Enterprise Governance, Risk, and Compliance Software
Copyright 2021, Faulkner Information Services. All Rights Reserved.
Docid: 00021510
Publication Date: 2106
Report Type: TUTORIAL
Preview
Enterprise governance, risk, and compliance (EGRC) software is designed
to automate the documentation and reporting of risk management and
compliance activities and serves as the principal instrumentation of
modern enterprise governance. The EGRC market arose in response to
accounting scandals involving Enron and other high-profile corporations.
Introduction
Enterprise governance, risk, and compliance (EGRC) software is designed
to automate the documentation and reporting of enterprise risk management
and compliance activities [1] and serves as the principal
instrumentation of modern enterprise governance. The EGRC market
arose in response to accounting scandals involving Enron and other
high-profile corporations. Owing to these abuses, various governments,
including the US, enacted laws that imposed strict penalties for
public companies and their executives if they fail to observe certain
financial accountability and other standards.
To help satisfy these complex and sometimes ambiguous requirements,
enterprises frequently rely on EGRC software. The primary end users
include:
- Internal auditors and the enterprise audit committee
- Risk and compliance managers
- Enterprise general counsel and other legal professionals
- Accountable business process owners [2]
With a risk landscape that includes rampant ransomware and distributed
denial of service (DDoS) attacks, and more rigorous regulations like the
California Consumer Privacy Act (CCPA), interest in EGRC software is
escalating.
EGRC Market
MarketsandMarkets reports that the global EGRC market should grow from
$1.3 billion in 2021 to $2.2 billion by 2026, for a very respectable
compound annual growth rate (CAGR) of 10.9 percent during the forecast
period.
In a crowded market space, prominent EGRC providers include:
- IBM
- MetricStream
- NAVEX Global
- Oracle
- RSA Archer
- SAP
- SAS Institute
- ServiceNow
- Software AG
- Thomson Reuters
- Wolters Kluwer [3]
Description
Concept
The basic concept of enterprise governance, risk, and compliance (EGRC)
may be summarized as follows:
- Governance pertains to those enterprise policies and protocols, including government regulations, that prescribe enterprise behavior. Governance exists to ensure that enterprise operations are effective, efficient, respectful of the rights of enterprise stakeholders, and conform to relevant laws. In short, governance encompasses the rules for running a particular enterprise.
- Risk pertains to any situation, circumstance, or event that may compromise enterprise operations and/or enterprise governance.
- Finally, compliance pertains to those initiatives designed to ensure adherence to enterprise governance standards and, thus, enterprise operational practices.
In enterprise management shorthand, EGRC describes “how enterprise
officials intend to manage the enterprise” (governance); “what factors may
adversely affect their ability to administer governance standards” (risk);
and “how enterprise officials intend to achieve governance objectives”
(compliance).
While enabled by software, as analyst Jeff Aldorisio reminds us, “[EGRC] is a strategy, rather than a platform, digital solution or any other set of tools. An [enterprise] builds a framework so that [it] can take a structured approach to managing risk, meeting compliance and maintaining governance over every area of IT.” [4]
Capabilities
As observed by IBM, basic EGRC capabilities as delivered by many, if not
most, EGRC tools include:
- “Content and document management that helps [enterprises] create, track, and store digitized content.
- “Risk data management and analytics that help to measure, quantify, and predict risk – and determine steps to reduce it.
- “Workflow management to help [enterprises] establish, execute, and monitor [EGRC]-related workflows.
- “Audit management to organize information and simplify processes for conducting internal audits.
- “A dashboard that provides a central interface where key performance indicators relevant to [enterprise] processes and objectives can be monitored in real-time.
“Effective GRC tools create and distribute policies and controls and map them to regulations and compliance requirements. They help assess whether controls have been deployed, are functioning correctly, and are improving risk assessment and mitigation.” [5]
Origin
The initial development of EGRC software was a direct response to the
accounting scandals that involved Enron, Tyco International, Adelphia
Cable, Peregrine Systems, and WorldCom, among others. As a result of
these abuses, domestic and international governments passed laws like
the Sarbanes-Oxley Act (or SOX) that prescribed various sanctions,
including criminal penalties, for public companies and their executives if
they failed to follow good business practices.
