GRC in 2010: $29.8B in Spending Sparked by Risk, Visibility, and Efficiency
As both a term and a technology category, governance, risk management, and compliance
(GRC) has arrived in a new state of maturity. Both business and IT leaders indicate that
hair-on-fire issues still get the lion’s share of attention, but companies are thinking bigger and
broader about the role GRC plays in their business. While spending during 2008 and 2009
sagged along with the economy, companies now plan to increase expenditures by nearly 4% in
2010. The emphasis is on better visibility and more efficiency, filtered through a lens of risk.
AMR Research is a registered trademark of AMR Research, Inc.
No portion of this report may be reproduced in whole or in part without the prior written permission of AMR Research. Any written
materials are protected by United States copyright laws and international treaty provisions.
AMR Research offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff
of AMR Research makes every reasonable effort to present the most reliable information available to it and to meet or exceed any
applicable industry standards.
AMR Research is not a registered investment advisor, and it is not the intent of this document to recommend specific companies for
investment, acquisition, or other financial considerations.
Enterprise Performance Management
November 2009
The Bottom Line: After a two-year period of decline, GRC spending growth returns in 2010,
expanding by 3.9% to nearly $30B.
Ask 10 companies to describe governance, risk management, and compliance (GRC), and you’ll
likely get at least 20 definitions. Therein lies the rub: GRC is many things to many people,
and not a singular product with discrete functionality. For some, it’s tightly tied to
security. Others view it as fraud and audit functions. Where does environmental health and
safety (EH&S) lie? What about sustainability?

Over the last seven years, GRC has continued to change. Gone is the white-hot fixation on
Sarbanes-Oxley (SOX) compliance. Many organizations view it as yesterday’s news, even though
the principles that underpin SOX and other regulations have largely been incorporated into
everyday functions as a part of standard procedure.

Our respondents also had a wide range of job responsibilities within their organizations. The
study confirmed what we had suspected: GRC programs and requisite spending dropped in 2008
and 2009. Just as important, however, spending is expected to expand next year. We reached
the following conclusions:
• U.S. companies will spend $29.8B on GRC activities in 2010, up 3.9%.
• Risk management remains the top GRC motivation.
• Better visibility leads to an agile response.
• Efficiency equates to operating at the highest impact and lowest cost.
*The spending numbers for 2008 and 2009 have been revised to reflect actual spending.
Source: AMR Research, 2009
What’s included in GRC spending estimates?
By our definition, GRC spending encompasses more than software products. It includes three
major areas:
• Technology, including software, hardware, and integration requirements
• External services that encompass consulting, implementation, and outsourced processes
conducted onshore and/or offshore
• Internal efforts needed to make GRC management a reality within companies, including
day-to-day management and execution tasks across lines of business, IT, legal, and audit roles

This fully loaded spending prediction constitutes a complete picture of what companies spend
on GRC programs. As Table 1 shows, GRC is still an intensely human effort, with more than
two-thirds (internal efforts and external services) spent on people-related expenditures.

Table 1: 2010 GRC spending by category
Technology          $9.2B
External services   $6.6B
Internal efforts    $14.0B
Source: AMR Research, 2009

Risk management remains the top GRC motivation
It came as no surprise that better management and mitigation of business risk is the primary
investment driver for GRC. Add in the fear factor, the risk of non-compliance, and you quickly
see risk carries a lot of weight in GRC decisions (see Figure 3). It’s an even stronger
motivation than in early 2008, the last time we conducted this study.

When we analyze the results by company size, with 5,000 employees roughly translating to $1B
in revenue, we find smaller firms are significantly more sensitive to risk as a motivation to
implement GRC programs. While risk looms large at companies over 5,000 employees, it’s not
the only issue on the plate.

Interestingly, this fixation on risk management has not translated to purchases of risk
management software. GRC customer inquiries during the last year nearly always start with a
risk discussion, but they quickly transition to what actions should be taken to best mitigate
those risks. Consider the following examples:
• A Fortune 100 retailer implemented an account reconciliation application to reduce the risk
of flawed financial controls.
[Figure: chart comparing companies with less than 5,000 employees and companies with 5,000 or
more employees across: risk/cost of non-compliance; reduction in overall cost of GRC;
automation, efficiency, and repeatability of GRC activities; establishment of a legally
defensible information environment; provide internal and external transparency of financial
and operational performance.]
[Figure: chart comparing IT and line of business across levels 0 (non-existent), 1 (initial/ad
hoc), 2 (repeatable, but intuitive), 3 (defined process), 4 (managed and measurable), and
5 (optimized).]