
CFO Magazine, January 2009 Issue

A Defining Moment


Sharpen Your Pencils
All vendors, of course, lead with best-case scenarios. Deloitte principal Brian Parker warns that the tab can run a lot higher. A program dealing with regulatory compliance alone, he claims, can cost $200,000 or more. An integrated approach that delivers the full scope of GRC capabilities can crest the $1 million mark for a large organization. One reason for the spread is that there is not a great deal of uniformity among GRC products in terms of what they do and how they do it; therefore, each vendor's pitch has to be evaluated very carefully against a company's needs.

However complicated the buying decision may be, there is evidence that more companies will be sharpening their pencils and taking a closer look, if only to satisfy the growing drumbeat coming from the top of their organizations, and beyond. "Auditors, audit committees, governments, regulators, and credit-rating agencies are increasingly asking companies to improve their risk-management efforts," says Brandts. "The influx of companies asking for help in this regard has significantly increased over the last few months."

Corporate Integrity's Rasmussen notes that a stampede toward G and R (if not C) is creating a brisk sales environment. "Vendors that can target third-party risk management — managing the risk of processes and relationships — are finding that this is a very hot area right now," he says.

James Doss, CFO of RF Industries, is convinced. Risk management is a top priority at the San Diego–based provider of wired and wireless networking and communications products, and Doss says GRC software can address it effectively. "Risk is probably a secondary thought to most people [when they buy this software], but in essence that's really what the driver is."

Another key concern, says Doss, is flexibility on the part of the vendor. "You want the software to flex with your changing processes and needs," he says, in part to "get buy-in from your company's stakeholders so they feel that the software works with them, instead of forcing them to change their ways."

Power Up, Price Down
The changes that Rasmussen speaks of will likely manifest themselves in several different ways this year. For one, expect vendors to expand their offerings from core areas of expertise into more complete products or product suites that address all three components of GRC. While many may continue to stress a particular niche as a way to win sales, most will attempt to convince customers that their products can, and should, be more widely deployed across the enterprise to address governance, risk, and compliance. Customers will have to decide to what degree they buy based on today's niche expertise versus tomorrow's promise.

That may sound daunting, but market forces will provide some relief. The rapid proliferation of GRC vendors — Rasmussen now counts around 1,300 GRC technology and consulting service providers, from major players like Oracle, SAP, BWise, and OpenPages to single-owner start-ups — is about to give way to the same wave of consolidation that has swept through the business-intelligence market in the past two years.

The software should also get easier to use. OpenPages, for example, has been following a path in which its products can be tailored without expensive and time-consuming reprogramming. John Klein, vice president of audit services at Miami-based Carnival Cruise Lines, says that that has allowed his company to give more employees access to the software. "When we first implemented OpenPages, only a handful of 'power users' were utilizing the software to document [Sarbanes-Oxley]-related activities associated with hundreds of process and control owners," he says. "We have since configured the software so that process and control owners can perform certifications directly."

And it should become easier to afford, as the transition toward software-as-a-service continues to gain momentum. Centrally hosted software that is rented not only allows customers to avoid a capital outlay, but it also offers a number of technological benefits, such as automatic updates, improved scalability, and reduced IT overhead.

But GRC remains far from a no-brainer. For one thing, companies that already use ERP or other sophisticated enterprise software must decide whether they want to bring in a niche player or rely on the GRC offerings (and, in general, more-sophisticated if more-expensive support) of their key vendors. There is also the question of which vendors will still be around a year from now, and whether an acquisition will have any impact on the product of the acquired company.

But the biggest question of all remains whether and to what degree software can automate and augment the many business processes that lie at the heart of governance, risk, and compliance. If a company takes a fragmented approach toward those tasks, the existence of a unified software package may not gain much traction at a time when each department or business unit is scrutinizing its budget like never before and shelling out for only what it needs today.

John Edwards is a freelance writer based in Gilbert, Arizona.


What We Talk about When We Talk about GRC

Since GRC technology and services comprise three separate activities, companies naturally emphasize different reasons for investing in it. Compliance was the main attraction at first, but after several years of wrestling with Sarbanes-Oxley, "people had compliance fatigue," says John Hagerty, an analyst at AMR Research in Boston. Risk management subsequently started to drive the GRC market, beginning in the first half of 2007. "The conversation really changed," says Hagerty. "Companies were looking specifically to understand what their risk profile was — which areas they were exposed in, which activities could be risky."



Reader Comments (displaying 2 of 2)

  • John Capobianco

    Jan 14, 2009 10:48 AM ET

    Compliance cost reduction

    Great points here, John. I agree with Forrester's Othersen. Risk and governance concerns were central to the global … more

  • Mark Adams

    Jan 12, 2009 2:39 PM ET

    Nobody Gets It

    This entire article shows an almost complete misunderstanding of basic risk management and governance, but here are two … more