Subsequent financial failures that led to the Great Recession of 2008 and
2009 reinforced the need for stricter internal controls over financial
reporting and, as a result, further energized the EGRC market,
facilitating the development of tools to manage:
- Financial risk
- Credit risk
- Operational risk
- Market risk
- Compliance risk
- Foreign exchange or settlement risk
- Interest rate risk
- Third-party risk (from suppliers and business partners)
- Social risk (owing to the increasing use of unregulated social media
for enterprise sales and marketing)
Solutions
A comprehensive EGRC solution will normally feature the following:
- Financial Risk Software – Ensures that the operation of all financial processes follows enterprise governance policies, as well as accounting, financial, and auditing compliance.
- Operational Risk Software – As defined by the Basel Committee, addresses the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, encompassing legal risk as well.
- IT Risk Software – Ensures that all IT activities and personnel support current and future business needs and comply with IT security mandates.
- Enterprise Risk Management Software – Includes the categories of market risk, credit risk, and operational risk (which include and subsume EGRC).
At its best, EGRC software adapts quickly to new regulations and addresses most, if not all, areas of enterprise management, including:
- Controls and policies
- Information sharing with the public and government agencies
- IT controls for self-assessment and measurement
- Asset management
- Remediation and exception management
- Compliance reporting
Owing to their ease of use and administration, EGRC software-as-a-service
(SaaS) solutions are particularly popular.
Current View
EGRC Benefits
IDC believes the principal benefits of using EGRC software are:
- Mitigation of risk in terms of financial exposure, reputational damage, or potential business interruption.
- Visibility into the “mass of enterprise data” through a “single pane of glass.”
- Integration with other enterprise systems that serve enterprise governance, risk, and compliance requirements.
- Collaboration across departments to ensure governance, risk, and compliance efforts are focused on common enterprise goals. [6]
Market Drivers
The demand for EGRC software and services is propelled by multiple factors, in particular:
- The rising number, severity, and cost of data breaches.
- The management uncertainties surrounding pandemic- and post-pandemic-related operations, in particular, the ubiquity of remote operations.
- The need to manage ever-expanding volumes of Big Data, especially Internet of Things (IoT) data. [7,8]
According to analyst Michael Rasmussen, other drivers include:
- Data privacy – GDPR plus the California Consumer Privacy Act (CCPA).
- Growing accountability – due to the UK’s Senior Managers Regime (SMR), Australia’s Banking Executive Accountability Regime (BEAR), plus similar regulations in Singapore, Hong Kong, Japan, Ireland, and Spain.
- Operational resiliency – reflecting the integration of operational risk, business continuity, third party risk, and more.
- Greater enforcement – particularly anti-bribery and corruption, especially in Europe.
- New EGRC technology – plus the maturing of AI offerings. [9]
Analyst Robert Bond echoes the enforcement concern, saying “The risk of
consumer class-actions for privacy infringements will drive compliance up
the agenda and lead to greater attention to data protection compliance and
governance.” [10]
Regarding corporate accountability, analyst Connor Blake warns that “If
it looks like your customers care more about your company’s business
ethical conduct than you do, that is a disaster waiting to happen. Companies will need to be far more agile to get ahead of that curve,
automating away compliance risks for their employees and delivering really
intuitive GRC tools to make it simple for your employees to tell you
what’s going on before your customers do.” [11]
Market Inhibitors
MarketWatch cautions that “fluctuating regulatory policies and lack of
awareness within [enterprises] are acting as restraints for [the]
enterprise governance, risk, and compliance (EGRC) market.” [12]
Analyst Fergus Allan adds that under the Trump Administration, the
“regulatory landscape [was] significantly different [than in Europe], with
the pace of regulation seeing a deceleration and arguably a reversal in
some cases.” [13] A more regulation-friendly Biden Administration,
however, may reverse this dynamic.
