Enterprise Governance, Risk, and Compliance Software

PDF version of this report
You must have Adobe Acrobat reader to view, save, or print PDF files. The
reader is available for free

Enterprise Governance, Risk,
and Compliance Software

by James G. Barr

Docid: 00021510

Publication Date: 2106

Report Type: TUTORIAL


Enterprise governance, risk, and compliance (EGRC) software is designed
to automate the documentation and reporting of risk management and
compliance activities and serves as the principal instrumentation of
modern enterprise governance. The EGRC market arose in response to
accounting scandals involving Enron and other high-profile corporations.

Report Contents:


[return to top of this

Enterprise governance, risk, and compliance (EGRC) software is designed
to automate the documentation and reporting of enterprise risk management
and compliance activities1 and serves as the principal
instrumentation of modern enterprise governance. The EGRC market
arose in response to accounting scandals involving Enron and other
high-profile corporations. Owing to these abuses, various governments,
including the US, enacted laws that imposed strict penalties for
public companies and their executives if they fail to observe certain
financial accountability and other standards.

To help satisfy these complex and sometimes ambiguous requirements,
enterprises frequently rely on EGRC software. The primary end users

  • Internal auditors and the enterprise audit committee
  • Risk and compliance managers
  • Enterprise general counsel and other legal professionals
  • Accountable business process owners2

With a risk landscape that includes rampant ransomware and distributed
denial of service (DDoS) attacks, and more rigorous regulations like the
California Consumer Privacy Act (CCPA), interest in EGRC software is

EGRC Market

MarketsandMarkets reports that the global EGRC market should grow from
$1.3 billion in 2021 to $2.2 billion by 2026, for a very respectable
compound annual growth rate (CAGR) of 10.9 percent during the forecast

In a crowded market space, prominent EGRC providers include:

  • IBM
  • MetricStream
  • NAVEX Global
  • Oracle
  • RSA Archer
  • SAP
  • SAS Institute
  • ServiceNow
  • Software AG
  • Thomson Reuters
  • Wolters Kluwer3


[return to top of this


The basic concept of enterprise governance, risk, and compliance (EGRC)
may be summarized as follows:

  • Governance pertains to those enterprise policies
    and protocols, including government regulations, that prescribe
    enterprise behavior. Governance exists to ensure that enterprise
    operations are effective, efficient, respectful of the rights of
    enterprise stakeholders, and conform to relevant laws. In short,
    governance encompasses the rules for running a particular enterprise.
  • Risk pertains to any situation, circumstance, or
    event that may compromise enterprise operations and/or enterprise
  • Finally, compliance pertains to those initiatives
    designed to ensure adherence to enterprise governance standards and,
    thus, enterprise operational practices.

In enterprise management shorthand, EGRC describes “how enterprise
officials intend to manage the enterprise” (governance); “what factors may
adversely affect their ability to administer governance standards” (risk);
and “how enterprise officials intend to achieve governance objectives”

While enabled by software, as analyst Jeff Aldorisio reminds us, “
is a strategy
, rather than a platform, digital solution or any other
set of tools. An [enterprise] builds a framework so that [it] can
take a structured approach to managing risk, meeting compliance and
maintaining governance over every area of IT.”4


As observed by IBM, basic EGRC capabilities as delivered by many, if not
most, EGRC tools include:

  • “Content and document management that helps [enterprises] create,
    track, and store digitized content.
  • “Risk data management and analytics that help to measure, quantify,
    and predict risk – and determine steps to reduce it.
  • “Workflow management to help [enterprises] establish, execute, and
    monitor [EGRC]-related workflows.
  • “Audit management to organize information and simplify processes for
    conducting internal audits.
  • “A dashboard that provides a central interface where key performance
    indicators relevant to [enterprise] processes and objectives can be
    monitored in real-time.

“Effective GRC tools create and distribute policies and controls and map
them to regulations and compliance requirements. They help assess whether
controls have been deployed, are functioning correctly, and are improving
risk assessment and mitigation.”5


The initial development of EGRC software was a direct response to the
accounting scandals that involved Enron, Tyco International, Adelphia
Cable, Peregrine Systems, and WorldCom, among others. As a result of
these abuses, domestic and international governments passed laws like
the Sarbanes-Oxley Act (or SOX) that prescribed various sanctions,
including criminal penalties, for public companies and their executives if
they failed to follow good business practices.

