2020 08 State of The GRC Market
• Others pay for either individual or group access to specific GRC 20/20 Research Briefings. Individual access is for the individual only, and slides or login are not to be shared with others or viewed as a group.
[Figure labels: MONITOR; INDUSTRY, EMPLOYEES, TECHNOLOGY, SOCIETAL FORCES, PROCESSES, IT, STANDARDS; MISSION, VISION, VALUES, STRATEGY; PRINCIPLED PERFORMANCE; LIKELIHOOD, IMPACT]
§ Disconnected departments managing GRC related activities in different ways with little or no collaboration with other departments
§ An integrated approach that balances GRC management centralization with distributed participation and collaboration
[Figure labels: GRC Strategy, GRC Process, GRC Information, GRC Technology. Flow shown: Distributed & Disconnected GRC Data Points -> Integrated and mapped together to provide context -> Analyzed to understand relationships -> Action Items]
GRC 1.0 – SOX Captivity (2002 – 2007)
GRC 2.0 – Enterprise GRC (2007 – 2012)
GRC 3.0 – GRC Architecture (2012 – 2017)
GRC 4.0 – Agile GRC (2017 – 2021)
GRC 5.0 – Cognitive GRC (2021+)
[Figure: Feature/Functionality wheel of GRC attributes: 1 Aware, 2 Aligned, 3 Responsive, 4 Agile, 5 Resilient, 6 Efficient]
Platforms
Solutions
Solutions are technologies that are more focused in what they do. They tend to solve specific problems and come at a segment from a narrower perspective. They can complement a platform or run independently from it.
[Chart: solutions plotted by Value to Organization (low to high) against Cost to Implement (low to high)]
§ Advanced: Solutions that go beyond common features and distinguish themselves with a … capabilities.
§ Common: Solutions with features that are commonly found in the market across primary competitors in the segment.
§ Basic: Solutions that have the basic elements needed, but are not as feature rich as solutions that have a lot of market traction.
Technology segments
Enterprise GRC: Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture.
Audit Management: Capability to manage audit planning, staff, documentation, execution/field work, findings, reporting, and analytics.
Control Monitoring & Enforcement: Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.
Business Continuity Management: Capability to manage, maintain, and test continuity and disaster plans, and implement these plans during expected and unexpected disruptions to all areas of operation.
Compliance & Ethics Management: Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report.
Environmental Management: Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.
Health & Safety Management: Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.
Internal Control Management: Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization.
IT GRC Management: Capability to govern IT in the context of business objectives and manage IT process, technology, and information risk and compliance.
Issue Reporting & Management: Capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.
Legal Management: Capability to manage, monitor, and report on the organization's legal operations, processes, matters, risks, and activities.
Physical Security Management: Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.
Policy & Training Management: Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures, and related awareness activities.
Quality Management: Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.
Risk Management: Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects.
Strategy & Performance Management: Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.
Third Party Management: Capability to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly the risk and compliance challenges these relationships bring.

Content & Intelligence segments
Audit Content & Intelligence: Content providers of audit templates, forms, and intelligence.
Business Continuity Content & Intelligence: Content providers of business continuity templates, forms, and intelligence.
Compliance Content & Intelligence: Content providers of regulatory libraries, regulatory intelligence, compliance forms and templates.
Environmental Content & Intelligence: Content providers of environmental intelligence, forms, and templates.
Health & Safety Content & Intelligence: Content providers of health & safety libraries, content, forms, and templates.
Internal Control Content & Intelligence: Content providers of internal control libraries, forms, and templates.
IT GRC Content & Intelligence: Content providers of IT GRC/security control libraries, threat and vulnerability intelligence, forms, and templates.
Legal Content & Intelligence: Content providers of legal databases, libraries, legislation tracking, forms, templates, and spend intelligence.
Policy & Training Content & Intelligence: Content providers of policy libraries, training courses, and policy and training related content, forms, and templates.
Risk Management Content & Intelligence: Content providers of risk intelligence feeds, risk libraries, loss data, risk forms, and templates.
Third Party Management Content & Intelligence: Content providers of third party management intelligence, due diligence, watch lists, negative news, ratings, monitoring, forms, and templates.
Issue Specific Content & Intelligence: Content providers of content and intelligence related to specific issues, regulations, and risks (e.g., bribery/corruption, conflict minerals, labor).
Industry Specific Content & Intelligence: Content providers of industry specific content and intelligence.

