Published by Todd Davies on 23 Dec 2011 at 02:57 pm
GRC – The Great Risk Con revisited
“Use caution with Forrester Waves and Gartner Magic Quadrants.” Leading GRC Analyst.
In 2008 I wrote a piece for Risk Management Magazine called GRC –TheGreat Risk Con.
Much to the chagrin of many readers, my article went on to make a number of inflammatory comments ranging from an inference which suggested that anyone who uses the GRC term doesn’t know what they’re talking about, through to GRC being a term created by the major IT players in order to create and capture a new market segment.
I painted the term as unhelpful and mischievous and in the process I’m pleased to say that this caused great debate in this magazine.
Three years later, little has changed. The GRC software market remains immature. Like other immature markets it’s characterised by small and medium-sized IT vendors rapidly acquiring each other while the major players wait for this to settle down so they can pick the winners and buy them. The Great Risk Con has become the Great Risk Consolidation. It’s been this way for years.
My main contention with the GRC category is it lumps things together which don’t necessarily belong together. Risk assessment with compliance; issue tracking with audit work papers; continuous control monitoring with continuous transaction monitoring, with audit work papers, e-rooms and collaboration tools, CAATs 2.0, knowledge management, control-self assessment and anything else you can think of thrown in for good measure.
The lines have been blurred, and the research analysts seem to like the tools that do a bit of everything. Good for them.
The reality is there is no one size fits all solution. The field is too dispersed and the segment is still characterised by a number of niche players who are good at what they do.
One leading GRC analyst estimates that there are over 400 GRC vendors, spanning 19 categories. And this is before considering our local batch from Australia, many of which are quite good. He concludes that in most cases it is more important to ensure your specific needs are met rather than trying to boil the ocean or buy a one-size-fits-all fully integrated solution.
At this stage we’d concur. The market is still immature. There still is innovation happening, some new niches being created and some interesting developments being made. This is why the user bases are still fragmented. It’s why systems are still being bought and junked regularly.It also explains why so many systems continue to be built in-house.
When embarking on a decision to buy, replace, build or configure, time spent up-front on being really clear on your user needs and requirements and nailing those in the first instance is the key to getting this right.
For now, best of breed trumps best in class. I suspect it will be this way for many years.
Todd Davies & Associates assists organisations with GRC systems strategy, design and selection. This article first appeared in the final edition for 2011 of Risk Management Magazine.
If you found this information useful, why not subscribe free newsfeed of our latest articles and case studies.