After hitting an air pocket in 2008 and 2009 as deals for products to manage Sarbanes-Oxley Act compliance dried up, sales of governance, risk and compliance (GRC) platforms have soared in 2010 as organizations apply risk and compliance requirements more broadly to environmental practices, supply chain partners and human resources.
According to Forrester Research Inc., sales of GRC tools grew 15% to just under $749 million worldwide, an increase from $635 million in 2009. The Cambridge, Mass.-based firm believes the market will continue to thrive well into 2011.
"After talking with some of the larger vendors, as well as the indications we get from the buyers, next year looks like it is going to be a big one for this space," said Forrester analyst Chris McClean, author of the report "Market Overview: GRC Platforms."
To continue this momentum, McClean cautioned that vendors must offer compliance executives more value through risk and compliance content and analytics, while integrating these products with existing IT infrastructure. Eventually, GRC platforms must concentrate more on improving process, loss mitigation and strategic support decisions instead of chasing short-term regulatory pressures, he said, explaining that if vendors "continue to pursue the latest regulatory changes or newsworthy risk concerns, their customers will fail to see the longer-term benefits of GRC programs."
In the report, compliance executives offered up their wish lists for what they most wanted to see in new GRC platforms, including more flexibility, ease of use and closer vendor relationships. They listed their top measurements for success of a GRC product as greater efficiency, risk reduction and strategic support.
Executives from other organizations that weren't part of the survey confirmed that they will spend more money next year on GRC products but prefer to work with larger companies such as IBM or Oracle Corp. to help them integrate these products with their existing mission-critical applications.
"We won't buy their big, oversized suites, but use their monitoring control software into our existing systems that work across environments," said Eugene Lee, an IT administrator at a national bank in Charlotte, N.C.
Seeing the difficulty customers have in keeping up with risk and compliance requirements, vendors in different market segments are extending their capabilities to offer more support for GRC platforms. Oracle and SAP AG, for example, have both expanded their GRC suites to offer broad risk and compliance management functionality beyond their core focus on access controls management.
"We have bought into point solutions here and there from smaller players, but the feeling now is we need some offerings that give the C-suite a broader view of things. Companies like IBM and Oracle will eventually incorporate many of these point solutions into their products," said Will Havern, an administrator at the Chicago Mercantile Exchange.
McClean predicts that acquisitions, research and development, along with more sophisticated implementations, will lead GRC to ultimately move upward to deliver value at the board and executive levels. As a result, sophisticated companies will look for GRC platforms that can support scenario modeling, performance management and predictive analytics to help them make better strategic decisions.
Let us know what you think about the story; email Ed Scannell, Executive Editor.