Posted by: Linda Tucci
I’ll start with the possibly infuriating hypothesis: There’s money to be made from governance, risk and compliance (GRC) software by vendors, of course, but also for enterprise IT shops. And it is probably not in the standalone GRC management platforms that focus on documentation, but in platforms that focus on automated controls and continuous monitoring of risk.
SAP and Oracle have sniffed out where the money is in GRC, and maybe IBM. (Thomson Reuters, the global information company that acquired Paisley in 2008, and Wolters Kluwer, which bought Axentis last year, are also betting on a GRC jackpot, but it’s a different pot from the one pursued by the ERP players.)
To back up: The marketplace for GRC management platforms is premised on the belief that the problem with enterprise governance, risk and compliance is that the three areas are typically handled in separate parts of the enterprise and shouldn’t be. Coordinating the many compliance obligations that an enterprise faces — to reduce redundancy, improve efficiency, etc. — is hard. Coming up with an effective governance structure for the legions of corporate employees who have some hand in mitigating risk and meeting compliance requirements is also hard. GRC management platforms promise to identify, coordinate and document all the IT, operational and financial functions involved in GRC.
Compliance is good. Documentation is good. Fixing is even better. Back to the money part.
ERP vendors Oracle and SAP are upping their stakes in the GRC market. Oracle, which has offered GRC software for a number of years, announced in December its Oracle Enterprise GRC Manager (the acquired Stellent product re-architected to run on Fusion middleware) and its latest release of Oracle Enterprise GRC Controls for, if it should say so itself, “a unique, closed-loop approach to regulatory compliance, risk management and controls automation.” SAP’s focus in GRC has always been on the automated controls, rather than documentation, claiming that extensive manual reporting is unnecessary if problems are corrected as they arise. When this kind of continuous controls monitoring is applied to enterprise performance for the purpose of detecting and preventing violations of business rules — duplicate or late payments, for example, out of warranties — companies are not only staying in compliance, they are saving and making money. If, as some analysts believe, this is where the GRC market is heading, SAP and Oracle have a leg up — at least among their customers.
That’s the hot air. There’s a plan to bring the argument down the earth.
Starting soon, SearchCompliance.com will devote a section to new products and product developments in GRC, not just from the names mentioned here but also from the flotilla of vendors (about 40) that address the many aspects of this $30 billion spend. (Suggestions for a catchy name for our product news section, preferably with a double entendre, are welcome.) As we follow the products, we hope it will become clearer to you (and us) where GRC technology is headed and how these products can not only help keep your company out of jail but also contribute to its bottom line.
Meantime, rebuttals to the follow-the-money hypothesis are welcome. As well as any inside tips on which GRC vendors will end up owning the space. (I already got one from someone who’s followed Oracle for two decades. To paraphrase: Once they’ve made up their mind to go after this space, they’ll crush everyone in their path.)