November 2009

GRC in 2010: $29.8B in Spending Sparked by

Risk, Visibility, and Efficiency
by John Hagerty and Bob Kraus

As both a term and a technology category, governance, risk management, and compliance
(GRC) has arrived in a new state of maturity. Both business and IT leaders indicate that
hair-on-fire issues still get the lion’s share of attention, but companies are thinking bigger and
broader about the role GRC plays in their business. While spending during 2008 and 2009
sagged along with the economy, companies now plan to increase expenditures by nearly 4% in
2010. The emphasis is on better visibility and more efficiency, filtered through a lens of risk.

Enterprise Performance Management

© Copyright 2009 by AMR Research, Inc.

®
AMR Research is a registered trademark of AMR Research, Inc.

No portion of this report may be reproduced in whole or in part without the prior written permission of AMR Research. Any written
materials are protected by United States copyright laws and international treaty provisions.
AMR Research offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff
of AMR Research makes every reasonable effort to present the most reliable information available to it and to meet or exceed any
applicable industry standards.
AMR Research is not a registered investment advisor, and it is not the intent of this document to recommend specific companies for
investment, acquisition, or other financial considerations.
Enterprise Performance Management
GRC in 2010: $29.8B in Spending Sparked by
Risk, Visibility, and Efficiency
by John Hagerty and Bob Kraus
The Bottom Line: After a two-year period of decline, GRC spending growth returns in 2010,
expanding by 3.9% to nearly $30B.
Ask 10 companies to describe governance, risk manage-
ment, and compliance (GRC), and you’ll likely get at
least 20 definitions. Therein lies the rub: GRC is many
things to many people, and not a singular product
with discrete functionality. For some, it’s tightly tied to
security. Others view it as fraud and audit functions.
Where does environmental health and safety (EH&S)
lie? What about sustainability?
Over the last seven years, GRC has continued to change.
Gone is the white-hot fixation on Sarbanes-Oxley (SOX)
compliance. Many organizations view it as yesterday’s
news, even though the principles that underpin SOX
and other regulations have largely been incorporated into
everyday functions as a part of standard procedure.
A more mature approach has emerged to address GRC
fundamentals in all their shapes, sizes, and colors, with
better risk management looming larger in executive
thinking. Business policy has also muscled its way onto
the scene, lending a governance flavor long missing
from the GRC agenda. As one CFO of a large indus-
trial firm put it, “I want no more surprises. We must
operate with our heads up, eyes open, connecting the
dots between risks, policies, compliance mandates, and
overall performance.”
In 3Q09, AMR Research conducted a GRC study to
assess plans, motivations, and spending priorities at
151 U.S. companies of all sizes and across industries.
Enterprise Performance Management | November 2009
November 2009
Our respondents also had a wide range of job responsi-
bilities within their organizations. The study confirmed
what we had suspected: GRC programs and requisite
spending dropped in 2008 and 2009. Just as impor-
tant, however, spending is expected to expand next
year. We reached the following conclusions:
• U.S. companies will spend $29.8B on GRC activi-
ties in 2010, up 3.9%.
• Risk management remains the top GRC
motivation.
• Better visibility leads to an agile response.
• Efficiency equates to operating at the highest
impact and lowest cost.
U.S. companies will spend $29.8B on
GRC activities in 2010, up 3.9%
Any discussion about 2010 GRC spending must be
looked at through the lens of the prior year’s plans
versus the actual results. AMR Research predicted that
companies would spend $32B in the United States
for GRC in 2008. The data gathered at the beginning
of that tumultuous year was optimistic, reflecting the
general mood in the business community that all was
right with the world. GRC spending in particular was
on a rocket ship, heading ever higher.
©2009 AMR Research, Inc. 1
We all know what happened later in 2008. Companies
slammed on the brakes, cut non-critical expenditures,
and began laying off workers—a process that continues
today. Companies reported that spending fell by 5%
between 2007 and 2009, which is not as bad as we
anticipated. But the outlook for 2010 is for growth,
with spending rising 3.9% to near 2007 levels, or
$29.8B (see Figure 1). We’ve also included the original
2008 forecast for comparison purposes (see Figure 2).
What a difference an economic crisis makes.