Professional Services segments
Audit Services: Services focused on external audits as well as internal audit staffing and management.
Consulting Services: Services focused on GRC related management and strategy consulting.
Legal Services: Services focused on legal matters and advice related to GRC.
Outsourced Services: Services that are outsourced, such as specific GRC functions, monitoring, certification, etc.
Systems Integration Services: Services focused on implementation, build out, and development of GRC related information and technology architecture and solutions.
Broader Market Size – GRC Technology Market (not Content or Professional Services)
When considering a broader view of the GRC EcoSystem:
NOTE: assumes a 20% overlap in market size estimates in segments (total of all segments size is $13,002 Billion)
• EH&S Management
• IT GRC/Security Management
• Operational Resiliency – BCM and Risk Management
  – Going forward, during crisis not as much
• Policy & Training Management
• Third Party GRC Management
© GRC 20/20 Research, LLC • www.GRC2020.com 39
2020 – Overall Market by Geography
[Pie chart: values shown 37%, 44%, 5%, 5%, 2%, 2%, 5%; the region label for each value is not recoverable from this extraction]
Miscellaneous GRC Platform & Architecture Tools
To be an Enterprise GRC Platform requires a single platform architecture that has multi-department (e.g., enterprise wide) use across the following areas, at a minimum:
– Enterprise/Operational Risk Management
– Compliance Management
– Internal Control Management
– Issue Management (e.g., incident, case, investigations)
– NOTE: most Enterprise GRC Platforms offer a range of additional modules beyond these.
IT Security Solutions
Drivers
1 Constant Change: Exponential growth in regulatory, risk and business change is making scattered GRC processes and information constantly behind and exposing the organization.
2 Growing Relationships: The growing array of 3rd party relationships with increased regulatory and risk exposure is bearing down on organizations to include in GRC strategies.
3 Scattered Information & Platforms: Many organizations still find they are encumbered by silos of information that is disconnected, and often have several disconnected GRC platforms in different areas.

Trends
1 Architecture: No platform does everything. Organizations are looking toward an information and technology GRC architecture that integrates GRC, though there often is one central core platform.
2 Integration: Enterprise GRC Platforms are no longer self-contained solutions to manage GRC workflow and tasks; they require strong integration capabilities into a range of business systems.
3 Best of Breed Where it Makes Sense: In a GRC architecture approach, organizations are looking toward a common hub and core for Enterprise GRC but allow for best of breed solutions where they make sense.
[Chart residue: Internal Audit 13%, Other 8%]
[Market by geography chart residue: regions NORTH AMERICA, ASIA, CENTRAL/SOUTH AMERICA, MIDDLE EAST, OCEANIA, AFRICA; values shown 38%, 42%, 5%, 4%, 3%, 2%, 6% (seven values, six labels; label-to-value pairing not recoverable)]
[Chart residue: Company; Configurability 39%; Stability/Viability 16%]
[Chart: level of GRC integration by survey year (2015, 2017, 2019), scale 0–100; percentages not recoverable. Response options:]
– We have integrated processes and technology across many or all organizational silos of operation
– We have integrated processes across many organizational silos, but we have not yet completely addressed integrating technology that supports these processes
– We have standardized some processes and use of technology but not across the entire enterprise
Risk areas covered, by organization type (values listed in the order of the chart legend: Siloed / Integrated):
Reputation Risk: 36% / 59%
Legal Risk: 36% / 60%
Financial Risk: 57% / 59%
Competitive Risk: 22% / 32%
Third Party Risk: 35% / 56%
Cyber-Security Risk: 46% / 67%
Compliance Risk: 73% / 78%
Operational Risk: 78% / 84%
Strategy Risk: 33% / 59%
Source: OCEG/GRC 20/20 GRC Strategy Survey, 506 respondents from organizations in 2020.
Satisfaction of GRC Integration from those Who Integrated
Where your organization has integrated processes for governance, assurance and/or management of performance, risk and compliance (GRC), the results have:
– Failed to meet expectations: 7%
– Provided benefits that met expectations: 74%
– Provided benefits that exceeded expectations: 19%
[Bar chart residue (benefits of GRC integration; most bars not recoverable): Reduced impact on operations from siloed and uncoordinated risk assessments 50%; Other 2%; Other 5%; None 4%]
[The following text is recovered from several OCEG Illustrated Series graphics (Anti-Corruption, Policy Management and GRC series) whose extraction is heavily garbled; "…" marks text that could not be recovered. Vertical labels visible in the graphic: POLICY VIOLATIONS; EXCEPTIONS AND DEVIATIONS.]

