In 2008 I wrote a piece for Risk Management Magazine called GRC –TheGreat Risk Con.

Much to the chagrin of many readers, my article went on to make a number of inflammatory comments ranging from an inference which suggested that anyone who uses the GRC term doesn’t know what they’re talking about, through to GRC being a term created by the major IT players in order to create and capture a new market segment.

I painted the term as unhelpful and mischievous and in the process I’m pleased to say that this caused great debate in this magazine.

Three years later, little has changed. The GRC software market remains immature. Like other immature markets it’s characterised by small and medium-sized IT vendors rapidly acquiring each other while the major players wait for this to settle down so they can pick the winners and buy them. The Great Risk Con has become the Great Risk Consolidation. It’s been this way for years.

My main contention with the GRC category is it lumps things together which don’t necessarily belong together. Risk assessment with compliance; issue tracking with audit work papers; continuous control monitoring with continuous transaction monitoring, with audit work papers, e-rooms and collaboration tools, CAATs 2.0, knowledge management, control-self assessment and anything else you can think of thrown in for good measure.

The lines have been blurred, and the research analysts seem to like the tools that do a bit of everything. Good for them.

The reality is there is no one size fits all solution. The field is too dispersed and the segment is still characterised by a number of niche players who are good at what they do.

One leading GRC analyst estimates that there are over 400 GRC vendors, spanning 19 categories. And this is before considering our local batch from Australia, many of which are quite good. He concludes that in most cases it is more important to ensure your specific needs are met rather than trying to boil the ocean or buy a one-size-fits-all fully integrated solution.

At this stage we’d concur. The market is still immature. There still is innovation happening, some new niches being created and some interesting developments being made. This is why the user bases are still fragmented. It’s why systems are still being bought and junked regularly.It also explains why so many systems continue to be built in-house.

When embarking on a decision to buy, replace, build or configure, time spent up-front on being really clear on your user needs and requirements and nailing those in the first instance is the key to getting this right.

For now, best of breed trumps best in class. I suspect it will be this way for many years.

Todd Davies & Associates assists organisations with GRC systems strategy, design and selection.  This article first appeared in the final edition for 2011 of Risk Management Magazine.

To subscribe to this series of occasional articles and case studies, please click here.

To see the rebuttal, have a look at page 3 of the July edition of Risk Management Magazine here.  And to see the original article which caused the contraversy, click here for page 3 fo the June edition.  (Now locked down, here’s the web version).

For more information on how strategy, risk, governance and assurance come together, please click here.

To subscribe to this series of occasional articles and case studies, please click here.

Governance Risk and Compliance – The Great Risk Con, Todd Davies, Risk Management Magazine, June 2008

GRC as a term is popping up everywhere. It seems that all companies that used to sell audit software are now “GRC companies”, recruiting firms that used to hire auditors and company secretaries now have a “GRC practice” and GRC conferences are popping up all over the place.

So what is GRC? Is it something new that we need to be across? Or is it the latest bit of marketing spin used by software companies to lure new buyers?

Read the full article on Risk Management Magazine’s website here.

Key points

• GRC is an amalgam of a range of different disciplines and functions which don’t always sit nicely together.
• The term seems to stem from “big software” who are keen to create, consolidate and capture new markets.  It blurs lines and does little to aid understanding of the various segments and providers in this space.
• When selecting GRC software it is important to understand exactly what you want to achieve before looking at GRC solutions.  One size does not yet fit all.
• Compliance is only a subset of risk and governance.  By lumping GR&C together there is an increased chance that compliance will dominate, and that strategic risk will continue to be overlooked
• An alternative construct could be to link risk, governance and assurance together with strategy.  This aligns with the intent of ASX Principle 7 and broader shareholder and stakeholder interests.

Related links

• Navigating the GRC Maze – Understanding GRC Solutions and Software Selection
• SRGA – Strategy, Risk, Governance and Assurance
• Enterprise Governance – bringing strategy, risk, governance and assurance functions together

To subscribe to this series of occasional articles and case studies, please click here.