After a two-year decline, governance, risk and compliance (GRC) spending is expected to grow to $29.8 billion in 2010, up nearly 4% over the $28.7 billion spent in 2009, according to new data from AMR Research Inc. in Boston.
"The GRC market in the U.S. took a hit in 2008 and 2009," said AMR analyst John Hagerty. "Now companies are seeing the light at the end of the tunnel."
The predicted increase returns GRC spending to its peak level of $29.9 billion in 2007, and is slightly more than the $29.4 billion spent on GRC in 2008.
The bulk of the spending -- nearly 70% -- is pegged for people and processes, rather than technology, with:
- $14 billion going to internal services, including day-to-day management and tasks across business, IT, legal and audit.
- $6.6 billion for external services, encompassing consulting, implementation and processes outsourced onshore and offshore.
- $9.2 billion for technology, including software, hardware and integration.
Risk mitigation, cost reduction, top motivators for GRC spending
The uptick in spending parallels a growing interest in GRC, a relatively new approach that aims to coordinate the people, processes and technologies involved in governance, risk management and compliance. Governance, risk and compliance inquiries were up at Forrester Research Inc., Gartner Inc. and the nonprofit Open Compliance & Ethics Group this year, according to people who cover the GRC field there.
While taking a comprehensive and risk-based approach to GRC remains a challenge, said Chris McClean, an analyst at Cambridge, Mass.-based Forrester, companies increasingly are making the organizational effort required to get a better handle on risk. "We are beginning to see a lot more interest from clients in a formal approach to risk and compliance," McClean told SearchCompliance.com.
Companies have tended to treat risk management and compliance as separate activities, resulting in redundant controls and sometimes greater exposures. Mitigating risk and reducing cost are the top two motivators for GRC, the AMR survey found. Organizations that take a more comprehensive approach in theory should not only see their compliance and risk management costs go down but also turn their improved visibility to competitive advantage.
"I tell companies they need to mine the hidden gold and look at GRC as a way to improve their business programs by streamlining processes, by providing better security, data quality," Hagerty said.
The growing interest in governance, risk and compliance last year was no doubt spurred by the need to reduce risk in a poor economy, McClean said. However, like Hagerty, he added that he expects GRC to remain high on corporate agendas in 2010 as companies increasingly become convinced of the benefits of taking a comprehensive approach to risk and compliance.
The AMR survey also showed evidence of a growing maturity around GRC capability. When asked to rate their "GRC capabilities" on a scale of zero to five, most companies (53%) said they operated at the highest levels of maturity (a four or five), significantly higher than in years past, Hagerty said.
Whether the business line's optimism is justified is another matter, said Hagerty, who was more inclined to believe the considerably less sanguine scoring by the IT survey respondents: 25% rated their organization's GRC capabilities as either nonexistent or ad hoc. "I think the IT point of view is probably right. They see the situation across the enterprise," he said.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.