Compliance has been one of the dominant themes in the post-Enron age of corporate IT. Many software providers tout their offerings as solutions for complying with the Sarbanes-Oxley Act (SOX) and every other regulatory mandate, industry best-practices framework and corporate internal policy.
As a product segment, compliance has defied easy definition and been dominated primarily by point solutions. Compliance-related offerings range across many established niches, including business intelligence, corporate performance management, business process management, identity and access management, application security, change management, risk management, auditing and archiving.
However, over the past year, a new IT product segment has emerged — governance, risk and compliance (GRC) management — that integrates compliance point solutions into comprehensive, service-oriented architecture (SOA)-enabled enterprise suites. Fueling this trend is the growing realization that companies cannot have one stovepipe GRC management infrastructure for each mandate, but must leverage a single infrastructure across all initiatives. Each new investment in compliance-enabling technologies must integrate through SOA into the company’s core GRC management platform.
The most noteworthy recent development in GRC management was SAP’s late-2006 launch of a comprehensive, modular product platform to address a wide range of GRC requirements. Essentially, SAP validated GRC management as an important new enterprise software platform. At the same time, through its product announcements, the vendor has provided an architectural blueprint for the core GRC management functionality: monitoring, verification and optimization of business controls that have been expressed as structured workflows.
First and foremost, SAP provides a GRC management repository that centralizes compliance frameworks, mandates, policies and rules. It also provides a GRC process tool for modeling enterprise controls, executing the associated workflows and enforcing compliance. Its GRC platform includes a compliance dashboard, which provides a high-level rollup and enables detailed drill-down into key business risks across multiple enterprise levels, organizational entities, business processes and IT infrastructures. SAP’s platform enables automatic aggregation of enterprise business-process risks, provides supporting evidence of compliance, pinpoints control violations and enables prioritization of corrective action. It also includes collaborative tools, role-based views and configurable alerts to support operational enterprise risk management involving process stakeholders.
Other GRC management platform vendors have equivalent features in their product suites; SAP is far from the leader in this emerging segment. Vendors such as BWise, CA, MEGA International and OpenPages have been active in the compliance arena for several years.
One key area of differentiation among these vendors is their ability to facilitate customers’ GRC projects through prepackaged project accelerators. These accelerators consist of bundled regulatory framework libraries, implementation templates, workflows and other metadata to support diverse GRC mandates and best practices, including SOX, the Health Insurance Portability and Accountability Act, Basel II, COBIT and Information Technology Infrastructure Library. The best-of-breed GRC platforms will be those that support ongoing compliance with many overlapping mandates.
A noteworthy recent event in this regard was OpenPages’ January release of its OpenPages Governance Platform 5.0. This release includes the new GRC platform — which integrates formerly separate point solutions — plus new and enhanced solution modules for operational risk management, financial controls management, general compliance management and IT governance. Companies can start with a single compliance initiative, such as SOX, and then implement future compliance initiatives through add-on modules. OpenPages lets organizations manage several overlapping GRC mandates across many jurisdictions and business processes. These all-encompassing GRC suites might seem like overkill. Indeed, GRC point solutions may be easier to justify than a one-size-fits-all suite that demands extensive upfront planning, coordination and integration to deliver the promised benefits. Another obstacle to enterprise deployment of these GRC suites is the need to enlist professional services firms to customize project accelerators to a specific client’s corporate environment and requirements.
Few GRC suites will be implemented without extensive, expensive, time-consuming customization. And they will require continuing modifications to framework libraries, control workflows and compliance analytics dashboards to keep pace with the changing business environment. Many GRC-focused products on these platforms will be crafted by vendors’ professional services and systems integration partners on a project- and client-specific basis.
All of which highlights the fact that the GRC market remains heavily weighted toward professional services, judging by the proportion of enterprise compliance budgets spent on auditing, consulting and system integration. When a company chooses a strategic GRC platform, it will, in many cases, also be choosing a process-reengineering partner.