Subsequent financial failures that led to the Great Recession of 2008 and
2009 reinforced the need for stricter internal controls over financial
reporting and, as a result, further energized the EGRC market,
facilitating the development of tools to manage:

  • Financial risk
  • Credit risk
  • Operational risk
  • Market risk
  • Compliance risk
  • Foreign exchange or settlement risk
  • Interest rate risk
  • Third-party risk (from suppliers and business partners)
  • Social risk (owing to the increasing use of unregulated social media
    for enterprise sales and marketing)


A comprehensive EGRC solution will normally feature the following:

  • Financial Risk Software – Ensures that the
    operation of all financial processes follow enterprise governance
    policies, as well as accounting, financial, and auditing compliance.
  • Operational Risk Software – As defined by the Basel
    Committee, addresses the risk of loss resulting from inadequate or
    failed internal processes, people, and systems, or from external events,
    encompassing legal risk as well.
  • IT Risk Software – Ensures that all IT activities
    and personnel support current and future business needs and comply with
    IT security mandates.
  • Enterprise Risk Management Software – Includes the
    categories of market risk, credit risk, and operational risk (which
    include and subsume EGRC).

At its best, EGRC software adapts quickly to new regulations, and
addresses most, if not all, area of enterprise management, including:

  • Controls and policies
  • Information sharing with the public and government agencies
  • IT controls for self-assessment and measurement
  • Asset management
  • Remediation and exception management
  • Compliance reporting

Owing to their ease of use and administration, EGRC software-as-a-service
(SaaS) solutions are particularly popular.

Current View

[return to top of this

EGRC Benefits

IDC believes the principal benefits of using EGRC software are:

  • Mitigation of risk in terms of financial exposure, reputational
    damage, or potential business interruption.
  • Visibility into the “mass of enterprise data” through a “single pane
    of glass.”
  • Integration with other enterprise systems that serve enterprise
    governance, risk, and compliance requirements.
  • Collaboration across departments to ensure governance, risk, and
    compliance efforts are focused on common enterprise goals.6

Market Drivers

The demand for EGRC software and services is propelled by multiple
factors, in particular:

  • The rising number, severity, and cost of data breaches

  • The management uncertainties surrounding pandemic- and
    post-pandemic-related operations
    , in particular, the ubiquity of
    remote operations.

  • The need to manage ever-expanding volumes of Big Data
    especially Internet of Things (IoT) data.7,8

According to analyst Michael Rasmussen, other drivers include:

  • Data privacy – GDPR plus the California Consumer
    Privacy Act (CCPA).
  • Growing accountability – due to the UK’s Senior
    Managers Regime (SMR), Australia’s Banking Executive Accountability
    Regime (BEAR), plus similar regulations in Singapore, Hong Kong, Japan,
    Ireland, and Spain.
  • Operational resiliency – reflecting the integration
    of operational risk, business continuity, third party risk, and more.
  • Greater enforcement – particularly anti-bribery and
    corruption, especially in Europe.
  • New EGRC technology – plus the maturing of AI

Analyst Robert Bond echoes the enforcement concern, saying “The risk of
consumer class-actions for privacy infringements will drive compliance up
the agenda and lead to greater attention to data protection compliance and

Regarding corporate accountability, analyst Connor Blake warns that “If
it looks like your customers care more about your company’s business
ethical conduct than you do, that is a disaster waiting to happen.
Companies will need to be far more agile to get ahead of that curve,
automating away compliance risks for their employees and delivering really
intuitive GRC tools to make it simple for your employees to tell you
what’s going on before your customers do.”11

Market Inhibitors

MarketWatch cautions that “fluctuating regulatory policies and lack of
awareness within [enterprises] are acting as restraints for [the]
enterprise governance, risk, and compliance (EGRC) market.”12

Analyst Fergus Allan adds that under the Trump Administration, the
“regulatory landscape [was] significantly different [than in Europe], with
the pace of regulation seeing a deceleration and arguably a reversal in
some cases.”13 A more regulation-friendly Biden Administration,
however, may reverse this dynamic.

Vertical Concentration

While popular across all enterprises, EGRC is finding special resonance
among industry verticals, specifically:

  • Banking, Financial Services, and Insurance (BFSI)
  • Telecommunications
  • Energy & Utility
  • Government
  • Healthcare
  • Manufacturing
  • Mining & Natural Resources
  • Retail & Consumer Goods
  • Information Technology
  • Transportation & Logistics

Of these, MarketsandMarkets predicts the

sector will
exhibit “the highest growth rate, owing to the growing need to manage
various standards and ensure compliance requirements for regulations. The
healthcare sector is constantly focusing on enhancing the services
delivered to patients. While delivering the best services to patients and
staff, clinics and hospitals must assess and control various risks with
regards to patient safety, federal regulations, and medical errors.”14

Grand View Research forecasts high EGRC growth in the BFSI sector. “EGRC
helps in effective risk management by identifying potential threats to
customers and third parties covering every line of a business and its
operations in the BFSI sector. [Banks] and financial institutions are now
making use of analytics to detect any entity-level linkages as well as to
monitor suspicious activities of different linked accounts used for
laundering activities. Hence, large capital is being allotted for the
implementation of advanced technology-based EGRC solutions.

