance follows through on risk treatment plans to assure that risk is being managed within limits and that controls are in place and functioning.
Are you truly aware of your risks?
“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”
E.J. Smith, Captain of the Titanic
Realize that everything connects to everything else.
Leonardo da Vinci
The Chaos of Interconnectedness
The Organization Has to be Able to See . . .
- The Tree: the individual area of risk
- The Forest: the interconnectedness of risk
Change is the Greatest Challenge Impacting GRC Management
(Illustration: ©2012 OCEG, Anti-Corruption Illustrated Series; contact Carole S. Switzer for comments, reprints or licensing requests; see www.oceg.org for other installments.)
External Risk Change: Monitor change in the external risk environment to determine how uncertainty in economic, geo-political, environmental, industry, societal, and market forces affects current and needed policies. Factors shown: market forces, industry, technology, competitive forces, geo-political, societal forces.
Internal Risk/Business Change: Monitor changes to the internal environment to identify how changes to strategy, mergers & acquisitions, processes, technology, business relationships, and employees affect current and needed policies. Factors shown: mergers & acquisitions, strategy, processes, IT, employees, financial position, business relationships.
Regulatory/Legal Change: Monitor change in the legal and regulatory environment to determine how pending legislation, court decisions, new/changing regulations, and enforcement actions affect current and needed policies. Factors shown: court rulings, enforcement, legislation, regulations.
Regulatory Activity in Financial Services 2008 to 2015 (chart)
*Note: Tracked activity includes document changes, announcements, and enforcements by regulators.
Average Daily Alerts = Total Alerts Year-on-Year / 261 Working Days
SOURCE: Thomson Reuters
Inevitability of Failure: Too Many Approaches
There are too many departments sending too many communications in different formats. GRC management is buried in documents, spreadsheets & emails.
- Wasted resources through redundancy & overlap
- Excessive emails, documents, and paper trails
- Poor visibility & reporting
- Files and documents out of sync
- Overwhelming complexity
- Lack of accountability
Confusing Conundrum of GRC Management Processes & Information
The Winchester Mystery House
- 160 rooms
- 47 fireplaces
- 6 kitchens
- 10,000 windows
- 65 doors to blank walls
- 13 staircases abandoned
- 25 skylights – in floors
- 147 builders / no architects
- Built without a blueprint
- $5.5 million over 38 years
- Inability to gain a clear view of GRC dependencies;
- High cost of consolidating GRC information;
- Difficulty maintaining accurate GRC information;
- Failure to trend across GRC assessment periods;
- Redundant approaches limit correlation, comparison and integration of GRC information; and
- Lack of agility to respond in a timely way to changing risks, regulations, laws, and situations.
. . . and we hope nothing fails
Drivers & Trends: Enterprise GRC
Drivers
1. Constant Change: Exponential growth in regulatory, risk and business change leaves scattered GRC processes and information constantly behind and exposes the organization.
2. Growing Relationships: The growing array of 3rd party relationships, with their increased regulatory and risk exposure, is pressing organizations to include them in GRC strategies.
3. Scattered Information & Platforms: Many organizations still find they are encumbered by silos of disconnected information, and often have several disconnected GRC platforms in different areas.
4. Growing Beyond Initial GRC Platforms: Those that implemented a GRC platform in the past decade are often finding that the solution is out of date and cumbersome to use when compared to the new generation of solutions.
5. Need for External GRC Content: There is growing demand and need for the integration of external content and intelligence feeds into the GRC architecture.
Trends
1. GRC Architecture: No platform does everything. Organizations are looking toward an information and technology architecture that integrates GRC, though there is often one central core platform.
2. Integration: Enterprise GRC platforms are no longer self-contained solutions to manage GRC workflow and tasks; they require strong integration capabilities into a range of business systems.
3. Best of Breed Where it Makes Sense: In a GRC architecture approach, organizations look toward a common hub and core for Enterprise GRC but allow for best-of-breed solutions where they make sense.
4. Business Process Modeling: There is growing demand in RFPs for GRC solutions to have business process modeling capabilities to visually lay out and document how business processes function in a GRC context.
5. GRC Mobility & Engagement: Enterprise GRC is no longer for the back-office only; it needs to be intuitive and easy to use for the front-office. New releases are showing improved user interfaces and mobility options.
Varying Levels of GRC Management
- Enterprise: Top-down federated GRC management strategy across the entire organization.
- Division / Business Unit: Division or business unit management strategy.
- Department / Function / Process: Management being done at a department, function, or process level.
- Risk / Regulation / Issue: Managed in the context of a specific focus, regulation, or issue.
What is Your Approach to GRC Management?
Federated GRC Management
- An integrated approach that balances GRC management centralization with distributed participation and collaboration
Distributed GRC Management
- Disconnected departments managing GRC-related activities in different ways with little or no collaboration with other departments
GRC by Design: Federated GRC Management Architecture
A Variety of Frameworks Comprise GRC Activities in the Organization
GRC Capability Model v3.0: Iterative Cycles of Change & Improvement
What – has to be done?
Who – is going to do it?
Why – does he/she do it?
How – will it be done?
When – will it be done?
Where – will it be done?
Why – is it done like this?
KAIZEN: KAI = “change”, ZEN = “good”
GRC Strategy Within Organizations
GRC Strategy
GRC Technology
GRC Information
GRC Process
360° GRC Contextual Analytics & Intelligence Capabilities
Distributed & disconnected GRC data points → integrated and mapped together to provide context → analyzed to understand relationships → action items
GRC Information Architecture Provides 360° Contextual Intelligence
Core elements of the GRC information architecture (figure): Objectives, Risks, Controls, Issues, Roles, Policies, Obligations, Organization/Entity, Asset, Process.
Sub-categories shown in the figure:
- Objectives: Strategic, Financial, Operational
- Controls: Preventive, Corrective, Detective
- Issues: Complaint, Investigation, Event
- Risks: Strategic, Process, Department
- Obligations: Regulatory, Values, Contractual
- Policies: Code of Conduct, Training & Awareness, Policies & Procedures
- Roles: Owner, Employee, Subject Matter Expert
Benefits:
- Process optimization: All non-value-added activities are eliminated and value-added activities are streamlined to reduce lag time and undesirable variation.
- Better capital allocation: Identifying areas where there are redundancies or inefficiencies allows financial and human capital to be allocated more effectively.
- Higher quality information: Integrating GRC information allows management to make more intelligent decisions, more rapidly.
- Protected reputation: Reputation is protected and enhanced because risks are managed more effectively.
- Improved effectiveness: Overall effectiveness is improved as gaps are closed, unnecessary redundancy is reduced, and GRC activities are allocated to the right individuals and departments.
- Reduced costs: Reduced costs help to improve return on investments made in GRC activities.
% of GRC 20/20 Inquiries Related to Enterprise GRC Strategies
- 2012: 14% of inquiries were related to Enterprise GRC strategies
- 2013: 19%
- 2014: 25%
- 2015: 28%
Inquiries Received by Role
- Corporate Compliance: 28%
- Risk Management: 24%
- IT/Security: 20%
- Audit: 15%
- Other: 13%
Inquiries Received by Geography (chart)
Regions shown: Europe, North America, Central/South America, Middle East, Oceania, Asia, Africa. North America is the largest share at 47% and Europe second at 28%; the remaining shares shown are 8%, 6%, 4%, 4% and 3%, in an order the chart does not preserve.
Top 5 Industries Asking Inquiries
1. Financial Services
2. Utilities
3. Manufacturing
4. Retail
5. Life Sciences
Inquiries by Organization Size
- Large Enterprise (10,001+ employees): 36%
- Medium Enterprise (1,001 to 10,000 employees): 56%
- Small Enterprise (1 to 1,000 employees): 8%
INTEGRATION: Impact of Non-Integration & Inconsistency
In what ways is your organization adversely impacted by redundant or inconsistent processes for governance, assurance and/or management of performance, risk and compliance?
1. Difficulty auditing and providing assurance of compliance and/or risk management: 27%
2. Unnecessary cost due to redundant processes or systems: 22%
3. Inadequate controls to ensure compliance and risk management: 17%
4. Difficulty reconciling data: 15%
DATA: all 296 respondents; another 10% stated they were not adversely impacted, and 9% were unsure.
GRC Technology Purchasing Plans
Which best describes your organization's plan with regard to new technology solutions for GRC? (chart) Response categories: GRC Platform(s); Best of Breed GRC Solutions; Look to ERP Provider for GRC; Waiting for GRC Tech to Mature; No New GRC Tech; Unsure. Shares shown: 50%, 15%, 13%, 9%, 7%, 6%, in an order the chart does not preserve.
How would you characterize your organization's strategy for procuring technology solutions for GRC? (chart) In-House Development: 12%. The other categories (Purchasing New GRC Solutions, Expanding Use of Existing GRC Solutions, Unsure) account for 52%, 24% and 12%, in an order the chart does not preserve.
290 respondents from organizations using or considering GRC solutions/technology
Top 8 Objectives in Acquiring New GRC Technology
1. Increase GRC Analytics & Visibility: 57%
2. Improve Consistency of GRC Information: 51%
3. Reduce GRC Complexity: 38%
4. Regulatory Compliance Requirements: 37%
5. Reduce Risk in the Organization: 36%
6. Improve Performance in the Organization: 33%
7. Lower or Avoid GRC Costs: 27%
8. Increase Reliability of GRC: 15%
290 respondents from organizations using or considering GRC solutions/technology
Top 8 Criteria Looked for in New GRC Purchases
1. Ease of Use: 53%
2. Price: 41%
3. Functionality: 40%
4. Configurability: 39%
5. Industry Focus: 26%
6. Customer Service: 23%
7. Integration Capabilities: 21%
8. Company Stability/Viability: 16%
290 respondents from organizations using or considering GRC solutions/technology
GRC Budgets Increasing in 2016
Do you see overall GRC spending (on all aspects, not just technology) in 2016 increasing or decreasing in your organization? (chart)
Response categories: 25%+ GRC spending increase; 10% to 25% GRC spending increase; up to 10% GRC spending increase; spending staying the same as last year; up to 10% GRC spending decrease; 10% to 25% GRC spending decrease; 25%+ GRC spending decrease; unsure.
Shares shown: 21%, 19%, 19%, 19%, 17%, 3%, 1%, 1%, in an order the chart does not preserve.
290 respondents from organizations using or considering GRC solutions/technology
Top 8 GRC Purchase Areas – Organizations of All Sizes
1. Risk Management & Analytics: 42%
2. Compliance Management: 37%
3. Audit Management & Analytics: 36%
4. Enterprise GRC Platforms: 35%
5. IT GRC Management: 30%
6. Policy Management: 25%
7. Business Continuity Management: 24%
8. Internal Control Management: 22%
290 respondents from organizations using or considering GRC solutions/technology
Top 8 Spending Increases in Large Organizations
1. Compliance Management: 64%
2. IT GRC Management: 59%
3. Risk Management & Analytics: 58%
4. Automated Control Monitoring & Enforcement: 58%
5. Quality Management: 58%
6. Enterprise GRC Platforms: 56%
7. Business Continuity Management: 53%
8. Policy & Training Management: 52%
290 respondents from organizations using or considering GRC solutions/technology
Top 8 Spending Increases in Medium Organizations
1. Enterprise GRC Platforms: 71%
2. Risk Management & Analytics: 68%
3. IT GRC Management: 57%
4. Audit Management & Analytics: 52%
5. Compliance Management: 51%
6. Strategy & Performance Management: 51%
7. Policy & Training Management: 49%
8. Automated Control Monitoring & Enforcement: 44%
290 respondents from organizations using or considering GRC solutions/technology
Top 8 Spending Increases in Small Organizations
1. Risk Management & Analytics: 62%
2. Strategy & Performance Management: 56%
3. Compliance Management: 54%
4. Enterprise GRC Platforms: 53%
5. IT GRC Management: 50%
6. Issue Reporting & Management: 48%
7. Policy & Training Management: 45%
8. Quality Management: 44%
290 respondents from organizations using or considering GRC solutions/technology
“A market consists of all actual and potential customers with a specific need, which the company tries to satisfy with their product.”
Scharf / Schubert (1995)
The GRC Market: Technology, Information, & Professional Services
- GRC Technology Solutions: 843 technology solution providers that offer solutions related to GRC
- GRC Intelligence & Content Solutions: 112 providers with 384 content/intelligence solutions across a range of GRC areas
- GRC Professional Services Solutions: 1,000+ professional service firms offering services related to GRC
GRC Technology Market Segment Definitions
Segment: Description
- Enterprise GRC: Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture.
- Audit Management: Capability to manage audit planning, staff, documentation, execution/field work, findings, reporting, and analytics.
- Automated Control: Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.
- Business Continuity Management: Capability to manage, maintain, and test continuity and disaster plans, and to implement these plans in response to expected and unexpected disruptions to all areas of operation.
- Compliance Management: Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report.
- Environmental Management: Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.
- Health & Safety Management: Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.
- Internal Control Management: Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization.
- IT GRC Management: Capability to govern IT in the context of business objectives and manage IT process, technology, and information risk and compliance.
- Issue Reporting & Management: Capability to notify on issues and incidents and to manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.
- Legal Management: Capability to manage, monitor, and report on the organization’s legal operations, processes, matters, risks, and activities.
- Physical Security Management: Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.
- Policy & Training Management: Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures and related awareness activities.
- Quality Management: Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.
- Risk Management: Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects.
- Strategy & Performance Management: Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.
- Third Party Management: Capability to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly the risk and compliance challenges these relationships bring.
GRC Intelligence Market Segment Definitions
Segment: Description
- Audit Content & Intelligence: Content providers of audit templates, forms, and intelligence.
- Business Continuity Content & Intelligence: Content providers of business continuity templates, forms, and intelligence.
- Compliance Content & Intelligence: Content providers of regulatory libraries, regulatory intelligence, compliance forms and templates.
- Environmental Content & Intelligence: Content providers of environmental intelligence, forms, and templates.
- Health & Safety Content & Intelligence: Content providers of health & safety libraries, content, forms, and templates.
- Internal Control Content & Intelligence: Content providers of internal control libraries, forms, and templates.
- IT GRC Content & Intelligence: Content providers of IT GRC/security control libraries, threat and vulnerability intelligence, forms, and templates.
- Legal Content & Intelligence: Content providers of legal databases, libraries, legislation tracking, forms, templates, and spend intelligence.
- Policy & Training Content & Intelligence: Content providers of policy libraries, training courses, and policy and training related content, forms, and templates.
- Risk Management Content & Intelligence: Content providers of risk intelligence feeds, risk libraries, loss data, risk forms, and templates.
- Third Party Management Content & Intelligence: Content providers of third party management intelligence, due diligence, watch lists, negative news, ratings, monitoring, forms, and templates.
- Issue Specific Content & Intelligence: Content providers of content and intelligence related to specific issues, regulations, and risks (e.g., bribery/corruption, conflict minerals, labor).
- Industry Specific Content & Intelligence: Content providers of industry specific content and intelligence.
GRC Professional Services Market Segment Definitions
Segment: Description
- Audit Services: Services focused on external audits as well as internal audit staffing and management.
- Consulting Services: Services focused on GRC related management and strategy consulting.
- Legal Services: Services focused on legal matters and advice related to GRC.
- Outsourced Services: Services that are outsourced, such as specific GRC functions, monitoring, certification, etc.
- Systems Integration Services: Services focused on implementation, build out, and development of GRC related information and technology architecture and solutions.
GRC Technology Market: Types of Technology
- Platforms: Platforms provide a breadth of capabilities that span solution areas in a segment, enabling them to serve as a platform to manage a GRC segment extensively.
- Solutions: Solutions are technologies that are more focused in what they do. They tend to solve specific problems and come at a segment from a narrower perspective. They can complement a platform or run independently from it.
- Tools: Tools are technologies that assist or enable a segment but do not fit adequately in any of the definitions for platforms or solutions. Every GRC segment has a Miscellaneous Tools category to catch the related technologies that assist and add value, but do not have enough market presence in a segment to get their own solution or platform identification.
Central Hub of GRC Information (illustration)
The RIGHT PEOPLE with the RIGHT ACCESS to the RIGHT INFO at the RIGHT TIME
Communication: Effective communication greases the wheels of any initiative by ensuring that everyone knows what’s happening, why, and where they fit.
Stakeholders shown around the hub: CCO, Internal Audit, External Experts, Government, Hotline/Helpline.
Questions the hub must answer, as shown in the illustration: Are there any red flags? Are things going according to plan? What’s changed? What’s on the horizon? What do we need to focus on? What do I need to do? Why change something that’s working? How does it impact me? Where do I fit? What if I have (or see) a problem? (External experts: “I can help you assess the program.” / “We can help too!”)
Technology Provides Automation and Tracking (illustration)
Capabilities shown: Collaboration, Audit Trail, Enforcement, Management Reporting, Workflow & Tasks, Integration, Visibility, Global Reach, Availability, Accountability, Automation, Repository, Consistency.
Illustration captions: “Number of failures: 3; Policy violations: 0; Exceptions and deviations”; “I haven’t seen any violations.”; “This needs to be done differently.”
Defensible GRC
Elements shown in the figure: Version (date/time); Ask & Resolve Questions; Manage Exceptions; Understand Context; Provide Auditable Records; Demonstrate Sequence; Meet Requirements; Repeatable Cycle; System of Record.
Preference of SaaS or Traditional Software for GRC
Do you prefer SaaS GRC (hosted externally) or traditional software (internally hosted)?
All Responses: 31% prefer SaaS; 39% do not prefer; 21% neutral; 3% unsure; 9% don’t know
Those Leading GRC Strategy: 45% prefer SaaS; 27% do not prefer; 22% neutral; 3% unsure; 6% don’t know
290 respondents from organizations using or considering GRC solutions/technology
Preference of SaaS or Traditional Software for GRC, by Size
Do you prefer SaaS GRC (hosted externally) or traditional software (internally hosted)?
Small Organizations: 37% prefer SaaS; 32% do not prefer; 24% neutral; 3% unsure; 7% don’t know
Medium Organizations: 32% prefer SaaS; 23% do not prefer; 36% neutral; 3% unsure; 9% don’t know
Large Organizations: 25% prefer SaaS; 13% do not prefer; 53% neutral; 3% unsure; 9% don’t know
290 respondents from organizations using or considering GRC solutions/technology
Deployment Models
Overview
- On-Premise (Traditional): Installed in the local data center in a client-server model; most solutions support web-browser interfaces, but some still require a thick client (an application installed on user computers).
- Cloud Hosted Solution: A traditional on-premise implementation installed in a 3rd party data center, with a layer of online delivery added.
- Cloud SaaS Multi-Tenant: Cloud delivery from a single code base (multi-tenant).
Deployment
- On-Premise: Installed on your own hardware in your own data center. Each instance of the application requires its own hardware, software, and network connectivity.
- Cloud Hosted: Installed on a 3rd party’s hardware in a 3rd party’s data center and delivered over the Internet. Each instance of the application requires its own hardware, software, and network connectivity (which may be virtual).
- Cloud SaaS: A single code base supports all of a solution provider’s clients in a common data center, delivered over the Internet.
Implementation
- On-Premise: 6 months or more
- Cloud Hosted: 3 to 6 months
- Cloud SaaS: 2 to 12 weeks
Customization
- On-Premise: Often expensive and time-consuming; high risk of issues with upgrades due to customization.
- Cloud Hosted: Same as on-premise.
- Cloud SaaS: Tends to be highly configurable and avoids customization; low risk of issues on upgrades.
Upgrades
- On-Premise: Once a year or more
- Cloud Hosted: Same as on-premise
- Cloud SaaS: Typically quarterly, so new features are rolled out regularly
IT Support
- On-Premise: Provided by the customer
- Cloud Hosted: Mixture of customer and 3rd party hosting provider
- Cloud SaaS: Included in the subscription and provided by the solution provider
Technology Requirements
- On-Premise: Requires IT to support a specific operating environment for the server application and database.
- Cloud Hosted: Same as on-premise.
- Cloud SaaS: Delivered by web browser over the Internet; tends to be operating system and browser agnostic.
Accountability
- On-Premise: The solution provider is responsible for providing software updates and patches; the customer’s IT is responsible for maintaining software and hardware.
- Cloud Hosted: The solution provider is responsible for software updates and patches as well as maintenance of software and hardware.
- Cloud SaaS: The solution provider is responsible for software updates and patches as well as maintenance of software and hardware.
Basic, Common & Advanced Solutions
(Chart: Technology Capabilities, low to high, plotted against Value to Organization and Cost to Implement, low to high)
– Advanced: Solutions that go beyond common features and distinguish themselves with a varying array of advanced capabilities.
– Common: Solutions with features that are commonly found in the market across primary competitors in the segment.
– Basic: Solutions that have the basic elements needed, but are not as feature rich as solutions that have a lot of market traction.
GRC Engagement: Bringing GRC to the Front Lines of the Organization
GRC Collaboration: Providing Collaboration on GRC Across the Organization
GRC Operationalization: Integrating GRC Across Systems & Processes
GRC Intelligence: Integration of Actionable Content
DEMOGRAPHICS: Countries Responding (by company headquarters)
Overall Market by Geography (chart values: 71%, 3%, 16%, 6%, 2%, 1%, 1%; country labels not preserved)
GRC Intelligence & Technology Market Overlap (diagram: GRC Intelligence Market overlapping with GRC Technology Market)
GRC Technology Market: Enterprise GRC Platforms & Architecture
Segments:
– Enterprise GRC Platforms
– GRC Data Integration Solutions
– GRC Analytics & Reporting Solutions
– Organization & Process Modeling Solutions
– Miscellaneous GRC Platform & Architecture Tools
Enterprise GRC Platforms & Architecture technologies deliver a range of cross-department functionality across GRC functional areas into an integrated technology ecosystem. For some organizations this is a single GRC platform for the entire organization. For others it is an integrated architecture in which there is a core platform that extends into and integrates with a range of other solutions and data sources.
To be an Enterprise GRC Platform requires a single platform architecture with multi-department (i.e., enterprise-wide) use across the following areas, at a minimum:
– Enterprise/Operational Risk Management
– Compliance Management
– Internal Control Management
– Issue Management (e.g., incident, case, investigations)
NOTE: most Enterprise GRC Platforms offer a range of additional modules beyond these.
Four Critical Capabilities Areas that Define an Enterprise GRC Platform
(Diagram: Enterprise GRC at the center of Risk Management, Internal Control Management, Issue Reporting & Management, and Compliance Management)
What Are the Critical Components of Your GRC Platform?
Components shown (diagram): Audit Management, Business Continuity Management, Compliance Management, Health & Safety Management, IT GRC, Internal Control Management, Issue Management, Automated Controls, Policy Management, Quality Management, Risk Management, Third Party Management, Environmental Management, Legal Management, Physical Security Management, Strategy & Performance Management, plus unnamed others (shown as “?”).
Legend: 100% of Enterprise GRC RFPs; 50 to 99% of Enterprise GRC RFPs; 1 to 49% of Enterprise GRC RFPs.
2016 GRC Technology Market Size: How Big is Big?
– Current Market Size for Enterprise GRC Platforms: $1.3 B. Note, this is the market for enterprise GRC platforms; many vendors providing these platforms are also selling into specific areas.
– Broader Market Size – GRC Content & Technology: $13.6 B, when considering a broader view of the GRC ecosystem including Health & Safety, Matter Management, Environmental, IT GRC, and more. NOTE: does not include all of the IT Security or Physical Security market.
– Broadest View of the Market: $100+ B, including Physical Security, IT Security, Identity & Access, eDiscovery, Third Party Lifecycle, and more.
Enterprise GRC Platform Spending
Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?
Across All Organizations (Don’t Knows filtered out): 61% Spending More; 32% Same; 7% Spending Less; 3% Unsure
Small Organizations: 53% Spending More; 44% Same; 3% Spending Less
Medium Organizations: 71% Spending More; 27% Same; 2% Spending Less
Large Organizations: 56% Spending More; 28% Same; 16% Spending Less
290 respondents from organizations using or considering GRC solutions/technology
GRC Technology Market: Audit Management & Analytic
Segments:
– Audit Management Platforms
– Audit Analytic Solutions
– Miscellaneous Audit Tools
Audit Management & Analytic technologies are used by auditors to manage and perform audits.
– Audit management solutions are used to manage audit cycles – this includes audit planning, resource scheduling/calendaring, work paper management, audit execution, audit process management, and audit reporting. They also support a risk-based approach to audit planning that prioritizes audits based on the risk to the business.
– Audit analytic solutions use data analytics and continuous auditing (automated control enforcement & monitoring) to extract insights from operational and financial data to assist in audits and provide assurance.
Audit Management & Analytics Spending
Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?
Across All Organizations (Don’t Knows filtered out): 46% Spending More; 48% Same; 6% Spending Less; 3% Unsure
Small Organizations: 39% Spending More; 57% Same; 4% Spending Less
Medium Organizations: 52% Spending More; 44% Same; 4% Spending Less
Large Organizations: 45% Spending More; 48% Same; 7% Spending Less
290 respondents from organizations using or considering GRC solutions/technology
GRC Technology Market: Automated Control Enforcement & Monitoring
Segments:
– Transactions Control Solutions
– Fraud & Corruption Control Solutions
– Configuration Control Solutions
– Segregation of Duty Control Solutions
– Master Data Control Solutions
– Identity & Access Control Solutions
– Process Control Solutions
– End User Computing Control Solutions
– Social Media Monitoring Solutions
– Miscellaneous Automated Control Tools
Automated Control Enforcement & Monitoring technologies provide the ability to automatically and continuously monitor, enforce, test, assess, and report on controls within the organization. This category of software is also often referred to as Continuous Control Monitoring (CCM) or Automated Controls. It includes the capability to test, on a continuing or periodic basis, data and activity against defined rules to identify and report potential errors, failures of controls, or inappropriate actions – including tests of business transactions, network activity, intrusion attempts, the sharing of confidential information or intellectual property, systems access, etc. Also included in this area is the ability to do GRC data analytics, monitoring, and mining.
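The rule-based testing of transactions that the Automated Control Enforcement & Monitoring description above refers to, shown as a small worked example. This is added illustration code, not code from the GRC 20/20 deck or from any vendor product: the rule identifiers (SOD-01, LIM-01, VEN-01, DUP-01), the single-approver limit, the vendor master list and the payment records are all constructed for the example. It covers four of the segment types listed on the slide (segregation of duty, transaction, master data and authorization controls) and returns findings rather than printing them, so the same engine could feed an issue management workflow.

```python
"""Minimal continuous control monitoring (CCM) rule engine.

Added example, not code from the GRC 20/20 deck or any vendor product:
it tests a batch of payment records against a few defined control rules
and returns findings for exceptions. The records, rule identifiers,
vendor list and approval limit below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Payment:
    """One payment as it might be exported from an ERP (constructed sample)."""
    tx_id: str
    amount: float
    created_by: str
    approvers: Tuple[str, ...]
    vendor_id: str


@dataclass(frozen=True)
class Finding:
    rule: str      # hypothetical rule identifier
    tx_id: str
    detail: str


SINGLE_APPROVER_LIMIT = 10_000.0               # hypothetical policy threshold
KNOWN_VENDORS = {"V-100", "V-200", "V-300"}    # constructed vendor master

# A rule sees one transaction plus batch-level context and returns at most
# one finding. Keeping rules as pure functions makes them easy to test.
Rule = Callable[[Payment, dict], Optional[Finding]]


def segregation_of_duties(p: Payment, _ctx: dict) -> Optional[Finding]:
    """SoD control: whoever created a payment must not also approve it."""
    if p.created_by in p.approvers:
        return Finding("SOD-01", p.tx_id,
                       f"{p.created_by} both created and approved the payment")
    return None


def dual_approval_above_limit(p: Payment, _ctx: dict) -> Optional[Finding]:
    """Authorization control: large payments require two distinct approvers."""
    if p.amount > SINGLE_APPROVER_LIMIT and len(set(p.approvers)) < 2:
        return Finding("LIM-01", p.tx_id,
                       f"amount {p.amount:.2f} exceeds limit with one approver")
    return None


def vendor_in_master_data(p: Payment, _ctx: dict) -> Optional[Finding]:
    """Master data control: payments only to vendors in the approved master."""
    if p.vendor_id not in KNOWN_VENDORS:
        return Finding("VEN-01", p.tx_id, f"vendor {p.vendor_id} not in master")
    return None


def duplicate_payment(p: Payment, ctx: dict) -> Optional[Finding]:
    """Transaction control: same vendor and amount seen more than once in batch."""
    if ctx["pair_counts"][(p.vendor_id, p.amount)] > 1:
        return Finding("DUP-01", p.tx_id,
                       f"possible duplicate of {p.amount:.2f} to {p.vendor_id}")
    return None


DEFAULT_RULES: List[Rule] = [segregation_of_duties, dual_approval_above_limit,
                             vendor_in_master_data, duplicate_payment]


def run_rules(payments: Iterable[Payment], rules: List[Rule]) -> List[Finding]:
    """Evaluate every rule against every payment; return all exceptions."""
    batch = list(payments)
    # Batch-level context is computed once, so each rule stays O(1) per record.
    ctx = {"pair_counts": Counter((p.vendor_id, p.amount) for p in batch)}
    findings: List[Finding] = []
    for p in batch:
        for rule in rules:
            hit = rule(p, ctx)
            if hit is not None:
                findings.append(hit)
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per rule, the figure a control dashboard would report."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample batch: one clean payment and four control exceptions.
SAMPLE_PAYMENTS = [
    Payment("P1", 2_500.0, "alice", ("bob",), "V-100"),
    Payment("P2", 4_800.0, "carol", ("carol",), "V-200"),       # SoD breach
    Payment("P3", 25_000.0, "alice", ("bob",), "V-300"),        # needs 2nd approver
    Payment("P4", 1_200.0, "dave", ("erin",), "V-999"),         # unknown vendor
    Payment("P5", 2_500.0, "frank", ("bob",), "V-100"),         # duplicate of P1
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_PAYMENTS, DEFAULT_RULES):
        print(f"{f.rule} {f.tx_id}: {f.detail}")
    print(summarize(run_rules(SAMPLE_PAYMENTS, DEFAULT_RULES)))
```

Running the sample batch yields five findings: one each for SOD-01, LIM-01 and VEN-01, and two for DUP-01 (both halves of the duplicate pair are reported so that either can be investigated). In a real deployment the rules would be pointed at a periodic export or a change feed from the ERP, and the findings routed into the issue reporting process the deck describes later.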
Automated Control Monitoring & Enforcement Spending
Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?
Across All Organizations (Don’t Knows filtered out): 48% Spending More; 46% Same; 6% Spending Less; 3% Unsure
Small Organizations: 39% Spending More; 57% Same; 4% Spending Less
Medium Organizations: 44% Spending More; 53% Same; 3% Spending Less
Large Organizations: 58% Spending More; 33% Same; 9% Spending Less
290 respondents from organizations using or considering GRC solutions/technology
GRC Technology Market: Business Continuity Management
Segments:
– Continuity Planning & Management Platforms
– Crisis Response Solutions
– Disaster Recovery Solutions
– Miscellaneous Business Continuity Tools
Business Continuity technologies model, record, and direct the responsibilities, plans, actions, and execution of continuity and disaster plans, testing of operating procedures, alternatives, information back-ups, and data recovery and restoration processes during expected and unexpected disruptions to all areas of operation.
Business Continuity Management Spending
Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?
Across All Organizations (Don’t Knows filtered out): 45% Spending More; 48% Same; 7% Spending Less; 3% Unsure
Small Organizations: 42% Spending More; 52% Same; 6% Spending Less
Medium Organizations: 41% Spending More; 56% Same; 3% Spending Less
Large Organizations: 53% Spending More; 35% Same; 12% Spending Less
290 respondents from organizations using or considering GRC solutions/technology
GRC Technology Market: Compliance Management
Segments:
– Compliance Management Platforms
– Compliance Assessment Solutions
– Stakeholder & Regulatory Interaction Solutions
– Compliance Forms, Reporting & Filing Solutions
– Social Responsibility & Reporting Solutions
– Regulatory Change Management Solutions
– Miscellaneous Compliance Tools
Compliance Management technologies support the overall coordination of legal, regulatory, contractual, values, ethics, and corporate obligations and responsibilities with associated compliance documentation, assessments, tasks, and records. This includes the ability to monitor, document, and manage changes to the regulatory environment and other obligations; to document all obligations of the organization; to perform compliance assessments against obligations; to manage regulator and stakeholder interactions on compliance; and to report on the state of compliance to regulators and stakeholders.
Compliance Management
Solution Area Definition
Compliance Management solutions provide the capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report. This enables organizations to manage:
– The compliance management process of projects, staff, resources, projects/assessments, compliance risk, and reporting, as well as related compliance forms & workflow.
– Obligation management to document compliance obligations (e.g., regulations, contracts, values) and manage change to obligations and their impact on the organization.
– Assessing, documenting, and reporting on compliance through compliance assessments and reporting.
– Providing a defensible record of compliance of who did what, when, how, and why at any given point in time.
– Integration with policy and issue management, as these are core areas of a compliance program.
Critical Capabilities
– Manage overall compliance management program planning, staff, projects/assessments, and activities
– Maintain a register of all compliance obligations that is mapped to policies, risks, controls, and subject matter experts
– Manage change to obligations as regulations, enforcement actions, standards, and related sources change
– Provide for assessments and evidence of compliance
– Model and manage compliance risk
– Have a defensible audit trail of compliance to demonstrate an effective compliance program
– Compliance attestations and regulatory reporting
– Document regulatory and stakeholder interactions
– Manage and process compliance-related forms
– Provide regulatory intelligence feeds
– Remediate issues of non-compliance
– Manage compliance exceptions and exemptions
Compliance Management Spending
Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?
Across All Organizations (Don’t Knows filtered out): 56% Spending More; 36% Same; 7% Spending Less; 3% Unsure
Small Organizations: 54% Spending More; 41% Same; 5% Spending Less
Medium Organizations: 51% Spending More; 44% Same; 5% Spending Less
Large Organizations: 64% Spending More; 25% Same; 11% Spending Less
290 respondents from organizations using or considering GRC solutions/technology
Market Maturity: Compliance & Ethics Management
Stage:        New        | Growth         | Maturity | Saturation    | Decline or Renewed Growth
Audience:     Innovators | Early Adopters | Majority | Late Majority | Reinvent/Laggard
Market:       Small      | Expanding      | High     | Peaked        | Renew/Decline
Price:        Very High  | High           | High     | Medium        | Rising/Low
Sales:        Low        | Expanding      | High     | Flattening    | Strong/Moderate
Competition:  Low        | Increasing     | Moderate | High          | Varies
(Revenue curve over these stages, with Compliance Management plotted on it)
Market Size & Growth: Compliance & Ethics Management
– Theoretical Addressable Market: $4000MM – total addressable market size if every organization purchased a solution.
– Saturated Market Size: $2000MM – point where the market slows to below 10% annual growth.
– 2016 Estimated Market Size: $535MM – calculation of known and estimated revenues in the current year with trajectory projected to end of year.
– 2015 Market Size: $435MM – calculation of known and estimated revenues of solutions in this market segment for 2015.
NOTES:
– Compliance & Ethics Management is a concern across industries, and has a good-size market projection as a result.
– The Compliance & Ethics Management market is just starting to move beyond spreadsheets, documents, and emails and is in a strong growth phase for technology.
Year   2014    2015    2016    2017    2018
Size   $365MM  $435MM  $535MM  $658MM  $809MM
CAGR           19%     23%     23%     23%
GRC Technology Market: Environmental Management
Segments:
– Environmental Management Platforms
– Air, Water, Waste Management Solutions
– Energy & Carbon Management Solutions
– Land Use & Permit Solutions
– Sustainability & Environmental Reporting Solutions
– Chemical Management Solutions
– Miscellaneous Environmental Tools
Environmental Management technologies help monitor, analyze, record, and report organizational activity focused on compliance with environmental laws and regulations and related corporate policy for managing environmental controls and conditions, and on assessing the environmental impact of the corporation’s operations, strategies, and plans.
Environmental Management Spending
Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?
Across All Organizations (Don’t Knows filtered out): 31% Spending More; 62% Same; 7% Spending Less; 3% Unsure
Small Organizations: 23% Spending More; 73% Same; 4% Spending Less
Medium Organizations: 30% Spending More; 67% Same; 3% Spending Less
Large Organizations: 43% Spending More; 43% Same; 14% Spending Less
290 respondents from organizations using or considering GRC solutions/technology
GRC Technology Market: Health & Safety
Segments:
– Health & Safety Management Platforms
– Health & Safety Forms & Document Solutions
– Occupational Safety Solutions
– Health & Safety Incident Solutions
– Hazard Analysis Solutions
– Chemical Management & Labeling Solutions
– Miscellaneous Health & Safety Tools
Health & Safety technologies manage the regulatory and policy-based guidelines and processes for protecting and reporting on the workforce, workplace, resources under management, and external environment impacted by an organization’s activities.
Health & Safety Management Spending
Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?
Across All Organizations (Don’t Knows filtered out): 37% Spending More; 51% Same; 12% Spending Less; 3% Unsure
Small Organizations: 33% Spending More; 50% Same; 17% Spending Less
Medium Organizations: 32% Spending More; 57% Same; 11% Spending Less
Large Organizations: 45% Spending More; 45% Same; 10% Spending Less
290 respondents from organizations using or considering GRC solutions/technology
EH&S Management
Solution Area Definition
EH&S technologies manage the regulatory and policy-based guidelines and processes for protecting and reporting on the workforce, workplace, resources under management, and the external environment impacted by an organization’s activities. This enables organizations to manage:
– The EH&S management process of projects, staff, resources, projects/assessments, compliance risk, and reporting, as well as related compliance forms & workflow.
– Obligation management to document EH&S compliance obligations (e.g., regulations, contracts, values) and manage change to obligations and their impact on the organization.
– Assessing, documenting, and reporting on EH&S through compliance assessments and reporting.
– Providing a defensible record of EH&S compliance of who did what, when, how, and why at any given point in time.
– Documenting issues and managing them through to resolution.
Critical Capabilities
– Manage overall EH&S management program planning, staff, projects/assessments, and activities
– Maintain a register of all EH&S compliance obligations that is mapped to policies, risks, controls, and subject matter experts
– Manage change to obligations as regulations, enforcement actions, standards, and related sources change
– Provide for assessments and evidence of EH&S compliance
– Model and manage EH&S risk
– Have a defensible audit trail of EH&S compliance to demonstrate an effective program
– Track EH&S compliance attestations and regulatory reporting
– Document regulatory and stakeholder interactions
– Manage and process EH&S-related forms
– Provide regulatory intelligence feeds
– Report & remediate EH&S issues
– Manage exceptions and exemptions
Market Maturity: Environmental, Health & Safety Management
Stage:        New        | Growth         | Maturity | Saturation    | Decline or Renewed Growth
Audience:     Innovators | Early Adopters | Majority | Late Majority | Reinvent/Laggard
Market:       Small      | Expanding      | High     | Peaked        | Renew/Decline
Price:        Very High  | High           | High     | Medium        | Rising/Low
Sales:        Low        | Expanding      | High     | Flattening    | Strong/Moderate
Competition:  Low        | Increasing     | Moderate | High          | Varies
(Revenue curve over these stages, with EH&S Management plotted on it)
Market Size & Growth: Environmental, Health & Safety Management
– Theoretical Addressable Market: $3,350MM – total addressable market size if every organization purchased a solution.
– Saturated Market Size: $1,500MM – point where the market slows to below 10% annual growth.
– 2016 Estimated Market Size: $861MM – calculation of known and estimated revenues in the current year with trajectory projected to end of year.
– 2015 Market Size: $768MM – calculation of known and estimated revenues of solutions in this market segment for 2015.
NOTES:
– EH&S is a more established segment than others.
– EH&S is not as much of a concern in every industry, which lowers the total addressable market size when compared to Compliance & Ethics Management.
– Verdantix reports a 2016 market size of $932MM; the difference from GRC 20/20’s sizing is that Verdantix allocates all software revenues of players in EH&S to EH&S, while GRC 20/20 splits these revenues across some other segments.
– There will be market share consolidation as this market continues the M&A activity we have seen for the past several years.
Year   2014    2015    2016    2017    2018
Size   $686MM  $768MM  $861MM  $964MM  $1,079MM
CAGR           12%     12%     12%     12%
GRC Technology Market: Internal Control Management
Segments:
– Internal Control Management Platforms
– Financial Close & Reporting Solutions
– Internal Control Reporting Solutions
– Miscellaneous Internal Control Tools
Internal Control Management technologies provide the ability to define, document, map, monitor, test, assess, and report on controls within the organization, including process and systems documentation. These solutions document internal controls, provide control assessments/self-assessments, and manage this through workflow, tasks, and reporting.
Internal Control Management Spending
Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?
Across All Organizations (Don’t Knows filtered out): 45% Spending More; 49% Same; 6% Spending Less; 3% Unsure
Small Organizations: 40% Spending More; 53% Same; 7% Spending Less
Medium Organizations: 44% Spending More; 51% Same; 5% Spending Less
Large Organizations: 51% Spending More; 41% Same; 8% Spending Less
290 respondents from organizations using or considering GRC solutions/technology
Enterprise GRC Core: Internal Control Management
Solution Area Definition
Internal Control Management solutions provide the capability to manage, define, document, map, monitor, test, assess, and report on the internal controls of the organization. This enables organizations to manage:
– The internal control program of staff, projects, resources, assessments, and reporting
– A central register of internal controls in which controls are mapped to risks and obligations, so a single control can be implemented to address similar requirements
– Control assessments to query areas of the organization on control effectiveness and attestations
– Automated controls established for continuous detective and preventive controls
– Exceptions, exemptions, and corrective controls, so documentation is in place and does not get missed
– The remediation process related to weak or missing controls
Critical Capabilities
– Central control register that can be mapped to objectives, risks, policies, issues, obligations, and organization hierarchy
– Survey and assessment capability to query the state of controls across the organization and record attestations
– Exception and exemption process to document controls and manage the process
– Business process modeling and documentation to visually lay out business processes with identified controls in the process
– Reporting on controls, including deficiencies and weaknesses
– Document control testing and findings
– Support or integrate with automated control solutions
– Remediation management to address control issues
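Both the Compliance Management slide (a register of obligations mapped to policies, risks and controls) and the Internal Control Management slide above (a central control register in which one control can satisfy several obligations) describe the same data structure from two sides. The following is an added example of that register and the two gap checks a control owner would run against it; it is not code from the GRC 20/20 deck or from any GRC product. The obligation, risk and control identifiers (OBL-*, RSK-*, CTL-*), the owners, the test dates and results, the one-year test-age policy and the October 2016 reporting date are all constructed assumptions.

```python
"""Control register with many-to-many links to obligations and risks.

Added example, not code from the GRC 20/20 deck or any GRC product. It
shows how a central control register lets one control satisfy several
obligations, and how to find obligations that have no control at all or
only controls that are deficient, untested or stale. All identifiers,
dates, owners and test results are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

# Hypothetical reporting date (the deck is dated October 2016).
AS_OF = date(2016, 10, 1)


@dataclass(frozen=True)
class Control:
    """One row of the central control register (constructed sample data)."""
    control_id: str
    description: str
    obligations: frozenset          # obligation ids the control satisfies
    risks: frozenset                # risk ids the control mitigates
    owner: str
    last_test: date                 # date of the most recent test/assessment
    last_result: str                # "effective", "deficient" or "not tested"


class ControlRegister:
    """Central control register with many-to-many links to obligations and risks."""

    def __init__(self) -> None:
        self._controls: Dict[str, Control] = {}

    def add(self, control: Control) -> None:
        self._controls[control.control_id] = control

    def controls_for_obligation(self, obligation_id: str) -> List[str]:
        """All controls mapped to one obligation, sorted for stable output."""
        return sorted(c.control_id for c in self._controls.values()
                      if obligation_id in c.obligations)

    def uncovered_obligations(self, all_obligations: Set[str]) -> Set[str]:
        """Obligations in scope that no control maps to at all."""
        covered: Set[str] = set()
        for c in self._controls.values():
            covered |= c.obligations
        return set(all_obligations) - covered

    def weakly_covered(self, all_obligations: Set[str], as_of: date,
                       max_age_days: int = 365) -> Dict[str, List[str]]:
        """Obligations whose every mapped control is deficient, untested or stale.

        A control gives assurance only if its last test was 'effective' and
        is no older than max_age_days (hypothetical testing policy)."""
        weak: Dict[str, List[str]] = {}
        for ob in sorted(all_obligations):
            ctls = [self._controls[cid] for cid in self.controls_for_obligation(ob)]
            if not ctls:
                continue  # reported by uncovered_obligations() instead
            assured = [c for c in ctls
                       if c.last_result == "effective"
                       and (as_of - c.last_test).days <= max_age_days]
            if not assured:
                weak[ob] = [c.control_id for c in ctls]
        return weak


def build_sample_register() -> Tuple[ControlRegister, Set[str]]:
    """Constructed register: three controls against five obligations."""
    reg = ControlRegister()
    reg.add(Control("CTL-01", "Multi-factor authentication for privileged access",
                    frozenset({"OBL-2", "OBL-3"}), frozenset({"RSK-1"}),
                    "IT Security", date(2016, 9, 1), "effective"))
    reg.add(Control("CTL-02", "Quarterly user access review",
                    frozenset({"OBL-2", "OBL-4"}), frozenset({"RSK-1", "RSK-2"}),
                    "IT Security", date(2016, 8, 15), "deficient"))
    reg.add(Control("CTL-03", "Change approval before production deployment",
                    frozenset({"OBL-1"}), frozenset({"RSK-3"}),
                    "IT Operations", date(2015, 6, 1), "effective"))
    obligations = {"OBL-1", "OBL-2", "OBL-3", "OBL-4", "OBL-5"}
    return reg, obligations


if __name__ == "__main__":
    reg, obligations = build_sample_register()
    print("controls for OBL-2:", reg.controls_for_obligation("OBL-2"))
    print("uncovered:", reg.uncovered_obligations(obligations))
    print("weakly covered:", reg.weakly_covered(obligations, AS_OF))
```

On the sample data, CTL-01 covers two obligations with one control (the point of a central register), OBL-5 has no control mapped to it, and OBL-1 and OBL-4 are covered only by a stale or deficient control, which is what the slide's remediation and exception processes exist to pick up.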
GRC Technology Market: IT GRC Management
Segments:
– IT GRC Platforms
– Asset Discovery & Management Solutions
– Vulnerability & Threat Management Solutions
– IT Project, Change & Service Delivery Solutions
– IT Incident & Event Management Solutions
– Security Event & Information Mgmt Solutions
– IT Security Solutions
– Miscellaneous IT GRC Tools
IT GRC Management technologies are used to govern and direct information and technology (IT) strategies in the context of the business. The governance function of IT is the alignment, strategy, and direction of IT to support the business. A core component of IT GRC solutions is the ability to manage and monitor security, risk, and compliance across IT systems throughout the organization and across significant business relationships.
IT GRC Management Spending
Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?
Across All Organizations (Don’t Knows filtered out): 56% Spending More; 39% Same; 5% Spending Less; 3% Unsure
Small Organizations: 50% Spending More; 43% Same; 7% Spending Less
Medium Organizations: 57% Spending More; 38% Same; 5% Spending Less
Large Organizations: 59% Spending More; 36% Same; 5% Spending Less
290 respondents from organizations using or considering GRC solutions/technology
GRC Technology Market: Issue Reporting & Management
Segments:
– Incident/Investigations Management Platforms
– Hotline & Issue Intake Solutions
– Complaint Management Solutions
– Corrective Action/Preventive Action Solutions
– Forensics & Evidence Collection Solutions
– Impact & Loss Analysis Solutions
– Miscellaneous Issue Reporting & Mgmt Tools
Issue Reporting & Management technologies provide issue intake and investigations management. Issue reporting solutions (e.g. hotline, whistleblower) provide a confidential, independent resource for individuals to report observations related to issues as well as potential acts of fraud, theft, inappropriate or illegal behavior, negligence, or other impropriety. Investigations management solutions are used to manage investigations, issues, incidents, events, or cases: they specifically provide consistent documentation and processes for the management of events, from reporting, to managing and documenting the investigation, to recording the loss and business impact.
Enterprise GRC Core: Issue Reporting & Management
Solution Area Definition
Issue Reporting & Management solutions provide the capability to notify on issues and incidents and to manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases. These solutions enable companies to manage:
– Issue management and resolution processes across the organization (e.g., legal, compliance, HR, security, health & safety, quality), from intake through investigation and resolution.
– Issue intake and consolidation through hotlines, management reporting, surveys, and other notification pathways.
– Issue history to collect incidents over time, with the details and analysis of business impact feeding into risk models.
– Investigation management to manage the lifecycle and process of incidents, investigations, and processes.
– Incident analysis for root cause and CAPA.
Critical Capabilities
– Map issues to risks, policies, objectives, obligations, and controls to show relationships and impact of issues
– Provide issue intake (anonymous and non-anonymous) as well as a portal to collect issues reported to management
– Structured and legally defensible investigation process and documentation
– Issue escalation when an investigation grows beyond what was originally thought
– Manage investigative resources, skills, and utilization
– Collect a detailed history of issues, particularly frequency and impact
– Conduct remediation and CAPA in the context of issues and findings
– Loss analytics and root cause analysis
– Variety of templates and interfaces for managing different types of issues
Issue Reporting & Management Spending
Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?
Across All Organizations (Don’t Knows filtered out): 47% Spending More; 47% Same; 6% Spending Less; 3% Unsure
Small Organizations: 48% Spending More; 45% Same; 7% Spending Less
Medium Organizations: 44% Spending More; 49% Same; 6% Spending Less
Large Organizations: 48% Spending More; 45% Same; 7% Spending Less
290 respondents from organizations using or considering GRC solutions/technology
Market Maturity: Issue Reporting & Management
Stage:        New        | Growth         | Maturity | Saturation    | Decline or Renewed Growth
Audience:     Innovators | Early Adopters | Majority | Late Majority | Reinvent/Laggard
Market:       Small      | Expanding      | High     | Peaked        | Renew/Decline
Price:        Very High  | High           | High     | Medium        | Rising/Low
Sales:        Low        | Expanding      | High     | Flattening    | Strong/Moderate
Competition:  Low        | Increasing     | Moderate | High          | Varies
(Revenue curve over these stages, with Issue Management plotted on it)
Market Size & Growth: Issue Reporting & Management
– Theoretical Addressable Market: $20,000MM – total addressable market size if every organization purchased a solution.
– Saturated Market Size: $2,000MM – point where the market slows to below 10% annual growth.
– 2016 Estimated Market Size: $342MM – calculation of known and estimated revenues in the current year with trajectory projected to end of year.
– 2015 Market Size: $305MM – calculation of known and estimated revenues of solutions in this market segment for 2015.
Year   2014    2015    2016    2017    2018
Size   $274MM  $305MM  $342MM  $383MM  $429MM
CAGR           12%     12%     12%     12%
GRC Technology Market: Legal Management
Legal Management technologies administer the collection of facts related to events and legal cases under investigation, for use in verifying their circumstances, in order to provide valid information for testing by independent parties with the confidence that the information provided is related to these events. Discovery tools assist in managing and communicating discovery holds and uncovering, segmenting, organizing and storing electronic forms of evidence that can be used in an investigation, both before and after the occurrence of the related events, including tools that separate potential discovery documents from their original locations and repositories. This category of technology also includes systems for retention management that integrate with content/document systems to manage the storage, disposition, and retention of information.
Solution categories in this segment:
§ Legal Management Platforms
§ Legal Spend Management Solutions
§ Matter Management Solutions
§ Discovery / eDiscovery Solutions
§ Claims Defense & Legal Discovery Solutions
§ Contract Management Solutions
§ Board & Entity Management Solutions
§ Intellectual Property Management Solutions
§ Legal Research & Analytic Solutions
§ Miscellaneous Legal Management Tools
Legal Management Spending
Survey question: Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years? (290 respondents from organizations using or considering GRC solutions/technology; "don't know" responses filtered out)
Across All Organizations
§ 31% Spending More
§ 62% Same
§ 7% Spending Less
§ 3% Unsure
Small Organizations
§ 16% Spending More
§ 76% Same
§ 8% Spending Less
Medium Organizations
§ 30% Spending More
§ 67% Same
§ 3% Spending Less
Large Organizations
§ 48% Spending More
§ 39% Same
§ 13% Spending Less
GRC Technology Market: Physical Security Management
Physical Security Management technologies enhance physical asset and individual protection, and the authorization and monitoring of access to an organization's facilities and property. This category of technology also includes systems to manage physical loss and theft.
Solution categories in this segment:
§ Physical Security Management Platforms
§ Physical Asset Management Solutions
§ Physical Loss Management Solutions
§ Surveillance & Monitoring Solutions
§ Miscellaneous Physical Security Tools
Physical Security Management Spending
Survey question: Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years? (290 respondents from organizations using or considering GRC solutions/technology; "don't know" responses filtered out)
Across All Organizations
§ 34% Spending More
§ 58% Same
§ 8% Spending Less
§ 3% Unsure
Small Organizations
§ 25% Spending More
§ 68% Same
§ 7% Spending Less
Medium Organizations
§ 39% Spending More
§ 58% Same
§ 3% Spending Less
Large Organizations
§ 40% Spending More
§ 45% Same
§ 15% Spending Less
GRC Technology Market: Policy & Training Management
Policy & Training Management technologies manage the development, approval, distribution, communication, forms, maintenance, and records of organization policies, standards, procedures, guidelines and related training and communication awareness activities. This includes solutions used to train employees and extended business relationships on policy and risk areas. Elements of gamification, eLearning, learning management, and document/content management are part of this segment from a GRC perspective. Forms and disclosure management solutions (e.g., conflict of interest, gifts & entertainment/hospitality) are included in this segment as they relate to and support organization policies.
Solution categories in this segment:
§ Policy & Training Management Platforms
§ Policy Management Solutions
§ Policy Forms & Disclosure Solutions
§ Training Management Solutions
§ Training & Gamification Solutions
§ Miscellaneous Policy & Training Mgmt Tools
Policy Management: Critical Capabilities
Solution Area Definition
Policy management solutions provide the capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures and related awareness activities. This enables organizations to manage:
§ Policy management process of development, approval, communication, monitoring, and maintenance. This includes workflow, task management, and content management capabilities with version control.
§ Policy portal for individuals to access policies relevant to their role and responsibilities, access related resources and forms, and complete tasks related to policies and training.
§ Policy evidence to provide a system of record and audit trail of all interactions, development, approvals, communications, training, exceptions, and exemptions related to policies.
Critical Capabilities
§ Manage policy lifecycle from development through maintenance and policy retirement
§ Workflow, task management, and content management
§ Integration with HR systems and business systems to identify change where policies/training need to be communicated
§ Policy portal for individuals to access policies, training, forms, and related tasks
§ Forms development and management for forms related to policies
§ Editing capabilities and version control of policy content
§ Ability to map policies to other GRC content and records
§ Regulatory change management to keep policies current
§ Exception/exemption management of policies
§ Integration of training and LMS capabilities
§ Audit trail of evidence of all policy interactions
§ Mobility capabilities
Policy & Training Management Spending
Survey question: Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years? (290 respondents from organizations using or considering GRC solutions/technology; "don't know" responses filtered out)
Across All Organizations
§ 49% Spending More
§ 45% Same
§ 6% Spending Less
§ 3% Unsure
Small Organizations
§ 45% Spending More
§ 45% Same
§ 10% Spending Less
Medium Organizations
§ 49% Spending More
§ 49% Same
§ 2% Spending Less
Large Organizations
§ 52% Spending More
§ 39% Same
§ 9% Spending Less
Market Maturity: Policy & Training Management
Stage (revenue over time): New | Growth | Maturity | Saturation | Decline or Renewed Growth
Audience: Innovators | Early Adopters | Majority | Late Majority | Reinvent/Laggard
Market: Small | Expanding | High | Peaked | Renew/Decline
Price: Very High | High | High | Medium | Rising/Low
Sales: Low | Expanding | High | Flattening | Strong/Moderate
Competition: Low | Increasing | Moderate | High | Varies
[Chart: revenue curve across the stages above, with the Policy Management segment marked on it]
Market Size & Growth: Policy & Training Management
Theoretical Addressable Market: $20,000MM (total addressable market size if every organization purchased a solution)
Saturated Market Size: $2,000MM (point where the market slows to below 10% annual growth)
2016 Estimated Market Size: $390MM (calculation of known and estimated revenues in the current year, with trajectory projected to end of year)
2015 Market Size: $305MM (calculation of known and estimated revenues of solutions in this market segment for 2015)
Year: 2014 | 2015 | 2016 | 2017 | 2018
Size: $226MM | $305MM | $390MM | $500MM | $630MM
Annual growth (CAGR): 26% (2015) | 28% (2016) | 28% (2017) | 26% (2018)
GRC Technology Market: Quality Management
Quality Management technologies record, benchmark, track and manage activity related to product and service quality assessments and certifications, production failures, product recalls, design and delivery improvements and their related regulatory guidelines.
Solution categories in this segment:
§ Quality Management Platforms
§ Non-Conformance & Variance Solutions
§ Product Regulation & Labeling Solutions
§ Equipment Management Solutions
§ Corrective Action/Preventive Action Solutions
§ Miscellaneous Quality Management Tools
Quality Management Spending
Survey question: Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years? (290 respondents from organizations using or considering GRC solutions/technology; "don't know" responses filtered out)
Across All Organizations
§ 44% Spending More
§ 52% Same
§ 4% Spending Less
§ 3% Unsure
Small Organizations
§ 44% Spending More
§ 50% Same
§ 6% Spending Less
Medium Organizations
§ 31% Spending More
§ 66% Same
§ 3% Spending Less
Large Organizations
§ 58% Spending More
§ 38% Same
§ 4% Spending Less
Market Maturity: Quality Management
Stage (revenue over time): New | Growth | Maturity | Saturation | Decline or Renewed Growth
Audience: Innovators | Early Adopters | Majority | Late Majority | Reinvent/Laggard
Market: Small | Expanding | High | Peaked | Renew/Decline
Price: Very High | High | High | Medium | Rising/Low
Sales: Low | Expanding | High | Flattening | Strong/Moderate
Competition: Low | Increasing | Moderate | High | Varies
[Chart: revenue curve across the stages above, with the Quality Management segment marked on it]
Market Size & Growth: Quality Management
Theoretical Addressable Market: $3,100MM (total addressable market size if every organization purchased a solution)
Saturated Market Size: $1,300MM (point where the market slows to below 10% annual growth)
2016 Estimated Market Size: $982MM (calculation of known and estimated revenues in the current year, with trajectory projected to end of year)
2015 Market Size: $885MM (calculation of known and estimated revenues of solutions in this market segment for 2015)
NOTES:
§ Quality Management is a more established segment than others
§ Quality Management is not as much of a concern in every industry, so it lowers total addressable market size when compared to Compliance & Ethics Management
§ There will be market share consolidation as this market continues M&A activity as we have seen for the past several years
§ The regulatory impact driving greater adoption is not as strong as in other areas such as corporate compliance, EH&S, policy management, and third party management
Year: 2014 | 2015 | 2016 | 2017 | 2018
Size: $812MM | $885MM | $982MM | $1,090MM | $1,210MM
Annual growth (CAGR): 11% (2015) | 11% (2016) | 11% (2017) | 10% (2018)
GRC Technology Market: Risk Management
Risk Management technologies support the identification, assessment, evaluation and response, and monitoring of risks and opportunities of risk across the organization. This includes the ability to monitor changes in the external and internal contexts to alert an organization to changing risk conditions (e.g., geo-political, economic, competitor, technology, and natural disaster) that can impact business. These systems help identify specific causes and execute historical review, simulation, interpretation and projection of impacts on an organization's operations or assets given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously. This category includes enterprise risk management systems, operational risk management systems, as well as specialized risk applications.
Finance/Treasury Risk Management involves an array of applications and systems used to identify and manage the risk factors, causes and response procedures in an organization's financial and treasury management. These include risk technology focused on specific areas such as liquidity, credit, market, and commodity risk management that help identify risk and execute historical review, simulation, interpretation and projection of impacts on an organization's financial assets given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously.
Solution categories in this segment:
§ Enterprise & Operational Risk Mgmt Platforms
§ Finance & Treasury Risk Management Solutions
§ Risk Assessment Solutions
§ Insurance Risk & Claims Management Solutions
§ Risk Analytics & Modeling Solutions
§ Model Risk Management Solutions
§ Project Risk Management Solutions
§ Loss Collection & Analytic Solutions
§ Miscellaneous Risk Management Tools
Enterprise GRC Core: Risk Management
Solution Area Definition
Risk Management solutions provide the capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects. This enables organizations to manage:
§ Risk management process of risk identification, assessment, quantification, treatment and monitoring activities in context of objectives, including the overall management of the continual, cyclic, as well as dynamic processes of risk assessment, analysis, decision making, and response (e.g., acceptance, mitigation, transfer, avoidance).
§ Risk monitoring on changes in external and internal contexts to alert the organization to conditions that can impact objectives.
§ Risk evaluation to identify specific causes and evaluate historical review, simulation, interpretation and projection of impacts on objectives and assets.
Critical Capabilities
§ Manage overall risk management program planning, staff, projects/assessments, and activities
§ Support for multiple risk management frameworks, methodologies, and analysis techniques
§ Set and map objectives and context (e.g., internal, external) of risk
§ Enable the organization to identify, categorize, map, and show risk relationships in registers
§ Enable the organization to gather information and assessment of risks in a variety of approaches
§ Analyze risk from different perspectives and implement risk treatment
§ Provide monitoring and reporting on risk, including risk normalization and aggregation for enterprise reporting
§ Ability to analyze scenarios and evaluate risk losses and events, and revise risk models as necessary
§ Dashboarding and metrics (e.g., KRIs) on risk
Risk Management & Analytics Spending
Survey question: Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years? (290 respondents from organizations using or considering GRC solutions/technology; "don't know" responses filtered out)
Across All Organizations
§ 63% Spending More
§ 31% Same
§ 6% Spending Less
§ 3% Unsure
Small Organizations
§ 62% Spending More
§ 32% Same
§ 6% Spending Less
Medium Organizations
§ 68% Spending More
§ 30% Same
§ 2% Spending Less
Large Organizations
§ 58% Spending More
§ 33% Same
§ 9% Spending Less
GRC Technology Market: Strategy, Performance & Process Management
Strategy, Performance & Process Management technologies include solutions for identifying and managing corporate strategies, goals, and objectives and cascading them through the organization; optimizing operational and financial performance against those objectives; and providing valuable information for decision-making and reporting purposes.
Solution categories in this segment:
§ Strategy, Performance & Process Platforms
§ Enterprise Architect & Process Modeling Solutions
§ Performance & Objective Management Solutions
§ Enterprise Asset Management Solutions
§ Enterprise Change Management Solutions
§ Enterprise Intelligence & Analytic Solutions
§ Miscellaneous Strategy & Process Mgmt Tools
Strategy & Performance Management Spending
Survey question: Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years? (290 respondents from organizations using or considering GRC solutions/technology; "don't know" responses filtered out)
Across All Organizations
§ 47% Spending More
§ 44% Same
§ 9% Spending Less
§ 3% Unsure
Small Organizations
§ 56% Spending More
§ 33% Same
§ 11% Spending Less
Medium Organizations
§ 51% Spending More
§ 42% Same
§ 7% Spending Less
Large Organizations
§ 29% Spending More
§ 58% Same
§ 13% Spending Less
GRC Technology Market: Third Party Management
Third Party Management technologies provide organizations the ability to govern third party relationships (e.g., vendor, supplier, contractor, consultant, service provider, outsourcers, agent) and the lifecycle of onboarding, contracts, due diligence screening, performance monitoring, risk management, compliance management, quality and service level management, and off-boarding. The third party GRC specific solutions record and maintain the communication, attestation, and assessment of policies, contractual compliance, risk and compliance assessments, and audits across extended business relationships. Third party screening solutions are used to vet third parties and validate them against databases such as politically exposed persons, watch lists, social accountability, and more.
Solution categories in this segment:
§ Third Party Management Platforms
§ Procurement & ERP Third Party Solutions
§ Third Party Risk Management Solutions
§ Screening & Due Diligence Solutions
§ Miscellaneous Third Party Management Tools
3rd Party Management: Critical Capabilities
Solution Area Definition
3rd Party Management solutions provide capabilities to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly the risk and compliance challenges these relationships bring. This enables organizations to manage:
§ 3rd party management process of onboarding, approval, due diligence, communications, assessment, evaluation, issue management, and off-boarding. This includes workflow, task management, and content management capabilities.
§ 3rd party portal for 3rd parties to submit and share information, take assessments, provide attestations, and complete other related requests, forms, and tasks.
§ 3rd party evidence to provide a system of record and audit trail of all interactions, assessments, and audits/inspections with 3rd parties.
Critical Capabilities
§ Onboarding process to register suppliers and have them submit necessary documentation
§ Due diligence process during onboarding and periodically or continually thereafter
§ Risk assessment and analysis of 3rd party relationships
§ Policy communication & attestation to 3rd parties
§ Training & awareness of 3rd parties
§ Compliance assessment and analysis of 3rd party relationships
§ Issue management through issue reporting/identification, response/investigation, and resolution
§ Forms & disclosure management for 3rd parties to fill out forms and submit information
§ Audit & inspection management of 3rd parties in context of right to audit clauses
§ Management of the off-boarding process
Third Party Management Spending
Survey question: Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years? (290 respondents from organizations using or considering GRC solutions/technology; "don't know" responses filtered out)
Across All Organizations
§ 41% Spending More
§ 48% Same
§ 11% Spending Less
§ 3% Unsure
Small Organizations
§ 44% Spending More
§ 41% Same
§ 15% Spending Less
Medium Organizations
§ 31% Spending More
§ 63% Same
§ 6% Spending Less
Large Organizations
§ 50% Spending More
§ 36% Same
§ 14% Spending Less
Market Maturity: Third Party Management
Stage (revenue over time): New | Growth | Maturity | Saturation | Decline or Renewed Growth
Audience: Innovators | Early Adopters | Majority | Late Majority | Reinvent/Laggard
Market: Small | Expanding | High | Peaked | Renew/Decline
Price: Very High | High | High | Medium | Rising/Low
Sales: Low | Expanding | High | Flattening | Strong/Moderate
Competition: Low | Increasing | Moderate | High | Varies
[Chart: revenue curve across the stages above, with the 3rd Party Management segment marked on it]
Market Size & Growth: Third Party Management
Theoretical Addressable Market: $20,000MM (total addressable market size if every organization purchased a solution)
Saturated Market Size: $2,000MM (point where the market slows to below 10% annual growth)
2016 Estimated Market Size: $406MM (calculation of known and estimated revenues in the current year, with trajectory projected to end of year)
2015 Market Size: $301MM (calculation of known and estimated revenues of solutions in this market segment for 2015)
Year: 2014 | 2015 | 2016 | 2017 | 2018
Size: $223MM | $301MM | $406MM | $549MM | $741MM
Annual growth (CAGR): 35% (2015) | 35% (2016) | 35% (2017) | 35% (2018)
Considerations to Evaluate
NOTE: these are just a selection of some common elements from GRC 20/20's RFP template for GRC Management Platforms
Organization Profile
§ Company Profile
§ Financial Profile
§ Vision & Solution Plans
§ Geographic Reach
§ Industry Footprint
§ Client References & Case Studies
§ Brand, Reputation & Track Record
§ Customer Service
§ Training & Education
§ Consulting & Implementation Services
§ Channels, Alliances, Partnerships
§ Demonstrated Value, Financial Benefits, & ROI
§ Service Level Agreements
§ Evaluation Instance & Proof of Value Support
§ Post-Sales Support
Solution Architecture
§ Development Platform & Technology Architecture
§ Information Architecture
§ Flexibility of Technology & Information Architecture
§ Product Life Cycle & Updates
§ Security Architecture (enterprise, entity, record, field)
§ Single Sign-On & LDAP
§ Deployment Model (On-Premise, Hosted, SaaS)
§ Scalability of Solution
§ Integration with Other Systems & Data
§ Responsive Interface & Mobility Architecture
§ Data Management & Bulk Changes
§ Configuration & Customization
§ Availability of Toolkits, Flexibility of Architecture
§ Administration
§ Internationalization & Contextualization
§ Documentation
Considerations to Evaluate (continued)
Foundational Capabilities
§ Workflow & Task Management
§ Process Modeling
§ Content & Document Management
§ Cross-Referencing & Relationships of Data
§ Survey & Assessment Management
§ Audit Trail & Records Management
§ Reporting, Dashboards & Business Intelligence
§ Notifications & Alerts
§ Mobility Apps
§ Visualization & Analytics
§ Standard & Framework Support
§ Collaboration
§ Business Rules Engine
Other Topics of Consideration
§ Out of the Box Features & Functionality
§ Breadth of Functionality
§ Depth of Functionality
§ Advanced Features & Differentiators
§ Usability & User Experience
§ Integrated Content & Intelligence
§ Embedded Domain/Industry Expertise
§ R&D & Innovation
§ Wizards & Contextual Help
§ Role-based Experiences Devoid of Clutter
Most Significant Concerns in Evaluating GRC Management Providers
1. Costs: What is the reality of the acquisition and maintenance costs?
2. Content: Does the solution provide the right GRC content integrations?
3. Technology Debt: How much technology debt does the solution provider carry in promised features undelivered?
4. RFP Responses: Is the solution provider saying yes to everything in the RFP to win a deal?
5. Client References: Are the client references people actually using the solution every day?
6. Customization: Can you configure the solution, or does it require customization & coding?
7. Implementation Team: Does the implementation team have real world experience in aspects of GRC?
8. User Experience: Is the user experience intuitive and easy to use? Is mobility supported?
Steps in Building an RFP
1. Current State Analysis
2. Define Management Charter & Structure
3. Define Information Architecture & Needs
4. Develop Value Proposition for Change
5. Establish Criteria for Management Technology
6. Evaluate & Rank Solutions
GRC 20/20 Value Perspective: 3 Angles of GRC Value
Effectiveness
ü Design Effectiveness
ü Operational Effectiveness
Agility
ü Agility to Change
ü Responsiveness to Events
Efficiency
ü Financial Capital Savings
ü Human Capital Savings
Mature GRC Capabilities Achieve the Following 10 Objectives . . .
1. Achieve Business Objectives
2. Ensure Risk Aware Setting of Objectives and Strategic Planning
3. Enhance Organizational Culture
4. Increase Stakeholder Confidence
5. Prepare & Protect the Organization
6. Prevent, Detect, and Reduce Adversity and Weaknesses
7. Motivate & Inspire Desired Conduct
8. Stay Ahead of the Game
9. Improve Responsiveness & Efficiency
10. Optimize Economic Return & Value
Maturing GRC Through 360° Contextual Intelligence Delivers . . .
1. Aware
ü Have a finger on the pulse of business
ü Watch for change in internal & external environment
ü Turn data into information that can be, and is, analyzed
ü Share information in every relevant direction
2. Aligned
ü Support and inform business objectives
ü Continuously align objectives and operations to risk of the entity
ü Give strategic consideration to information from risk management enabling appropriate change
3. Responsive
ü You can’t react to something you don’t sense
ü Gain greater awareness and understanding of information that drives decisions and actions
ü Improve transparency, but also quickly cut through the morass of data to what you need to know to make the right decisions
4. Agile
ü More than fast, nimble
ü Being fast isn’t helpful if you are headed in the wrong direction.
ü Risk management enables decisions and actions that are quick, coordinated and well thought out.
ü Agility allows an entity to use risk to its advantage, grasp strategic opportunities and be confident in its ability to stay on course.
5. Resilient
ü Be able to bounce back quickly from changes in context and threats with limited business impact
ü Have sufficient tolerances to allow for some missteps
ü Have confidence necessary to rapidly adapt and respond to opportunities
6. Lean
ü Build the muscle, trim the fat
ü Get rid of expense from unnecessary duplication, redundancy and misallocation of resources within the risk management
ü Lean the organization overall with enhanced capability and related decisions about application of resources
Questions?
Michael Rasmussen, J.D.
The GRC Pundit & OCEG Fellow
[email protected]
+1.888.365.4560
Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.
GRC 20/20 Newsletter
LinkedIn: GRC 20/20
Blog: GRC Pundit
Twitter: GRCPundit
LinkedIn: Michael Rasmussen