2020 08 State of The GRC Market

2020-08

2020 State of the GRC Market


Analysis, Sizing, Forecasting & COVID-19 Impact

MARKET RESEARCH BRIEFING


Governance, Risk Management & Compliance Insight
Terms & Conditions . . .

• GRC 20/20 Research Briefings are copyrighted and protected material. Content cannot be reused or distributed without written permission from GRC 20/20 Research, LLC.

• GRC Advisor Enterprise Subscribers get access to live and recorded Research Briefings for all employees for INTERNAL use only through the GRC 20/20 website. If they wish to have a recording to host internally there is a fee for this.

• Others pay for either individual or group access to specific GRC 20/20 Research Briefings. Individual access is for the individual only and slides or login are not to be shared with others or viewed as a group.

© GRC 20/20 Research, LLC • www.GRC2020.com 2


Two Things to Note . . .

Complimentary Inquiry

§ Organizations evaluating or considering GRC solutions are free to ask GRC 20/20 about our understanding and comparison of solutions in the market to meet your GRC requirements.
§ Inquiries are single-focused questions that can be answered in under 30 minutes.
§ Complimentary inquiry is only available to organizations evaluating or considering GRC solutions for their internal use.

RFP Development & Support

§ GRC 20/20 has an extensive library of RFP requirements across a range of GRC capability areas presented in this presentation.
§ GRC 20/20 can be engaged in RFP development and support projects to streamline your process, gain perspectives learned from other organizations, and keep solution providers honest in their responses.



Our Objectives . . .

1) GRC Market Definition & Overview

2) GRC Market Segmentation & Sizing

3) GRC Market Drivers & Trends

4) GRC Technology Advice & Directions



Navigating Chaos
The Chaos of GRC Interconnectedness

Realize that everything connects to everything else.


- Leonardo da Vinci
Are you truly aware of your risk? Removing silos to truly see risk . . .

I never saw a wreck and never have been wrecked, nor was I ever in a predicament that threatened to end in a disaster. I cannot conceive of any vital disaster happening to this vessel.
- E.J. Smith, Captain of the Titanic



The more we study the major problems of our time, the more we
come to realise that they cannot be understood in isolation. They
are systemic problems, which means that they are
interconnected and interdependent.
- Physicist Fritjof Capra
© GRC 20/20 Research, LLC • www.GRC2020.com 8
Regulatory Activity in Financial Services 2008 to 2018

Source: Thomson Reuters Regulatory Intelligence – Cost of Compliance



Inevitability of Failure: Too Many Approaches
There are too many departments sending too many
communications in different formats. GRC management is
buried in documents, spreadsheets & emails.
• Wasted resources through redundancy & overlap
• Excessive emails, documents, and paper trails
• Poor visibility & reporting
• Files and documents out of sync
• Overwhelming complexity
• Lack of accountability



Confusing Conundrum of GRC Management Processes & Information

The Winchester Mystery House


• 160 rooms
• 47 fireplaces
• 6 kitchens
• 10,000 windows
• 65 doors to blank walls
• 13 staircases abandoned
• 25 skylights – in floors
• 147 builders/no architects
• Built without a blueprint
• $5.5 million over 38 years



. . . And We Hope Nothing Fails
• Inability to gain a clear view of GRC information interdependencies;
• High cost of consolidating GRC information;
• Difficulty maintaining accurate GRC information;
• Failure to trend across GRC assessment periods;
• Redundant approaches limit correlation, comparison and integration of GRC information; and
• Lack of agility to respond in a timely manner to changing risks, regulations, laws, and situations.
The Organization Has to be Able to See . . .
• The Tree. The individual area of risk
• The Forest. The interconnectedness of risk



GRC in Transition: From Old Ways to New Ways




The Official Definition of GRC . . .

GRC is a capability that enables an organization to:
G) reliably achieve objectives
R) address uncertainty and
C) act with integrity.
SOURCE: OCEG GRC Capability Model



Governance, Risk Management & Compliance in Context

Governance
Governance sets direction and strategy for the organization to reliably achieve objectives. Governance sets the context for risk management; without context, risk management fails.

Risk Management
Risk management seeks to manage and understand uncertainty by identification, assessment, and monitoring of risk within context to act on risk through acceptance, avoidance, mitigation, or transfer.

Compliance
Compliance aims to see that the organization acts with integrity in fulfilling its regulatory, contractual, and self-imposed obligations and values. Compliance follows through on risk treatment plans to assure that risk is being managed within limits and controls are in place and functioning.
Change is the Greatest Challenge Impacting GRC Management

Regulatory/Legal Change
Monitor change in the legal and regulatory environment to determine how pending legislation, court decisions, new/changing regulations, and enforcement actions affect current and needed policies.

Internal Risk/Business Change
Monitor changes to the internal environment to identify how changes to strategy, mergers & acquisitions, processes, technology, business relationships, and employees affect current and needed policies.

External Risk Change
Monitor change in the external risk environment to determine how uncertainty in economic, geo-political, environmental, industry, societal, and market forces affect current and needed policies.

(OCEG illustration labels: Regulations, Court Rulings, Legislation, Enforcement; Mergers & Acquisitions, Business Relationships, Employees, Technology, Processes, IT, Strategy, Financial; Market Forces, Competitive Position, Geo-Political Forces, Industry, Societal Forces; Monitor.)

©2012 OCEG. Contact Carole S. Switzer cswitzer@oceg.org for comments, reprints or licensing requests; visit www.oceg.org for other installments in the Anti-Corruption Illustrated Series.
Monitoring for Context Changes that Impact GRC

(OCEG illustration of external and internal context factors: Regulatory & Legal, Enforcement, Industry Practices, Economics / Geo-Politics, External Controls, Stakeholder Views, Societal / Environmental, Standards, Technology Advancements, Market Demands, Third Party Requirements, Governance and Tone, Risk Tolerance, Strategic and Operating Plans, Training and Workforce, Communication, Culture, Risks and Performance, Controls.)

©OCEG, Contact support@oceg.org for comments, reprints or licensing



Keeping Policies Current

(OCEG illustration: Mission, Vision, Values, Strategy; Principled Performance; Risk Assessment (likelihood, impact); Identified Policies; Processes; Roles.)

©OCEG, Contact support@oceg.org for comments, reprints or licensing

Varying Levels of GRC Management

Enterprise: top-down federated GRC management strategy across the entire organization.
Division / Business Unit: division or business unit management strategy.
Department / Function / Process: management being done at a department, function, or process level.
Risk / Regulation / Issue: managed in context of a specific focus, regulation, or issue.
What is Your Approach to GRC Management?

Distributed GRC Management
§ Disconnected departments managing GRC related activities in different ways with little or no collaboration with other departments

Federated GRC Management
§ An integrated approach that balances GRC management centralization with distributed participation and collaboration



GRC Strategy Within Organizations

GRC Strategy

GRC Process

GRC Information

GRC Technology



360° GRC Contextual Analytics & Intelligence Capabilities

(Diagram, bottom to top: Distributed & Disconnected GRC Data Points; Integrated and mapped together to provide context; Analyzed to understand relationships; Action Items.)



GRC Information Architecture Provides 360° Contextual Intelligence

(Diagram of the GRC information architecture: Objectives - strategic, department, process; Organization - entity, process, asset; Risks - strategic, operational, financial; Obligations - regulatory, contractual, values; Controls - preventive, detective, corrective; Policies - code of conduct, policies & procedures, training & awareness; Issues - complaint, event, investigation; Roles - owner, subject matter expert, employee.)

BENEFITS

higher quality information
Integrating GRC information allows management to make more intelligent decisions, more rapidly.

process optimization
All non-value-added activities are eliminated and value-added activities are streamlined to reduce lag time and undesirable variation.

better capital allocation
Identifying areas where there are redundancies or inefficiencies allows financial and human capital to be allocated more effectively.

improved effectiveness
Overall effectiveness is improved as gaps are closed, unnecessary redundancy is reduced, and GRC activities are allocated to the right individuals and departments.

protected reputation
Reputation is protected and enhanced because risks are managed more effectively.

reduced costs
Reduced costs help to improve return on investments made in GRC activities.
©2012 OCEG, Permission by OCEG is required for reproduction and/or use of material
From GRC 1.0 to GRC 5.0: A History of Technology for GRC

GRC 1.0 - SOX Captivity (2002 - 2007)
GRC 2.0 - Enterprise GRC (2007 - 2012)
GRC 3.0 - GRC Architecture (2012 - 2017)
GRC 4.0 - Agile GRC (2017 - 2021)
GRC 5.0 - Cognitive GRC (2021+)



Components of Agile GRC Technology

• Usability
• Cost of Ownership
• Configurability
• Scalability
• Adaptability
• Integration
• Analytics
• A.I.
• Future Proof
• Robotic Process Automation
• Feature/Functionality



Benefits of 360° Contextual Awareness of GRC

(Cycle around GRC: 1 Aware, 2 Aligned, 3 Responsive, 4 Agile, 5 Resilient, 6 Efficient.)





The GRC Market: Technology, Information,& Professional Services
GRC Technology Solutions
850+ technology solution providers
that offer solutions related to GRC

GRC Intelligence & Content Solutions


150+ providers with 400+
content/intelligence solutions across a
range of GRC areas

GRC Professional Services Solutions


1,000+ professional service firms
offering services related to GRC



GRC Technology Market: Different Types of Technology

Platforms
Platforms provide a breadth of capabilities that span solution areas in a segment, enabling them to be a platform to manage a GRC segment extensively.

Solutions
Solutions are technologies that are more focused in what they do. They tend to solve specific problems and come at a segment from a narrower perspective. They can complement a platform or run independently from it.

Tools
Tools are technologies that assist or enable a segment, but do not fit adequately in any of the definitions for platforms or solutions. Every GRC segment has a Miscellaneous Tools category to catch all the related technologies that assist and add value, but do not have enough market presence in a segment to get their own solution or platform identification.



Basic, Common & Advanced Solutions

(Chart axes: Technology Capabilities, low to high; Value to Organization and Cost to Implement, low to high.)

Advanced
§ Solutions that go beyond common features and distinguish themselves with a varying array of advanced capabilities.

Common
§ Solutions with features that are commonly found in the market across primary competitors in the segment.

Basic
§ Solutions that have the basic elements needed, but are not as feature rich as solutions that have a lot of market traction.



GRC Technology Market Segment Definitions
GRC Technology Segment Description

Enterprise GRC Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture.

Audit Management Capability to manage audit planning, staff, documentation, execution/field work, findings, reporting, and analytics.

Control Monitoring & Enforcement Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.

Business Continuity Management Capability to manage, maintain, and test continuity and disaster plans, and implement these plans during expected and unexpected disruptions to all areas of operation.

Compliance & Ethics Management Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report.

Environmental Management Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.

Health & Safety Management Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.

Internal Control Management Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization.

IT GRC Management Capability to govern IT in context of business objectives and manage IT process, technology, and information risk and compliance.

Issue Reporting & Management Capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.

Legal Management Capability to manage, monitor, and report on the organization’s legal operations, processes, matters, risks, and activities.

Physical Security Management Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.

Policy & Training Management Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures and related awareness activities.

Quality Management Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.

Risk Management Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects.

Strategy & Performance Management Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.

Third Party Management Capability to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly risk and compliance challenges these relationships bring.



New Segments GRC 20/20 is Working on Adding into Market Model

• ESG (Environmental & Social Governance/Corporate Social


Responsibility).
– Capability to document, manage, monitor, assess, and attest to the corporate social
responsibility, accountability, and sustainability initiatives of the organization.
• Finance GRC Management.
– Capability to manage, monitor, and report on the organization’s financial controls and
reporting.
• HR GRC Management.
– Capability to govern human resources and manage HR processes in context of risk and compliance.
• Know Your Customer Management & Analytics.
– Capability to manage, analyze, monitor, and report on KYC and AML risks and exposure.
• Legal GRC Management.
– Capability to govern, manage, monitor, and report on the organization’s legal operations,
processes, matters, risks, and activities.
GRC Intelligence Market Segment Definitions
GRC Intelligence Segment Description

Audit Content & Intelligence Content providers of audit templates, forms, and intelligence.

Business Continuity Content & Intelligence Content providers of business continuity templates, forms, and intelligence

Compliance Content & Intelligence Content providers of regulatory libraries, regulatory intelligence, compliance forms and templates.

Environmental Content & Intelligence Content providers of environmental intelligence, forms, and templates.

Health & Safety Content & Intelligence Content providers of health & safety libraries, content, forms, and templates.

Internal Control Content & Intelligence Content providers of internal control libraries, forms, and templates.

IT GRC Content & Intelligence Content providers of IT GRC/security control libraries, threat and vulnerability intelligence, forms, and templates.

Legal Content & Intelligence Content providers of legal databases, libraries, legislation tracking, forms, templates, and spend intelligence.

Policy & Training Content & Intelligence Content providers of policy libraries, training courses, and policy and training related content, forms, and templates.

Risk Management Content & Intelligence Content providers of risk intelligence feeds, risk libraries, loss data, risk forms, and templates.

Third Party Management Content & Intelligence Content providers of third party management intelligence, due diligence, watch lists, negative news, ratings, monitoring, forms, and templates

Issue Specific Content & Intelligence Content providers of content and intelligence related to specific issues, regulations, and risks (e.g., bribery/corruption, conflict minerals, labor)

Industry Specific Content & Intelligence Content providers of industry specific content and intelligence.



GRC Professional Services Market Segment Definitions
GRC Professional Services Segment Description

Audit Services Services focused on external audits as well as internal audit staffing and management.

Consulting Services Services focused on GRC related management and strategy consulting.

Legal Services Services focused on legal matters and advice related to GRC.

Outsourced Services Services that are outsourced such as specific GRC functions, monitoring, certification, etc.

Systems Integration Services Services focused on implementation, build out, and development of GRC related information and technology architecture and solutions.



GRC Technology Market Segment Sizing & Forecast
GRC Technology Segment | 2019 Software Market Size | Forecasted CAGR Growth

Enterprise GRC $2,013 Million 15 to 20%

Audit Management & Analytics $535 Million 10 to 15%

Automated Control $694 Million 10 to 15%

Business Continuity Management $277 Million 20 to 25%

Compliance Management $744 Million 15 to 20%

EH&S Management $1,192 Million 15 to 20%

Internal Control Management $587 Million 10 to 15%

IT GRC Management $868 Million 15 to 20%

Issue Reporting & Management $508 Million 15 to 20%

Legal Management $416 Million 10 to 15%

Physical Security Management TBD

Policy & Training Management $455 Million 20 to 25%

Quality Management $1,189 Million 10 to 15%

Risk Management $2,975 Million 20 to 25%

Strategy & Performance Management TBD

Third Party Management $549 Million 20 to 25%



GRC Technology Market Size: How Big is Big?

Broader Market Size – GRC Technology Market (not Content or Professional Services)
NOTE: assumes a 20% overlap in market size estimates across segments (the total of all segment sizes in the table above is $13,002 Million, about $13.0 Billion)

$100+B – Broadest view of the market, when considering a broader view of the GRC ecosystem, including Physical Security, IT Security, Identity & Access, eDiscovery, Third Party Lifecycle, and more.

$10.4 B – Broader GRC technology market, after removing the assumed 20% overlap between segments.

$2.01 B – Current market size for Enterprise GRC Platforms. Note, this is the market for enterprise GRC platforms; many vendors providing these platforms are also selling to specific areas.



Parts of the Market Most Positively Impacted from COVID-19

• EH&S Management
• IT GRC/Security Management
• Operational Resiliency – BCM and Risk
Management
– Going forward, during crisis not as much
• Policy & Training Management
• Third Party GRC Management
2020 – Overall Market by Geography

(Pie chart of market share by region: 44%, 37%, 5%, 5%, 5%, 2%, 2%; the region labels were not captured with the chart.)


GRC Technology Market: Enterprise GRC Platforms & Architecture

Segment categories: Enterprise GRC Platforms; GRC Data Integration Solutions; GRC Analytics & Reporting Solutions; Organization & Process Modeling Solutions; Miscellaneous GRC Platform & Architecture Tools.

Enterprise GRC Platform & Architecture technologies deliver a range of cross-department functionality across GRC functional areas into an integrated technology ecosystem. For some this is a single GRC platform for the entire organization. For others it is an integrated architecture in which there can be a core platform that often extends and integrates into a range of other solutions and data sources.

To be an Enterprise GRC Platform requires a single platform architecture that has multi-department (e.g., enterprise wide) use across the following areas, at a minimum:
– Enterprise/Operational Risk Management
– Compliance Management
– Internal Control Management
– Issue Management (e.g., incident, case, investigations)
– NOTE: most Enterprise GRC Platforms offer a range of additional modules beyond these.



What Are the Critical Components of Your GRC Platform?

(Diagram grouping modules by how often they appear in Enterprise GRC RFPs: in 100%, in 50 to 99%, and in 1 to 49% of RFPs. Modules shown: Automated Controls, Risk Management, Business Continuity Management, Audit Management, Legal Management, Compliance Management, Health & Safety Management, Policy Management, Physical Security Management, Internal Control Management, Environmental Management, Strategy & Performance Management, Third Party Management, Issue Management, Quality Management, IT GRC.)
GRC Technology Market: Audit Management & Analytics

Segment categories: Audit Management Platforms; Audit Analytic Solutions; Miscellaneous Audit Tools.

Audit Management & Analytic technologies are used by auditors to manage and perform audits.
– Audit management solutions are used to manage audit cycles – this includes audit planning, resource scheduling/calendaring, work paper management, audit execution, audit process management, and audit reporting. They also support a risk-based approach to audit planning to prioritize audits based on the risk to the business.
– Audit analytic solutions utilize data analytics and continuous auditing (automated control enforcement & monitoring) to extract insights from operational and financial data to assist in audits and provide assurance.



GRC Technology Market: Automated Control Enforcement & Monitoring

Segment categories: Transactions Control Solutions; Configuration Control Solutions; Fraud & Corruption Control Solutions; Segregation of Duty Control Solutions; Master Data Control Solutions; Identity & Access Control Solutions; Process Control Solutions; End User Computing Control Solutions; Social Media Monitoring Solutions; Miscellaneous Automated Control Tools.

Automated Control Enforcement & Monitoring technologies provide the ability to automatically and continuously monitor, enforce, test, assess, and report on controls within the organization. This category of software is also often referred to as Continuous Control Monitoring (CCM) or Automated Controls. This includes the capability to test, on a continuing or periodic basis, data and activity against defined rules to identify and report potential errors, the failure of controls, or inappropriate actions – including tests of business transactions, network activity, intrusion attempts, the sharing of confidential information or intellectual property, systems access, etc. Also included in this area is the ability to do GRC data analytics, monitoring, and mining.
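The rule-based testing of transactions that this segment describes, shown as an added example that is not part of the GRC 20/20 briefing and not any vendor's product: three hypothetical controls (a segregation-of-duties check on purchase orders, an approval-limit check, and a master-data check for payments made shortly after a vendor's bank details change) are run over a constructed purchase-to-pay event log and return findings tagged with a control ID. The control IDs, the approval limits, the seven-day window and every log entry are assumptions made for the example.

```python
"""Rule-based continuous control monitoring (CCM) over a constructed
purchase-to-pay event log. Added example: control IDs, limits and the
log itself are assumptions, not data from the briefing or a vendor."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    kind: str      # "po_create", "po_approve", "payment", "vendor_bank_change"
    user: str
    vendor: str
    amount: float
    ref: str       # PO number the event relates to ("" for vendor master changes)
    when: date


# Constructed sample event log (assumption, not real transaction data).
SAMPLE_LOG = [
    Txn("t1", "po_create",          "alice", "V100",  4_000.0, "PO-1", date(2020, 3, 2)),
    Txn("t2", "po_approve",         "bob",   "V100",  4_000.0, "PO-1", date(2020, 3, 3)),
    Txn("t3", "payment",            "carol", "V100",  4_000.0, "PO-1", date(2020, 3, 9)),
    Txn("t4", "po_create",          "dave",  "V200", 12_500.0, "PO-2", date(2020, 3, 4)),
    Txn("t5", "po_approve",         "dave",  "V200", 12_500.0, "PO-2", date(2020, 3, 4)),  # creator approves own PO
    Txn("t6", "vendor_bank_change", "erin",  "V200",      0.0, "",     date(2020, 3, 5)),
    Txn("t7", "payment",            "carol", "V200", 12_500.0, "PO-2", date(2020, 3, 8)),  # paid 3 days after bank change
    Txn("t8", "po_approve",         "bob",   "V300", 30_000.0, "PO-3", date(2020, 3, 6)),  # above bob's limit
]

# Assumed policy values: delegated approval limits and the look-back window.
APPROVAL_LIMITS = {"bob": 25_000.0, "dave": 50_000.0}
BANK_CHANGE_WINDOW = timedelta(days=7)


def sod_create_approve(log):
    """CTRL-SOD-01 (assumed ID): the user who created a PO must not approve it."""
    creators = {t.ref: t.user for t in log if t.kind == "po_create"}
    return [("CTRL-SOD-01", t.txn_id, f"{t.user} created and approved {t.ref}")
            for t in log if t.kind == "po_approve" and creators.get(t.ref) == t.user]


def approval_limit(log, limits=APPROVAL_LIMITS):
    """CTRL-AUTH-02 (assumed ID): approvals above the approver's delegated limit.
    A user with no configured limit is treated as having a limit of zero."""
    return [("CTRL-AUTH-02", t.txn_id,
             f"{t.user} approved {t.amount:.0f} > limit {limits.get(t.user, 0):.0f}")
            for t in log if t.kind == "po_approve" and t.amount > limits.get(t.user, 0.0)]


def payment_after_bank_change(log, window=BANK_CHANGE_WINDOW):
    """CTRL-MDM-03 (assumed ID): a payment to a vendor within `window` days
    after that vendor's bank details were changed."""
    changes = [t for t in log if t.kind == "vendor_bank_change"]
    findings = []
    for p in (t for t in log if t.kind == "payment"):
        for c in changes:
            if c.vendor == p.vendor and timedelta(0) <= p.when - c.when <= window:
                findings.append(("CTRL-MDM-03", p.txn_id,
                                 f"payment to {p.vendor} {(p.when - c.when).days}d "
                                 f"after bank change by {c.user}"))
    return findings


CONTROLS = (sod_create_approve, approval_limit, payment_after_bank_change)


def run_controls(log):
    """Run every control over the log; return (control_id, txn_id, detail) tuples sorted by txn_id."""
    findings = []
    for control in CONTROLS:
        findings.extend(control(log))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for control_id, txn_id, detail in run_controls(SAMPLE_LOG):
        print(f"{control_id} {txn_id}: {detail}")
```

Each control is a pure function over the event log, which is what makes it runnable on a schedule (periodic testing) or on every new event (continuous testing); adding a rule means adding one function to CONTROLS, and a finding carries the control ID so it can be routed into issue management as the segment description anticipates.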



GRC Technology Market: Business Continuity Management

Segment categories: Continuity Planning & Management Platforms; Crisis Response Solutions; Disaster Recovery Solutions; Miscellaneous Business Continuity Tools.

Business Continuity technologies model, record and direct the responsibilities, plans, actions and execution of continuity and disaster plans, testing of operating procedures, alternatives, information back-ups, data recovery and restoration processes during expected and unexpected disruptions to all areas of operation.

• Moving to Operational Resiliency, which is part of the risk management market



GRC Technology Market: Compliance Management

Segment categories: Compliance Management Platforms; Compliance Assessment Solutions; Regulatory Change Management Solutions; Stakeholder & Regulatory Interaction Solutions; Compliance Forms, Reporting & Filing Solutions; Social Responsibility & Reporting Solutions; Miscellaneous Compliance Tools.

Compliance Management technologies support the overall coordination of legal, regulatory, contractual, values, ethics, and corporate obligations and responsibilities with associated compliance documentation, assessments, tasks, and records. This includes the ability to monitor, document, and manage changes to the regulatory environment and other obligations; to document all obligations of the organization; to perform compliance assessments against obligations; to manage regulator and stakeholder interactions on compliance; and to report on the state of compliance to regulators and stakeholders.



GRC Technology Market: Environmental Management

Segment categories: Environmental Management Platforms; Air, Water, Waste Management Solutions; Chemical Management Solutions; Energy & Carbon Management Solutions; Land Use & Permit Solutions; Sustainability & Environmental Reporting Solutions; Miscellaneous Environmental Tools.

Environmental Management technologies help monitor, analyze, record, and report organizational activity focused on compliance with environmental laws and regulations, related corporate policy for managing environmental controls and conditions, and assessing the environmental impact of the corporation’s operations, strategies, and plans.



GRC Technology Market: Health & Safety

Segment categories: Health & Safety Management Platforms; Health & Safety Forms & Document Solutions; Health & Safety Incident Solutions; Occupational Safety Solutions; Hazard Analysis Solutions; Chemical Management & Labeling Solutions; Miscellaneous Health & Safety Tools.

Health & Safety technologies manage the regulatory and policy-based guidelines and processes for protecting and reporting on the workforce, workplace, resources-under-management and external environment impacted by an organization’s activities.



GRC Technology Market: Internal Control Management

Segment categories: Internal Control Management Platforms; Financial Close & Reporting Solutions; Internal Control Reporting Solutions; Miscellaneous Internal Control Tools.

Internal Control Management technologies provide the ability to define, document, map, monitor, test, assess, and report on controls within the organization, including process and systems documentation. These solutions document internal controls, provide control assessments/self-assessments, and manage this through workflow, tasks, and reporting.



GRC Technology Market: IT GRC Management

Segment categories: IT GRC Platforms; Asset Discovery & Management Solutions; IT Project, Change & Service Delivery Solutions; Vulnerability & Threat Management Solutions; IT Incident & Event Management Solutions; Security Event & Information Mgmt Solutions; IT Security Solutions; Miscellaneous IT GRC Tools.

IT GRC Management technologies are used to govern and direct information and technology (IT) strategies in the context of business. The governance function of IT is the alignment, strategy, and direction of IT to support the business. A core component of IT GRC Solutions is the ability to manage and monitor security, risk, and compliance across IT systems throughout the organization and across significant business relationships.



GRC Technology Market: Issue Reporting & Management

Segment categories: Incident/Investigations Management Platforms; Hotline & Issue Intake Solutions; Corrective Action/Preventive Action Solutions; Complaint Management Solutions; Forensics & Evidence Collection Solutions; Impact & Loss Analysis Solutions; Miscellaneous Issue Reporting & Mgmt Tools.

Issue Reporting & Management technologies provide issue intake and investigations management. Issue reporting solutions (e.g. hotline, whistleblower) provide a confidential, independent resource for individuals to report observations related to issues as well as potential acts of fraud, theft, inappropriate or illegal behavior, negligence or other impropriety. Investigations management solutions are used to manage investigations, issues, incidents, events, or cases: they specifically provide consistent documentation and processes for the management of events, from reporting, to managing and documenting the investigation, to recording the loss and business impact.



GRC Technology Market: Legal Management

Legal Management technologies administer the collection of facts related to events and legal cases under investigation, for use in verifying their circumstances, in order to provide valid information for testing by independent parties with confidence that the information provided is related to these events. Discovery tools assist in managing and communicating discovery holds and in uncovering, segmenting, organizing and storing electronic forms of evidence that can be used in an investigation, both before and after the occurrence of the related events, including tools that separate potential discovery documents from their original locations and repositories. This category also includes systems for retention management that integrate with content/document systems to manage the storage, disposition, and retention of information.

Legal Management Platforms
Matter Management Solutions
Legal Spend Management Solutions
Discovery / eDiscovery Solutions
Claims Defense & Legal Discovery Solutions
Contract Management Solutions
Board & Entity Management Solutions
Intellectual Property Management Solutions
Legal Research & Analytic Solutions
Miscellaneous Legal Management Tools


GRC Technology Market: Physical Security Management

Physical Security Management technologies enhance the protection of physical assets and individuals, and the authorization and monitoring of access to an organization's facilities and property. This category also includes systems to manage physical loss and theft.

Physical Security Management Platforms
Physical Asset Management Solutions
Surveillance & Monitoring Solutions
Physical Loss Management Solutions
Miscellaneous Physical Security Tools


GRC Technology Market: Policy & Training Management

Policy & Training Management technologies manage the development, approval, distribution, communication, forms, maintenance, and records of organization policies, standards, procedures, guidelines and related training and awareness activities. This includes solutions used to train employees and extended business relationships on policy and risk areas. Elements of gamification, eLearning, learning management, and document/content management are part of this segment from a GRC perspective. Forms and disclosure management solutions (e.g., conflict of interest, gifts & entertainment/hospitality) are included in this segment as they relate to and support organization policies.

Policy & Training Management Platforms
Policy Management Solutions
Training Management Solutions
Policy Forms & Disclosure Solutions
Training & Gamification Solutions
Miscellaneous Policy & Training Mgmt Tools


GRC Technology Market: Quality Management

Quality Management technologies record, benchmark, track and manage activity related to product and service quality assessments and certifications, production failures, product recalls, design and delivery improvements, and their related regulatory guidelines.

Quality Management Platforms
Non-Conformance & Variance Solutions
Equipment Management Solutions
Product Regulation & Labeling Solutions
Corrective Action/Preventive Action Solutions
Miscellaneous Quality Management Tools


GRC Technology Market: Risk Management

Risk Management technologies support the identification, assessment, evaluation, response, and monitoring of risks and opportunities across the organization. This includes the ability to monitor changes in the external and internal context to alert an organization to changing risk conditions (e.g., geo-political, economic, competitor, technology, and natural disaster) that can impact the business. These systems help identify specific causes and execute historical review, simulation, interpretation and projection of impacts on an organization's operations or assets, given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously. This category includes enterprise risk management systems, operational risk management systems, and specialized risk applications.

Finance/Treasury Risk Management involves an array of applications and systems used to identify and manage the risk factors, causes and response procedures in an organization's financial and treasury management. These include risk technology focused on specific areas such as liquidity, credit, market, and commodity risk management that help identify risk and execute historical review, simulation, interpretation and projection of impacts on an organization's financial assets, given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously.

Enterprise & Operational Risk Mgmt Platforms
Risk Assessment Solutions
Finance & Treasury Risk Management Solutions
Insurance Risk & Claims Management Solutions
Risk Analytics & Modeling Solutions
Model Risk Management Solutions
Project Risk Management Solutions
Loss Collection & Analytic Solutions
Miscellaneous Risk Management Tools


GRC Technology Market: Strategy, Performance & Process Management

Strategy, Performance & Process Management technologies include solutions for identifying and managing corporate strategies, goals, and objectives and cascading them through the organization; optimizing operational and financial performance against those objectives; and providing valuable information for decision-making and reporting purposes.

Strategy, Performance & Process Platforms
Performance & Objective Management Solutions
Enterprise Architecture & Process Modeling Solutions
Enterprise Asset Management Solutions
Enterprise Change Management Solutions
Enterprise Intelligence & Analytic Solutions
Miscellaneous Strategy & Process Mgmt Tools


GRC Technology Market: Third Party Management

Third Party Management technologies give organizations the ability to govern third party relationships (e.g., vendor, supplier, contractor, consultant, service provider, outsourcer, agent) and the lifecycle of onboarding, contracts, due diligence screening, performance monitoring, risk management, compliance management, quality and service level management, and off-boarding. The third party GRC specific solutions record and maintain the communication, attestation, and assessment of policies, contractual compliance, risk and compliance assessments, and audits across extended business relationships. Third party screening solutions are used to vet third parties and validate them against databases such as politically exposed persons, watch lists, social accountability, and more.

Third Party Management Platforms
Third Party Risk Management Solutions
Procurement & ERP Third Party Solutions
Screening & Due Diligence Solutions
Miscellaneous Third Party Management Tools




Drivers & Trends: Enterprise GRC

Drivers

1) Constant Change: Exponential growth in regulatory, risk and business change is leaving scattered GRC processes and information constantly behind and exposing the organization.

2) Growing Relationships: The growing array of third party relationships, with increased regulatory and risk exposure, is bearing down on organizations to include them in GRC strategies.

3) Scattered Information & Platforms: Many organizations still find they are encumbered by silos of disconnected information, and often have several disconnected GRC platforms in different areas.

4) Growing Beyond Initial GRC Platforms: Those that implemented a GRC platform in the past decade often find that the solution is out of date and cumbersome to use when compared to the new generation of solutions.

5) Need for External GRC Content: There is growing demand and need for the integration of external content and intelligence feeds into the GRC architecture.

Trends

1) GRC Architecture: No platform does everything. Organizations are looking toward an information and technology architecture that integrates GRC, though there often is one central core platform.

2) Integration: Enterprise GRC Platforms are no longer self-contained solutions to manage GRC workflow and tasks; they require strong integration capabilities into a range of business systems.

3) Best of Breed Where it Makes Sense: In a GRC architecture approach, organizations are looking toward a common hub and core for Enterprise GRC but allow for best of breed solutions where they make sense.

4) Business Process Modeling: There is growing demand in RFPs for GRC solutions to have business process modeling capabilities to visually lay out and document how business processes function in a GRC context.

5) GRC Mobility & Engagement: Enterprise GRC is no longer for the back-office but needs to be intuitive and easy to use for the front-office. New releases are showing improved user interface and mobility options.


GRC 20/20 Inquiries by Role

Compliance: 34%
Risk Management: 32%
IT: 13%
Internal Audit: 13%
Other: 8%


GRC 20/20 Inquiries by Geography (map chart)

Regions shown: North America, Europe, Asia, Central/South America, Middle East, Oceania, Africa. Shares shown on the chart: 42%, 38%, 6%, 5%, 4%, 3%, 2%.


Inquiries by Organization Size

Large Enterprise (10,001+ employees): 41%
Medium Enterprise (1,001 to 10,000 employees): 48%
Small Enterprise (1 to 1,000 employees): 11%


Top 8 Criteria Looked for in New GRC Purchases

Ease of Use: 53%
Price: 41%
Functionality: 40%
Configurability: 39%
Industry Focus: 26%
Customer Service: 23%
Integration Capabilities: 21%
Company Stability/Viability: 16%

290 respondents from organizations using or considering GRC solutions/technology.
Current Level of GRC Integration

Our processes and technologies remain largely siloed: 14%
We have standardized some processes and use of technology, but not across the entire enterprise: 39%
We have integrated processes across many organizational silos, but we have not yet completely addressed integrating the technology that supports these processes: 24%
We have integrated processes and technology across many or all organizational silos of operation: 23%

The more integrated you are, the more you share information and use standardized approaches to how you manage and provide assurance about performance, risk and compliance.

Source: OCEG/GRC 20/20 GRC Strategy Survey, 506 respondents from organizations in 2020.
Is there greater GRC integration in your organization today than three years ago?

Yes, substantially more: 25%
Yes, somewhat more: 46%
No, but it is planned: 19%
No, and we have no current plans for change: 10%

Source: OCEG/GRC 20/20 GRC Strategy Survey, 506 respondents from organizations in 2020.
GRC Integration Over the Years (stacked bar chart for 2015, 2017 and 2019; horizontal axis 0 to 100%)

Categories plotted:
We have integrated processes and technology across many or all organizational silos of operation
We have integrated processes across many organizational silos, but we have not yet completely addressed integrating the technology that supports these processes
We have standardized some processes and use of technology, but not across the entire enterprise
Our processes and technologies remain largely siloed

Source: OCEG/GRC 20/20 GRC Strategy Survey, 506 respondents from organizations in 2020.
Which of the following risk areas are managed in part or whole by the GRC processes and technologies applied in your organization?

Risk area             Siloed organizations   Integrated organizations
Reputation Risk               36%                    59%
Legal Risk                    36%                    60%
Financial Risk                57%                    59%
Competitive Risk              22%                    32%
Third Party Risk              35%                    56%
Cyber-Security Risk           46%                    67%
Compliance Risk               73%                    78%
Operational Risk              78%                    84%
Strategy Risk                 33%                    59%

Source: OCEG/GRC 20/20 GRC Strategy Survey, 506 respondents from organizations in 2020.
Satisfaction with GRC Integration Among Those Who Integrated

Where your organization has integrated processes for governance, assurance and/or management of performance, risk and compliance (GRC), the results have:

Provided benefits that exceeded expectations: 19%
Provided benefits that met expectations: 74%
Failed to meet expectations: 7%

Source: OCEG/GRC 20/20 GRC Strategy Survey, 506 respondents from organizations in 2020.
Beneficial outcomes of integrating GRC processes across silos in our organization have included (select all that apply):

Reduced gaps in risk and compliance processes: 74%
Reduction in duplicative activities: 59%
Greater ability to present consolidated, meaningful information and analyses to: 50%
Reduced impact on operations from siloed and uncoordinated risk assessments: 50%
Greater ability to gather information quickly and efficiently: 48%
Greater ability to repeat processes in a consistent manner: 46%
Reduced impact on operations from siloed training on compliance requirements: 31%
Reduced costs of GRC processes: 28%
None of the above: 3%
Other: 2%

Source: OCEG/GRC 20/20 GRC Strategy Survey, 506 respondents from organizations in 2020.
Siloed: What negative effects result from lack of integration of GRC activities in your organization?

Inability to gain a clear view of risks on an enterprise-wide basis: 74%
Failure to effectively understand compliance and operational risks: 60%
Difficulty and time for consolidating and conforming disparate data: 55%
Inability to measure effectiveness of efforts: 54%
Inability to measure and control performance (efficiency, responsiveness, flexibility): 52%
Duplication or redundancy of efforts: 50%
Difficulty of maintaining accurate data: 44%
Failure to provide governing authority with needed information to support decisions: 43%
Unreliable or unreconcilable risk assessment results: 43%
Other: 3%
None of the above: 1%

Source: OCEG/GRC 20/20 GRC Strategy Survey, 506 respondents from organizations in 2020.
Siloed: Negative effects from failure to integrate GRC in our organization give rise to:

Increased general operating cost: 59%
Increased data management cost: 41%
Increased personnel cost: 38%
No quantifiable costs: 26%
Reduced margins: 21%
Higher cost of capital: 21%
Less available or more expensive insurance: 18%
Higher supplier costs: 15%
Other quantifiable costs: 2%
I do not know: 17%

Source: OCEG/GRC 20/20 GRC Strategy Survey, 506 respondents from organizations in 2020.
Siloed: What are the greatest barriers to improving an integrated GRC approach in your organization?

No established strategy for integration efforts: 50%
Lack of champions: 45%
Not knowing how to start or implement: 32%
Inability to secure program/department cooperation: 30%
Inability to secure necessary budget: 28%
Belief it is too complex to undertake integration: 27%
Lack of a compelling business case or method to demonstrate ROI: 26%
Available technology/software not aligned with GRC needs: 12%
Other: 5%
None: 4%

Source: OCEG/GRC 20/20 GRC Strategy Survey, 506 respondents from organizations in 2020.


GRC technology provides automation and tracking

Archive and History. Every policy and its past revisions must be archived for referral at a later time. When an organization experiences an incident or is examined by an external auditor or regulator, it is often necessary to provide positive evidence of policy compliance. Preserving a full view of the policy history and audit trail (including key data points such as the owner, who read it, who was trained, and acceptance acknowledgements and dates for specific policy versions) will help the business assert that the policy control environment is operating effectively.

Metrics. Metrics can provide a solid foundation for continuously refining the organizational policy program. The right metrics will help ensure policies are effective at establishing desired behaviors efficiently, and agile enough to accommodate the demands of a dynamic and distributed environment.

Managing Exceptions. Policy implementation and/or enforcement is not always possible. Exceptions can happen when the organization cannot comply with a policy, when the policy is too subjective, or when it requires excessive clarification. Organizations need processes to authorize, track, monitor and review exceptions. Those who authorize exceptions must have sufficient authority. Limits should be set so exceptions are regularly reviewed and not granted for extended or unreasonable time periods. Exceptions must be documented and available to auditors and regulators upon request. Organizations that demonstrate clear procedures for policy exception management are also better able to defend their policy management processes. Organizations should institute compensating controls as part of exception approval until policy revisions are made or the organization is brought into full compliance.

Implement & Enforce. Even with good communication, policies aren't always followed. Implement controls that enable enforcement. Monitor those controls for effectiveness and adherence. Document and remediate violations, while considering what improvements should be made.

The Benefits of Technology

Accountability: Technology provides a complete picture and defensible audit trail of the 'who, what, when, where, how and why', including the role and actions of each individual.

Automation: Technology enables the automation of workflows and tasks to complete audits and assessments related to policy compliance. No longer is the organization encumbered by unanswered or lost emails or documents that are out of sync.

Consistency: Technology creates a consistent environment to conduct assessments, track issues of non-compliance, and take corrective actions.

Repository: Technology enables policy implementation and enforcement by creating a repository of all policies, procedures, and controls that are cross-referenced with one another and not treated as isolated documents. Technology allows organizations to more easily and efficiently manage their hundreds to thousands of individual documents, especially during audits and assessments.

Integration: Policy communication and training technologies need to integrate into the larger business environment, such as with HR systems, to gain access to employee lists and properly target and communicate policies.

Visibility: Policy communication and training technologies need to be user friendly and intuitive so that users of varying degrees of capability can use the system and understand the policy.

Global Reach: Policy communication and training technologies should have the proper capabilities to meet the language and geographic needs of the organization.

Availability: Policy communication and training technologies need to be accessible across the business, and often beyond to business relationships, so that anyone associated with the organization can easily access the policy and associated training.

Source: OCEG Policy Management Illustrated Series and Anti-Corruption Illustrated Series, ©2012 OCEG; visit www.oceg.org for other installments; contact Carole S. Switzer (cswitzer@oceg.org) for comments, reprints or licensing requests.
Defensible GRC: Qualities of Defensible and Effective Communication and Training

GRC 20/20 overlay: Understand Context, Provide Auditable Records, Meet Requirements, Manage Exceptions, Demonstrate Sequence.

Version (date, time): The organization needs to have an auditable record of the versions of, and communication activities around, its policies to have an effective compliance program.

Ask & Resolve Questions: It is necessary that individuals have a way to get questions answered about policies that remain after training and communication.

Testing: To ensure understanding, the organization should test comprehension of policies to confirm that they have been communicated and understood.

Exceptions: Exceptions to the policy, and to the training/communication plan, are to be documented, approved, and periodically evaluated.

Tracking: The organization should have a complete record of all training and communications of policies so it can show what, when, where, why, and how communication took place.

System of Record / Accessing Past Records: To defend itself and validate an effective compliance/policy program, the organization should be able to produce a complete record of past policy communication and training.

Defensibility: Defending the organization in legal actions requires that a 360-degree history of the policy, interactions and all communications be accessible, with trails that are defensible.

Repeatable Cycle: Policy communication and training is not a one-time effort. To guide behavior and culture, the organization requires consistent communication and training, and learning from previous efforts.

Source: OCEG GRC Illustrated Series (Policy Management and Anti-Corruption installments), ©2012, 2014 and 2017 OCEG; visit www.oceg.org for other graphics in the series; contact info@oceg.org for comments, reprints or licensing requests.
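The auditor's questions raised by the two OCEG graphics above (who acknowledged which policy version and when, whether the trail is complete and unaltered, whether exceptions were approved by someone with sufficient authority and are not left open for unreasonable periods) map onto a small system of record. The following is an added example written for this briefing; it is not code from GRC 20/20, OCEG or any GRC vendor. The policy identifier SEC-001, the actors, the set of roles allowed to approve exceptions and the 90-day review window are assumptions for illustration.

```python
# Added example (not GRC 20/20 or OCEG code): a hash-chained policy audit trail
# that answers who acknowledged which version and when, detects edited records,
# and flags exceptions that are expired or granted for too long.
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import date
from typing import Dict, List, Optional

GENESIS = "0" * 64
# Assumed roles with authority to approve exceptions; real organizations define their own.
EXCEPTION_APPROVERS = {"policy_owner", "ciso", "compliance_officer"}


def _digest(payload: str) -> str:
    return hashlib.sha256(payload.encode()).hexdigest()


def _canonical(body: dict) -> str:
    # Canonical JSON so an identical record always hashes identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


@dataclass(frozen=True)
class Event:
    """One immutable audit record: who, what, when, which policy version, and why."""
    seq: int
    at: str          # ISO-8601 UTC timestamp
    actor: str
    role: str
    action: str      # published | acknowledged | trained | exception_granted
    policy_id: str
    version: str
    detail: dict     # context such as a training score or the exception terms
    prev_hash: str   # hash of the previous record (GENESIS for the first)
    hash: str        # sha256 over every field above


class PolicyAuditTrail:
    """Append-only log; each record commits to its predecessor, so editing or
    deleting any record breaks the chain from that point on."""

    def __init__(self) -> None:
        self.events: List[Event] = []

    def record(self, actor: str, role: str, action: str, policy_id: str,
               version: str, at: str, **detail) -> Event:
        if action == "exception_granted" and role not in EXCEPTION_APPROVERS:
            raise PermissionError(f"role {role!r} may not approve exceptions")
        body = dict(seq=len(self.events), at=at, actor=actor, role=role,
                    action=action, policy_id=policy_id, version=version,
                    detail=detail,
                    prev_hash=self.events[-1].hash if self.events else GENESIS)
        ev = Event(**body, hash=_digest(_canonical(body)))
        self.events.append(ev)
        return ev

    def verify(self) -> Optional[int]:
        """Return the seq of the first broken record, or None if the chain is intact."""
        prev = GENESIS
        for ev in self.events:
            body = asdict(ev)
            stored = body.pop("hash")
            if ev.prev_hash != prev or _digest(_canonical(body)) != stored:
                return ev.seq
            prev = stored
        return None

    def acknowledgements(self, policy_id: str, version: str) -> Dict[str, str]:
        """Who acknowledged this exact policy version, and when."""
        return {ev.actor: ev.at for ev in self.events
                if ev.action == "acknowledged"
                and (ev.policy_id, ev.version) == (policy_id, version)}

    def stale_exceptions(self, as_of: str, max_days: int = 90) -> List[Event]:
        """Exceptions that have expired, or were granted for longer than max_days."""
        today = date.fromisoformat(as_of)
        found = []
        for ev in self.events:
            if ev.action != "exception_granted":
                continue
            granted = date.fromisoformat(ev.at[:10])
            expires = date.fromisoformat(ev.detail["expires"])
            if expires < today or (expires - granted).days > max_days:
                found.append(ev)
        return found


def tampered_copy(trail: PolicyAuditTrail, seq: int, **changes) -> PolicyAuditTrail:
    """Simulate an after-the-fact edit of one record, to show what verify() catches."""
    clone = PolicyAuditTrail()
    clone.events = [replace(ev, **changes) if ev.seq == seq else ev for ev in trail.events]
    return clone


def sample_trail() -> PolicyAuditTrail:
    """Constructed sample records for an assumed policy SEC-001 (not real data)."""
    t = PolicyAuditTrail()
    t.record("cso", "policy_owner", "published", "SEC-001", "2.0", "2020-03-01T09:00:00Z", title="Acceptable Use")
    t.record("alice", "employee", "acknowledged", "SEC-001", "2.0", "2020-03-02T10:15:00Z")
    t.record("bob", "employee", "trained", "SEC-001", "2.0", "2020-03-03T11:00:00Z", score=90)
    t.record("bob", "employee", "acknowledged", "SEC-001", "2.0", "2020-03-03T11:05:00Z")
    t.record("cso", "policy_owner", "exception_granted", "SEC-001", "2.0", "2020-03-10T08:00:00Z",
             subject="legacy-scanner", expires="2020-04-09", compensating_control="network isolation")
    t.record("cso", "policy_owner", "exception_granted", "SEC-001", "2.0", "2020-03-12T08:00:00Z",
             subject="vendor-vpn", expires="2021-03-12", compensating_control="MFA on the VPN")
    return t


if __name__ == "__main__":
    trail = sample_trail()
    print("chain intact:", trail.verify() is None)
    print("acknowledged SEC-001 v2.0:", trail.acknowledgements("SEC-001", "2.0"))
    print("stale exceptions:", [e.detail["subject"] for e in trail.stale_exceptions("2020-03-15")])
    print("first bad record after an edit:", tampered_copy(trail, 1, actor="mallory").verify())
```

The chain only proves that nothing was altered after the fact; it does not prove the log is complete, so in practice the latest hash is periodically anchored somewhere the application cannot write (a signed checkpoint, a separate log store) and the approver check in `record` is backed by the platform's own authorization, not just a list in code.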
GRC Engagement: Bringing GRC to the Front Lines of the Organization

GRC Collaboration: Providing Collaboration on GRC Across the Organization

GRC Operationalization: Integrating GRC Across Systems & Processes

GRC Intelligence: Integration of Actionable Content

GRC Mobility: GRC Engagement Anywhere, Anytime
Key Considerations in Evaluating Enterprise GRC Platforms

Client References: Check client references. Talk to the primary reference, but also ask to talk to someone on their team who uses the solution every day.

Market Presence: Determine if the solution provider has enough market momentum or differentiating technology to be in the market for the long haul.

GRC Strategy: Ensure that the solution provider shares your definition and direction for your strategy, both for today and for tomorrow.

Business Value: The solution needs to demonstrate a clear return of value to the business in efficiency, effectiveness, and agility.

RFP Hype: Test drive the solution and ask direct questions on features, particularly whether the features are natively in the solution or have to be built out.

Solution Reach: Determine if the solution meets your industry and geographic needs so that it can support your operations, languages, and content.

NOTE: these are just a selection of some common elements from GRC 20/20's RFP template, which contains over 1000 requirements for Enterprise GRC Platforms.
Other Considerations in Enterprise GRC Platforms

Cost: What does the solution cost to acquire? Implement? Maintain?

Information Architecture: Is the solution readily configurable and adaptable to your environment? Does it require costly customization, programming, or consultants to adapt?

Ease of Use: Does the solution bring efficiency through ease of use and intuitiveness of the platform?

Integration: Does the solution allow for the right integration points with other analytic, control, and Enterprise GRC solutions?

Security: What is the security architecture of the platform? How does the solution provider resolve security issues in their platform?

Agility: Does the solution meet not only your current needs but also your long term strategy for GRC over the next 3 to 5 years?

NOTE: these are just a selection of some common elements from GRC 20/20's RFP template containing over 1000 requirements for Enterprise GRC Platforms.
Artificial Intelligence in GRC

• Consolidate knowledge from internal and external sources
• Ensure fast times to analysis and answers
• Perform concept-based searching
• Develop and manage rules to identify concepts and topics based on terminology and standards
• Recommend controls based on benchmarks
• Recommend controls for similar regs/obligations
• Answer specific questions and conduct requested research analysis
• Identify and report on trend
• Prevent data drift or duplication
• Compare policies and documents
• Analyze/compare changed and new regulations
• Categorize and recommend actions to an incident
• Map risks and interdependencies

[Diagram: an AI assistant cycle with the caption "I'm continuously learning and making adjustments based on actions and decisions I observe." Recoverable ring labels: INSIGHT-BASED ADJUSTMENT; LANGUAGE/TONE/PATTERN ANALYSIS; CONTINUOUS MONITORING AND ADAPTATION; DATA AGGREGATION/PRIORITIZATION. Remaining ring labels are not recoverable from the slide.]


GRC 20/20 Value Perspective: 3 Angles of GRC Value

Efficiency
ü Financial Capital Savings
ü Human Capital Savings

Effectiveness
ü Design Effectiveness
ü Operational Effectiveness

Agility
ü Agility to Change
ü Responsiveness to Events


Maturing GRC Through 360° Contextual Intelligence Delivers . . .

1. Aware
ü Have a finger on the pulse of business
ü Watch for change in internal & external environment
ü Turn data into information that can be, and is, analyzed
ü Share information in every relevant direction

2. Aligned
ü Support and inform business objectives
ü Continuously align objectives and operations to risk of the entity
ü Give strategic consideration to information from risk management enabling appropriate change
ü Risk management enables decisions and actions that are quick, coordinated and well thought out.

3. Responsive
ü You can't react to something you don't sense
ü Gain greater awareness and understanding of information that drives decisions and actions
ü Improve transparency, but also quickly cut through the morass of data to what you need to know to make the right decisions

4. Agile
ü More than fast, nimble
ü Being fast isn't helpful if you are headed in the wrong direction.
ü Agility allows an entity to use risk to its advantage, grasp strategic opportunities and be confident in its ability to stay on course.

5. Resilient
ü Be able to bounce back quickly from changes in context and threats with limited business impact
ü Have sufficient tolerances to allow for some missteps
ü Have confidence necessary to rapidly adapt and respond to opportunities

6. Lean
ü Build the muscle, trim the fat
ü Get rid of expense from unnecessary duplication, redundancy and misallocation of resources within the risk management
ü Lean the organization overall with enhanced capability and related decisions about application of resources


Questions?

Michael Rasmussen, J.D.
The GRC Pundit & OCEG Fellow
mkras@grc2020.com
+1.888.365.4560

GRC 20/20 Newsletter
LinkedIn: GRC 20/20
LinkedIn: Michael Rasmussen
Twitter: GRCPundit
Blog: GRC Pundit