Vertical Concentration
While popular across all enterprises, EGRC is finding special resonance
among industry verticals, specifically:
- Banking, Financial Services, and Insurance (BFSI)
- Telecommunications
- Energy & Utility
- Government
- Healthcare
- Manufacturing
- Mining & Natural Resources
- Retail & Consumer Goods
- Information Technology
- Transportation & Logistics
Of these, MarketsandMarkets predicts the Healthcare sector will exhibit “the highest growth rate, owing to the growing need to manage various standards and ensure compliance requirements for regulations. The healthcare sector is constantly focusing on enhancing the services delivered to patients. While delivering the best services to patients and staff, clinics and hospitals must assess and control various risks with regards to patient safety, federal regulations, and medical errors.” [14]
Grand View Research forecasts high EGRC growth in the BFSI sector. “EGRC
helps in effective risk management by identifying potential threats to
customers and third parties covering every line of a business and its
operations in the BFSI sector. [Banks] and financial institutions are now
making use of analytics to detect any entity-level linkages as well as to
monitor suspicious activities of different linked accounts used for
laundering activities. Hence, large capital is being allotted for the
implementation of advanced technology-based EGRC solutions.
“The BFSI vertical has witnessed the implementation of several
technology-based solutions, such as AI, machine learning, IoT, blockchain,
robotic process automations (RPA), and augmented reality (AR). Although
technologies like blockchain are secure, others may create significant
security challenges for companies operating in this vertical. This is
encouraging companies in the financial sector to implement security
solutions and use EGRC to assess underlying threats of unauthorized
access.” [15]
General Data Protection Regulation
Going forward, EGRC software will be critical in complying with the
European Union (EU) General Data Protection Regulation (GDPR). The GDPR
builds on the EU Data Protection Directive of 1995, which aimed to protect
the fundamental rights and freedoms of natural persons, focusing on their
right to privacy with regard to the processing of their personal data.
The GDPR not only applies to organizations located within the EU but it
will also apply to organizations located outside of the EU if they offer
goods or services to, or monitor the behavior of, EU data
subjects. It applies to all companies processing and holding the
personal data of data subjects residing in the European Union, regardless
of the company’s location.
Recommendations
The Future of EGRC Software
As revealed by analyst Arun Kumar, recent discussions with enterprise executives and other EGRC influencers suggest that future editions of enterprise governance, risk, and compliance software should – and will – evolve to encompass:
- Greater Automation – “Executives are noticing that effective automation is drawing the line between [EGRC] leaders and the rest. Automation is being aimed at answering compliance-oriented business questions.” Automation is “a must.”
- More and Better Data – “Participants noted that data collected today by industry is often reflective of lagging indicators. This leads to a reactive approach rather than being proactive.” Data is “key.”
- Simplicity of Operations – “A participant cited a real-life example where the system was implemented correctly but followed a pessimistic approach. It was too difficult for the users to get things done due to extreme checks in place and it eventually got abandoned.” Simplification is “crucial.”
- Standardized Operations – “Standardization of common concepts within an industry is important to reduce the effort that goes into interpretation, effective communication, systems integration and related skill building. A similar argument applies to tools and platforms. Rather than have everything customizable in a GRC system, a standardized and modular set of solutions enables flexibility.” Standardization is “flexibility.” [16]
Selecting EGRC Software
Seemingly an evergreen market with new laws and regulations being created
on a continuing basis, the EGRC software space can expect sustained growth
as enterprises seek programmed help to negotiate an ever-changing legal
landscape.
When selecting an EGRC product (or products), enterprise officials should seek the following:
- Offerings from a major EGRC vendor, like IBM, Oracle, or SAP.
- Support for all major regulatory regimes including SOX, HIPAA, GLBA, GDPR, and CCPA.
- Support for specific industry or vertical standards as appropriate.
- The ability to map specific regulatory requirements to specific control objectives, and specific control objectives to specific controls. [17]
- Regular updates of regulatory content to accommodate new and changing regulations and standards. [18]
- Awareness of – and attention to – artificial intelligence (AI) and robotics as fundamental components of emerging workflow patterns and platforms. [19]
- Regulation-specific processes, particularly for prominent regulations such as SOX, HIPAA, GLBA, GDPR, and CCPA.