Figure 1: 2010 GRC spending forecast*

$30B $29.9B $29.8B

$29.4B

$28.7B

+3.9%

$27.3B

$25B

2006 2007 2008 2009 2010

*The spending numbers for 2008 and 2009 have been revised to reflect actual spending.
Source: AMR Research, 2009

“I want no more surprises. We must operate with our

heads up, eyes open, connecting the dots between risks,
policies, compliance mandates, and overall performance.”
—CFO of a large industrial firm

2 ©2009 AMR Research, Inc. Enterprise Performance Management | November 2009

 Figure 2: GRC market size, original forecast—2008–2009 ($B)
$35B
$27.3B
2006
What’s included in GRC spending estimates?
By our definition, GRC spending encompasses more
than software products. It includes three major areas:
• Technology, including software, hardware, and inte-
gration requirements
• External services that encompass consulting, imple-
mentation, and outsourced processes conducted
onshore and/or offshore
• Internal efforts needed to make GRC management
a reality within companies, including day-to-day
management and execution tasks across lines of
business, IT, legal, and audit roles
This fully loaded spending prediction constitutes a
complete picture of what companies spend on GRC
programs. As Table 1 shows, GRC is still an intensely
human effort, with more than two-thirds (internal
efforts and external services) spent on people-related
expenditures.
Table 1: 2010 GRC spending by category
Technology
External services
Internal efforts
Source: AMR Research, 2009
Enterprise Performance Management | November 2009
$33.5B
$32.1B
$29.9B
2007 2008 2009
Source: AMR Research, 2009
Risk management remains the top
GRC motivation
It came as no surprise that better management and
mitigation of business risk is the primary investment
driver for GRC. Add in the fear factor, the risk of
non-compliance, and you quickly see risk carries a lot
of weight in GRC decisions (see Figure 3). It’s an even
stronger motivation than in early 2008, the last time we
conducted this study.
When we analyze the results by company size, with
5,000 employees roughly translating to $1B in revenue,
we find smaller firms are significantly more sensitive
to risk as a motivation to implement GRC programs.
While risk looms large at companies over 5,000
employees, it’s not the only issue on the plate.
Interestingly, this fixation on risk management has not
translated to purchases of risk management software.
GRC customer inquiries during the last year nearly
always start with a risk discussion, but they quickly
$9.2B
transition to what actions should be taken to best miti-
gate those risks. Consider the following examples:
$6.6B
• A Fortune 100 retailer implemented an account rec-
$14.0B onciliation application to reduce the risk of flawed
financial controls.
©2009 AMR Research, Inc. 3
 • A global fast-food company used transaction moni-
toring software to enforce company policy on travel
and entertainment card purchases because it was
uncomfortable with potential exposure associated
with fraud and/or brand risk.
• A global electronics conglomerate attacked a poten-
tially thorny security nightmare by implementing a
segregation-of-duties system to mitigate immediate
exposure and continuously monitor its application
landscape for the future.

Figure 3: What drives investments in GRC?

Better manage and mitigate 38%

risks in the business 28%

9%
Risk/cost of non-compliance
17% Companies with less
than 5,000 employees
Reduction in overall 5%
cost of GRC Companies with 5,000
21%
or more employees
Automation, efficiency, and 14%
repeatability of GRC activities 14%
Establishment of a 16%
legally defensible
information environment 20%
Provide internal and external 16%
transparency of financial and
operational performance 9%

40%

Source: AMR Research, 2009

4 ©2009 AMR Research, Inc. Enterprise Performance Management | November 2009

 Self-assessed GRC maturity is at an
all-time high
You hear it in questions asked, and you see it in decisions
made. Organizations have definitely matured in their
GRC thinking. But are all constituents on the same page?
One of the first questions we asked survey participants
was to assess their company’s GRC maturity on the
standard five point Capability Maturity Model (CMM)
scale. Overall, 53% of companies indicate that they
operate at the highest levels of maturity (score of 4 or 5).
This is significantly higher than results from past years.
But there are different points of view (see Figure 4).
Line of business is much more confident with its
approaches and processes. IT doesn’t always see it
that way: it believes there is more work to do, and
nearly one-fourth of the IT respondents believe their
firms are just in the early phases of the GRC process.
Maturity is always in the eye of the beholder. One
person’s “optimized” may be another person’s
“defined process.” But processes have improved, and
the majority of companies feel they are on top of the
GRC process.

Figure 4: GRC maturity self-assessment (CMM five-point scale)

0: 4%
Non-existent 1%

1: 22%
Initial/ad hoc 9%
IT
2: 9%
Repeatable, but intuitive Line of business
9%
3: 22%
Defined process 19%

