Identifying Opportunities, Challenges, and Right Solutions in Governance, Risk & Compliance

Let’s start with the basics: Governance, risk, and compliance (GRC), in layman’s terms, can be defined as the umbrella of strategic efforts by an organization to manage its overall functional structure, the risks that are borne out of its functional and structural elements, and to comply with all the laws and regulations applicable to the organization for the time being in force. GRC is an information technology-based approach that synchronizes effectively with the business objectives, managing the risks affecting the business and complying with the regulatory requirements.

‍

Governance in GRC means the hierarchy created in an organization mentioning who is responsible for which decisions in the organization. Also, it defines who the senior executives that manage and control the organizations are and the decision-making powers they are endowed with. Hence, it is paramount that the information that reaches top management executives is sufficient, accurate, and made available to them on time. It involves ensuring that business activities, such as managing IT operations, are aligned with the organization’s business goals.

‍

Risk management in GRC is a set of activities in an organization that identifies and analyzes the inherent risks in the business and other potential risks that might affect the structural and functional foundations of the enterprise adversely. The activities that fall under risk management are put in place to mitigate such risk factors. It includes a comprehensive IT risk management process that is in sync with the organization’s enterprise risk management function.

‍

Compliance in GRC means having activities that focus on making sure that all laws and regulations applicable to business are followed. And, in cases where there has been any lag in the same, rapid corrective actions are taken, and controls are kept in place to not repeat a similar mistake. It includes ensuring that the IT systems and the data contained in those systems are secured and used as per regulatory norms.

‍

Some research and publication houses (mis)characterize what GRC is about by pushing it solely to compliance. However, the long-standing official definition of GRC found in the OCEG GRC Capability Model is that GRC is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].

‍

Current Issues, Trends, and Market Opportunity in GRC

‍

The rapid changes in the regulatory environment and increasing third-party relationships are exposing various business risks. It is well-discussed globally that the last decade could be termed the decade of the ‘compliance boom’ following the GFC.

‍

Also, the traditional functional roles – legal, internal audit, risk management, and compliance professionals – tend to work in silos that are prone to inefficiencies in information exchange and accountability. The problem inflates when the organization continues to use disconnected/disparate solutions for risk management, internal audit, policy management, and compliance. A huge ignorance/complacency to map the organization’s GRC processes to business strategy usually results in hefty compliance fines. This makes implementing GRC processes in the businesses of the modern age very important and necessary. This ever-increasing requirement has made the GRC solutions market an exciting area of play for tech wizards.

‍

The GRC solutions market is almost ten years old now, and buyers have high expectations with GRC software. The main reason for the same being that GRC in current times is not a back-office job; instead, the same is expected to be intuitive and should have an easy-to-use interface owing to its increased emergence as a core business function. The organizations that have implemented in-house GRC activities in the past decade find the same cumbersome and out-of-date compared to the new generation software, which changes as per variations in various factors around them.

‍

The major drivers, considering the current market trend, which motivate a business to adopt GRC technology solutions are as follows:

‍

Constant Change: The regulatory environment is constantly changing nowadays. Also, various political, industrial, and economic factors rapidly change and can create contingencies for businesses anytime. These changes cannot be dealt with the legacy systems or processes, and the same can expose the business to risks that they might not be prepared to deal with.

‍

Increasing associations: Increasing dealings and associations of organizations with third parties and international or foreign parties are creating regulatory and risk exposure for businesses.

‍

Disintegrated Information: The medium and large organizations have multiple departments in their structural framework. The information in these departments is mostly present in a scattered form, and they seldom have a core system to link their information to and produce the required output. To help organizations with the management of such bulk data and, to help them in this cumbersome task of populating data to provide a meaningful output, GRC software is put into place.

‍

Limitations of legacy GRC platforms: The new-age GRC platforms are way better than the legacy systems. The new ones are built with the help of advanced systems and are created to support the business in the rapidly changing environment. The legacy platforms have their own inherent limitations and are too rigid to keep pace with the ever-changing forces of the market.

‍

As per a survey conducted by a GRC 20/20 Research LLC, here are the top eight features that businesses demand as per the current market trend:

‍

• Ease of use
• Affordable price
• Multiple functionalities
• Configurability
• Industry-focused
• Rapid customer service
• Integration capabilities
• Company stability

‍

Also, it has been noted that 38% of the inquiries for implementing GRC activities in their businesses are from large enterprises (i.e., Enterprises having more than 10,001 employees), 51% of the inquiries are from medium enterprises (i.e., enterprises having more than 1001 to 10,000 employees), and the remaining 11% are from small enterprises.

‍

Hence, considering the current market trends and requirements, there’s a huge opportunity for the companies providing a GRC product that can facilitate an automated system, track various activities, and also has the following features:

‍

• Consolidate the information from external and internal sources to create meaningful insights
• Provide such information to middle management on time for fruitful business decisions
• Identify the risks in various activities of a business and suggest controls to mitigate those risks
• It should meet not only current needs but shall also be aligned with the long-term goals of businesses
• Customization in the programming or change in the configuration can be readily done without requiring additional consultancy charges
• It should help in tracking the audit trail, support various workflows and tasks, should be able to identify the person accountable, and should be mostly automated
• Over and above, the above features should be easy to use and cost-effective from a user experience perspective

‍

GRC platforms of the future (some signs of which can be seen in present-day scenarios as well) shall also have various SaaS (Software-as-a-Service) capabilities such as:

‍

• Content management
• Document management
• Data records of input/output done by users and its distribution
• Risk analysis
• Risk and control matrix
• Audit support
• Workflow processes tracking
• Configuration options as per change in regulatory environment
• Dashboards and various reporting functions

‍

The major vendors that provide SaaS capabilities are FixNix, RSA archer, LogicManager, Riskonnect, SAP GRC, ACL GRC, SAI Global Compliance360, MetricStream GRC, BWise GRC, Rsam GRC, and Enablon GRC.

‍

Among these players, some of the full GRC suite providers, such as MetricStream and RSA Archer, are mostly operational risk-focused and targeted at large companies with mature programs. FixNix-like solutions are mostly operational, enterprise risk-focused, modular, and suitable for companies at different compliance maturity levels. We think FixNix is playing in the right market since two-thirds of the GRC solution inquiries are generated by medium and small-sized enterprises.

‍

GRC Market in North America

‍

North America has the highest global market share in GRC services, as approximately 42% of the inquiries for GRC services arise from North America. The global GRC market is expected to grow from the present $31.5 billion in 2019 to $51.5 billion by 2024 (based on the compounded annual growth rate of 10.3%). North America contributes the maximum in generating revenue for the GRC market. The region is noticing significant developments in the field of GRC. A number of vendors in the region are developing innovative products and solutions with the help of advanced technologies. These technologies include Natural Language Processing and Machine Learning, along with other advanced analytical tools. The growing business complexities and frequently changing regulatory environment in the region have created a high demand for GRC products. FixNix is one of the key players in the North American market that is gaining popularity for its strong product offerings. In 2018, we recognized this player as one of the leading players in the RegTech landscape. Hence, we are revisiting them to understand their growth, product suite, achievements, and growth plan.

‍