Demystifying the GRC Marketplace
The Truth about marketing risk solutions in GRC
The public is not aware of a huge market in risk solutions used by risk, compliance, audit and IT professionals globally. There is no agreed-upon metric to measure the size and growth of the GRC marketplace. GRC is an acronym for governance, risk and compliance, and in this context it refers to a technology platform designed to manage an organization's governance, risk and compliance activities and the mandates of regulatory compliance.
No two research firms agree on the size, scope or future direction of the GRC marketplace, and the projections of growth in this space are pure fiction. The primary reason for this lack of transparency is that there is no standard for what a GRC platform offers. Secondly, mature GRC platform solution providers are now owned by publicly traded firms that seldom disclose GRC's contribution to earnings, sales and growth in their financial statements. And lastly, GRC platform providers use their own proprietary yardsticks to measure size, scope and growth.
Gartner's Magic Quadrant, Forrester's Wave, and IDC's MarketScape GRC researchers do not provide any insight into the functional capability of the GRC platform solutions themselves.
Instead, marketing jargon is the preferred method for obscuring what risk solution providers actually do to help you manage risk! It is amazing that the top three researchers have provided nothing but magical thinking to describe a category of technology meant to manage the administration of a range of risk categories. The Big Three GRC researchers have damaged the marketplace and stunted the opportunity for GRC solution providers to grow by obfuscating both the limitations and the useful functionality of risk solution providers. In simple terms, they fail the basics of advertising: not telling the truth!
GRC has never penetrated more than one-third of the potential market for risk solutions in the 22 years that I have followed the market category and conducted research on risk professionals' use of risk tools. There is a real need for robust solutions in risk management; unfortunately, GRC solutions only scratch the itch but do not solve the problem. Let me explain!
99% of all GRC solution providers use subjective measures to capture "risks". I use the term risk lightly because the vast majority of data captured in GRC platforms are not risks at all. The data is typically representative of operational failures in management. In fact, the failure of GRC is that it does not manage anything of value. In 2002, the U.S. Congress drafted a new regulatory regime called Sarbanes-Oxley (SOX), named after the two senators who wrote the law. Sarbanes-Oxley is an exhaustive piece of legislation designed to prevent the fraud that was rampant in the late 1990s and early 2000s.
You remember Enron, Tyco, WorldCom... yeah! Those firms became the poster children of fraud. Notwithstanding that, in 1985, with backing from the Securities and Exchange Commission, the Committee of Sponsoring Organizations of the Treadway Commission was formed to prevent fraud in financial reporting. Unfortunately, the S.E.C. has failed to enforce its own legislation, and fraud has continued unabated, with many of the organizations that drafted the rules to prevent fraud becoming the facilitators of fraud.
In 1999, before Gartner, Forrester and IDC coined the term "GRC" to describe a fledgling new industry for managing risks, many of us risk professionals designed our own systems to keep track of the work product needed to demonstrate to regulators that a working risk management program existed in the firm. Technology is ideally suited to providing a believable facade of credibility without having to prove it actually works! And it did what it was designed to do: convince regulators that a robust risk process existed, even though it provides little evidence of anything beyond an administrative check on the regulatory checklist. The value of that information is questionable as a strategic source of insight into the exposures firms actually face.
Subjective risk assessments and subjective probabilities are "educated" guesses of risk, not actual risk exposures. No matter how fancy the charts and graphs, subjective risk assessments are projections of wishful thinking that mostly underestimate or overestimate the real risk. GRC platforms allow risk professionals to automate the administrative burden involved in managing risk. That is no more than an Excel spreadsheet telling you the time of day without a mathematical formula. GRC does less than that!
GRC is not based on any scientific foundation or rigorous risk analysis. In fact, the industry is similar to the traveling elixir salesmen who worked the town circuits at the turn of the 19th century, selling a product that promised a cure for every ailment but cured none. The problem is that risk professionals around the world are seeking help to solve real, complex problems every day! With that said, I believe there is a place for GRC solution providers as enablers of greater efficiency and transparency, if they choose to pursue these paths. That is why I founded the GRCIndex!
My goal is two-fold: 1) demystify the functional capability of GRC; 2) provide clear guidance on how these tools work, allowing risk professionals to select the tools that best fit their risk programs. Simple! There is one less obvious goal: to encourage designers of GRC to enhance the functional capability of their tools so that they actually provide new insights into hidden risks. More on that in upcoming articles!
The GRCIndex removes marketing jargon and focuses on the functional capability of GRC solution providers, but we go further and explain how each module within a platform provides different and unique functional capability. We at the GRCIndex believe that GRC solutions can be helpful when you understand how these tools work and you understand the limitations of these systems. There are a few exceptional vendors whose functional capability is more robust than others', but the vast majority are different versions of the same functional capability.
If you want the honest truth about GRC solution providers, we plan to produce hundreds of reports on the diversity and scope of the solution providers that exist globally. But whatever you do, don't believe the hype and overpay for a GRC solution that you don't need. Contact us first!