4: 35%
Managed and measurable 44%

5: 8%
Optimized 17%

50%

Source: AMR Research, 2009

Enterprise Performance Management | November 2009 ©2009 AMR Research, Inc. 5

Better visibility leads to an agile
response
No one wants to be caught unprepared. External factors
beyond your control, such as a new law, regulation, or
market disruption, can’t always be predicted.
What is visibility? For one group, it is key performance
indicators (KPIs) or key risk indicators (KRIs) that can
be defined, measured, and monitored for movement
and improvement. For a second segment, visibility
means establishing a framework of processes, risks,
controls, and policies—either self-generated or sourced
from an independent third party—by which you can
measure progress toward articulated goals. A third
Figure 5: 2010 GRC software investments priorities
Compliance management
Business process management
Continuous control monitoring
Security (internal/external)
Risk management
Sustainability software
Document/records management
Reporting
Collaboration, training, and e-learning
Enterprise applications
6 ©2009 AMR Research, Inc.
approach is to establish detailed monitoring programs
to assess business transactions or IT actions in near-real
time and flag anomalies for investigation and correc-
tion. In reality, visibility is a function of all three.
Investments planned for 2010 are skewed toward defin-
ing the GRC universe for the company, then manag-
ing and monitoring against it (see Figure 5). This is a
shift from prior years, where companies focused on the
piece parts—document repositories, dashboard build-
ers, etc.—that would be needed to build a compliance
management system. The top three software invest-
ments areas companies expect to invest in include com-
pliance management, business process management,
and continuous monitoring products.
18%
17%
16%
15%
14%
12%
11%
10%
8%
7%
20%
Source: AMR Research, 2009
Enterprise Performance Management | November 2009
Efficiency equates to operating at the
highest impact and lowest cost
Streamline. Automate. Improve. Monitor. These
words have become the new GRC mantra. We saw
earlier in Figure 3 that cost reduction is a powerful
motivator for further GRC investment. Cost reduc-
tion is also prominent in any discussion of benefits
companies hope to achieve as a result of GRC spend-
ing (see Figure 6). Now, there’s even more urgency for
spending in one area to pull double- or triple-duty to
maximize payback.

Figure 6: Additional benefits of GRC investments

Streamline business processes 37%

Better quality 36%

More secure environment 28%

Improve audit effectiveness 28%

Better visibility to operations 26%

Support globalization efforts 21%

Other 2%

No other business process is

5%
supported with GRC technology

40%

Source: AMR Research, 2009

Enterprise Performance Management | November 2009 ©2009 AMR Research, Inc. 7

We drilled a bit deeper regarding monitoring preferences
and discovered that nearly 60% of companies indicated
that monitoring already is or soon will be part of their
overall approach, compelled by cost, risk, compliance,
and policy and procedure needs. Of that group, over
60% have automated monitoring to some extent.
But there is more to do. System configuration, security
and access privileges, and the monitoring of business
transaction/process (largely financial activities) are
Figure 7: Continuous monitoring value proposition
Reduce cost of compliance
Close holes in existing
processes
Better enforce company
policy and procedure
Reduce/eliminate fraud
Reduce manual testing
of controls
Reduce audit feeds
Other 9%
8 ©2009 AMR Research, Inc.
moving up the list in terms of priorities. A VP of audit
for a manufacturer said it best: “Monitoring is ideally
suited for technology automation. Define the rules,
execute continuously, flag the exceptions, evaluate the
results, tune the rules, and do it all again…it’s a perfect
continuous improvement cycle.” You can see these
themes echoed in the responses from survey partici-
pants when we asked about the value of continuous
monitoring—cost reduction, fraud reduction, process
improvement, and policy enforcement.
39%
36%
34%
27%
25%
20%
40%
Source: AMR Research, 2009
Enterprise Performance Management | November 2009
Conclusions
• After a two-year period of decline, spending growth
returns in 2010, expanding by nearly 4% to
$29.8B.
• Companies indicate they have mature processes in
place. Additional spending will be targeted at GRC
outcomes, not GRC piece parts.
• Risk management remains the top motivator for
GRC spending. But spending on risk management
software isn’t the beneficiary. Companies want solu-
tions that mitigate risk, not just monitor it.
• Visibility and efficiency underpin the majority of
investments for 2010, as companies attempt to
operate with heads up, eyes open, and as efficiently
as possible.

Enterprise Performance Management | November 2009 ©2009 AMR Research, Inc. 9

Research and Advice That Matter
AMR Research is the No. 1 independent
advisory firm serving supply chain, operations,
and technology executives. Founded in 1986,
AMR Research focuses on the intersection
of business processes with value chain and
enterprise technologies. We provide our
clients in the consumer products, life sciences,
manufacturing, retail, and technology sectors
with subscription advisory services and
expert-led Peer Forums. To learn more about
our research and services, please visit
www.amrresearch.com.

More information is available at

www.amrresearch.com. Your comments are
welcome. Reprints are available. Send any
comments or questions to:

AMR Research, Inc.

125 Summer Street
Boston, MA 02110
Tel: +1 (617) 542-6600
Fax: +1 (617) 542-5670