… auditor or regulator, it is often necessary to provide positive evidence of policy compliance. Preserving a full view of the policy history and audit trail (including key data points such as the owner, who read it, who was trained, acceptance/acknowledgement …) …

Repository: Technology enables policy implementation and enforcement by creating a repository of all policies, procedures, and controls that are cross-referenced …

Consistency: Technology creates a consistent environment to conduct assessments, track issues of non-compliance, and take corrective actions.

The right metrics will help ensure policies are effective at establishing desired behaviors efficiently, and agile enough to accommodate the demands of a dynamic and distributed organization.

Technology allows organizations to more … improvements … an accurate and complete policy control … plan … environment is operating effectively.

4 IMPLEMENT & ENFORCE
Even with good communication, policies aren't always followed. …
• Policy implementation and/or enforcement is not always possible. Exceptions can happen when the organization cannot comply with a policy, when the policy is too subjective, or …
• Exceptions must be documented and available to auditors and regulators upon request. Organizations that demonstrate clear procedures for policy exception … sufficient authority. Limits should be set so exceptions are regularly reviewed and not granted for extended or unreasonable time periods … policy revisions are made or the organization is brought into full compliance.

THE BENEFIT OF TECHNOLOGY
Technology enables policy implementation and creates a consistent environment …

Steps 5–8 (fragments): … record of the versions and communication activities around policies; they can show what, when, where, why, and how communication took place. To have an effective compliance program, an organization requires consistent communication and training and learning from the previous efforts.

Contact Carole S. Switzer cswitzer@oceg.org for comments, reprints or licensing requests
©2012 OCEG visit www.oceg.org for other installments in the Anti-Corruption Illustrated Series
©2012 OCEG visit www.oceg.org for other installments in the Policy Management Illustrated Series
©2014 OCEG visit www.oceg.org for other graphics in the GRC Illustrated Series
Security: What is the security architecture of the platform? How does the solution provider resolve security issues in their platform?
Agility: Does the solution meet not only your current needs but also your long term strategy for GRC over the next 3 to 5 years?
[Figure: ring diagram. Outer ring labels are not recoverable from the extraction; inner ring segments: INSIGHT-BASED ADJUSTMENT; LANGUAGE/TONE/PATTERN ANALYSIS; CONTINUOUS MONITORING AND ADAPTATION; DATA AGGREGATION/PRIORITIZATION. Caption: "I'm continuously learning and making adjustments based on actions and decisions I observe."]
Capabilities listed in the figure:
• Develop and manage rules to identify concepts, regs/obligations
• Answer specific questions and conduct requested research analysis
• Identify and report on trends
• Prevent data drift or duplication
• Compare policies and documents
• Analyze/compare changed and new regulations
• Categorize and recommend actions to an incident
• Map risks and interdependencies
[Figure labels: Efficiency, Effectiveness, Agility; Value; • Operational Effectiveness; • Responsiveness to Events]