“The BFSI vertical has witnessed the implementation of several
technology-based solutions, such as AI, machine learning, IoT, blockchain,
robotic process automations (RPA), and augmented reality (AR). Although
technologies like blockchain are secure, others may create significant
security challenges for companies operating in this vertical. This is
encouraging companies in the financial sector to implement security
solutions and use EGRC to assess underlying threats of unauthorized

General Data Protection Regulation

Going forward, EGRC software will be critical in complying with the
European Union (EU) General Data Protection Regulation (GDPR). The GDPR
builds on the EU Data Protection Directive of 1995, which aimed to protect
the fundamental rights and freedoms of natural persons, focusing on their
right to privacy with regard to the processing of their personal data.

The GDPR not only applies to organizations located within the EU but it
will also apply to organizations located outside of the EU if they offer
goods or services to, or monitor the behavior of, EU data
subjects. It applies to all companies processing and holding the
personal data of data subjects residing in the European Union, regardless
of the company’s location.


[return to top of this

The Future of EGRC Software

As revealed by analyst Arum Kumar, recent discussions with enterprise
executives and other EGRC influencers suggests that future editions of
enterprise governance, risk, and compliance software should – and will –
evolve to encompass:

  • Greater Automation

    – “Executives are noticing that effective
    automation is drawing the line between [EGRC] leaders and the rest.
    Automation is being aimed at answering compliance-oriented business
    questions.” Automation is “a must.”

  • More and Better Data

    – “Participants noted that data collected
    today by industry is often reflective of lagging indicators. This leads
    to a reactive approach rather than being proactive.” Data is

  • Simplicity of Operations

    – “A participant cited a real-life
    example where the system was implemented correctly but followed a
    pessimistic approach. It was too difficult for the users to get things
    done due to extreme checks in place and it eventually got abandoned.”
    Simplification is “crucial."

  • Standardized Operations

    – “Standardization of common concepts
    within an industry is important to reduce the effort that goes into
    interpretation, effective communication, systems integration and related
    skill building. A similar argument applies to tools and platforms.
    Rather than have everything customizable in a GRC system, a standardized
    and modular set of solutions enables flexibility.” Standardization is

Selecting EGRC Software

Seemingly an evergreen market with new laws and regulations being created
on a continuing basis, the EGRC software space can expect sustained growth
as enterprises seek programmed help to negotiate an ever-changing legal

When selecting a EGRC product (or products), enterprise officials should
seek the following:

  1. Offerings from a major EGRC vendor, like IBM, Oracle, or SAP.
  2. Support for all major regulatory regimes including SOX, HIPAA, GLBA,
    GDPR, and CCPA.
  3. Support for specific industry or vertical standards as appropriate.
  4. The ability to map specific regulatory requirements to specific
    control objectives, and specific control objectives to specific
  5. Regular updates of regulatory content to accommodate new and changing
    regulations and standards.18
  6. Awareness of – and attention to – artificial intelligence (AI) and
    robotics as fundamental components of emerging workflow patterns and
  7. Regulation-specific processes, particularly for prominent regulations
    such as SOX, HIPAA, GLBA, GDPR, and CCPA.
  8. Customizable dashboards for displaying compliance progress at the
    detail, summary, and executive summary level.20
  9. A detailed compliance audit trail suitable for inspection by
    detail-oriented auditors and regulators.
  10. Out-of-the-box integration with existing compliance disciplines and
    technologies, including change management, configuration management,
    incident management, identify management, network management, and
    business continuity.21


[return to top of this

About the Author

[return to top of this

James G. Barr is a leading business continuity analyst
and business writer with more than 30 years’ IT experience. A member of
“Who’s Who in Finance and Industry,” Mr. Barr has designed, developed, and
deployed business continuity plans for a number of Fortune 500 firms. He
is the author of several books, including How to Succeed in Business
BY Really Trying
, a member of Faulkner’s Advisory Panel, and a
senior editor for Faulkner’s Security Management Practices.
Mr. Barr can be reached via email at jgbarr@faulkner.com.

[return to top of this