- Customizable dashboards for displaying compliance progress at the detail, summary, and executive summary level. [20]
- A detailed compliance audit trail suitable for inspection by detail-oriented auditors and regulators.
- Out-of-the-box integration with existing compliance disciplines and technologies, including change management, configuration management, incident management, identity management, network management, and business continuity. [21]
References
- [1] French Caldwell and John A. Wheeler. “Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms.” Gartner, Inc. September 26, 2013.
- [2] Ibid.
- [3] “eGRC Market with COVID-19 by Offering (Software and Services), Software (Usage and Type), Type (Policy Management, Compliance Management, Audit Management, and Risk Management), Business Function, End User, and Region – Global Forecast to 2026.” MarketsandMarkets. May 27, 2021.
- [4] Jeff Aldorisio. “What Is IT Governance, Risk, and Compliance (GRC)?” SecurityScorecard. February 9, 2021.
- [5] IBM Cloud Education. “GRC.” IBM. June 18, 2020.
- [6] Angela Gelnaw. “IDC’s Worldwide Governance, Risk, and Compliance Software Taxonomy, 2017.” IDC. February 2017:3.
- [7] “Global Enterprise Governance, Risk and Compliance Software Market Research Report, Market Size, Status, Revenue, Consumption, Import and Future Forecast to 2019-2024.” MarketWatch. April 5, 2019.
- [8] Arun Kumar. “Key Challenges and Priorities for GRC Leaders in 2021.” IBM. December 14, 2020.
- [9] Scott Bamford. “11 GRC Experts Predict What’s Ahead in 2019.” MITRATECH. 2019.
- [10] Ibid.
- [11] Ibid.
- [12] “Global Enterprise Governance, Risk and Compliance Software Market Research Report, Market Size, Status, Revenue, Consumption, Import and Future Forecast to 2019-2024.” MarketWatch. April 5, 2019.
- [13] Scott Bamford. “11 GRC Experts Predict What’s Ahead in 2019.” MITRATECH. 2019.
- [14] “eGRC Market with COVID-19 by Offering (Software and Services), Software (Usage and Type), Type (Policy Management, Compliance Management, Audit Management, and Risk Management), Business Function, End User, and Region – Global Forecast to 2026.” MarketsandMarkets. May 27, 2021.
- [15] “Enterprise Governance, Risk & Compliance Market Size, Share & Trends Analysis Report by Component, by Software, by Services, by Enterprise Type, by Vertical, and Segment Forecasts, 2021 – 2028.” Grand View Research. April 2021.
- [16] Arun Kumar. “Key Challenges and Priorities for GRC Leaders in 2021.” IBM. December 14, 2020.
- [17] “Key Considerations for a GRC Management Solution.” CA Technologies. 2010:9-10.
- [18] Ibid.
- [19] “Enterprise GRC Solutions: Market Update 2017.” Chartis Research Ltd. March 2017:4.
- [20] “Key Considerations for a GRC Management Solution.” CA Technologies. 2010:9-10.
- [21] Ibid.
Web Links
- IBM: http://www.ibm.com/
- MetricStream: http://www.metricstream.com/
- NAVEX Global: http://www.navexglobal.com/
- Oracle: http://www.oracle.com/
- RSA Archer: http://www.rsa.com/
- SAP: http://www.sap.com/
- SAS Institute: http://www.sas.com/
- ServiceNow: http://www.servicenow.com/
- Software AG: http://www.softwareag.com/
- Thomson Reuters: http://www.thomsonreuters.com/
- Wolters Kluwer: http://www.wolterskluwer.com/
About the Author
James G. Barr is a leading business continuity analyst
and business writer with more than 30 years’ IT experience. A member of
“Who’s Who in Finance and Industry,” Mr. Barr has designed, developed, and
deployed business continuity plans for a number of Fortune 500 firms. He
is the author of several books, including How to Succeed in Business
BY Really Trying, a member of Faulkner’s Advisory Panel, and a
senior editor for Faulkner’s Security Management Practices.
Mr. Barr can be reached via email at jgbarr@faulkner.com.