As we discussed yesterday, governance, risk, and compliance (GRC) is a large and fragmented industry. Unlike other areas of enterprise technology, where organizations struggle to understand differences between vendors, the challenge is often to understand what any given “GRC vendor” actually does. We recommended that organizations should begin to assess GRC vendors for their fit according to three dimensions: (1) functional scope, (2) operational scope, and (3) industry scope.
GRC solutions vary widely in their ability to reach across these categories (breadth) as well as the sophistication of their offerings in any one category (depth). From the vendor’s perspective, this is often a question of market and product strategy. There are two common options.
Focus on Breadth
A vendor can maximize their addressable market by seeking to expand the breadth of their exposure across functional capabilities, use cases, and industries. While the strategy opens the door to a great many organizations, it often limits a vendor’s ability to develop a great deal of sophistication within any one area. This is the classic “mile wide / inch deep” challenge. Even vendors that focus on the common needs of “highly regulated” industries can face challenges going much deeper than the lowest common denominators of data and process management. As a result, these solutions may be able to do 80% of the job “out of the box,” but getting to the final 20% requires work to fit the solution to a particular organization’s needs. An important distinction is whether a solution is configurable or customizable, which can have a tremendous impact on the cost and time required to deploy.
MetricStream represents a classic example of this approach. The company focuses on the scope of its software capabilities and is (rightfully) well-regarded for the breadth of its GRC capabilities. It has demonstrated rapid growth and a strategy that focuses on expanding the reach of enterprise GRC within an organization. MetricStream’s strategy creates a lot of opportunity. Its portfolio of capabilities ensures that the company can address a wide array of companies and use cases. Often the company’s solutions are good enough to ensure customers see value at its price point. However, MetricStream (like any organization) has limited resources to put into development and can face challenges when called to support highly specialized needs.
Vendors in this category often include the other “enterprise GRC” players, such as EMC’s RSA Archer, IBM OpenPages, BWise, Thomson Reuters’ Accelus, or SAP GRC. However, smaller providers such as ACL and AdaptiveGRC also take this approach. As a group, these providers tend to focus on platforms that reach across risk and compliance roles to eliminate information silos. Of course, individual providers focus on and stand out in particular areas. For example, SAP (which just launched a new audit management and analytics solution) has historically demonstrated a focus on finance, supply chain, and IT operations.
A breadth strategy does not imply that a solution is shallow. Nor is there anything wrong with this approach. It does mean that an organization has a responsibility to evaluate whether the solution matches its particular risk and compliance portfolio. Organizations with more specialized needs may find that a niche GRC application is a better fit. At the same time, offerings that focus on the breadth of capabilities are often best suited to organizations planning to build true, unified GRC environments.
Focus on Depth
In the second scenario, the vendor focuses on a particular need or audience. The most extreme examples of this phenomenon are the niche solutions that only address one need. This often takes the form of an operational focus (e.g. financial GRC or IT GRC), an industry-tailored focus, or an even more niche application, such as social media risk.
These solutions face smaller addressable markets but are able to dedicate resources in an extremely targeted manner. Given that GRC implementations often address a single “point” need rather than an enterprise vision, depth-orientated solutions can often offer easier deployment and greater impact within the scope of the investment. The tradeoff is that organizations may end up with solutions that can’t be scaled into an integrated, enterprise environment. This tradeoff depends on the vendor’s focus, with industry-orientated providers often best positioned to balance breadth and depth in their offerings.
Vendors that focus on a “use case” range across a spectrum, from providers like The Network and NAVEX Global, who both target compliance management, to even more security-orientated applications, such as Modulo (which, despite its recent march towards “enterprise GRC,” is still best suited to IT risk) or Actiance, which targets social media risk and compliance. Wolters Kluwer’s ARC Logics and Summix provide examples of industry-focused platforms. The two solutions solely target the financial and insurance industries. Between the two solutions, the company offers a comprehensive set of governance, risk, and compliance functions that are adaptable and closely tailored to industry-specific needs. The company also draws on a library of content and best practices as well as consulting services. QUMAS is another example of this approach, focusing on enterprise platform capabilities within the healthcare and bio-science industries.
Generally, depth-orientated vendors are less likely to appear in a wave or a quadrant, but the solutions are often the strongest offering within their area of focus. Still, when considering these solutions, companies should also consider the potential to scale the solution to future needs before making the investment. An industry-orientated solution may possess the breadth of capabilities needed to support an enterprise deployment, but solutions focused on a particular operational need or niche use case will usually mean that the organization must turn to another vendor if it hopes to grow its platform.
Selecting the right GRC vendor is, in part, a function of determining which sort of solution best fits an organization’s needs and constraints. A focused, niche provider may help respond to a very specific need at an appropriate cost, but close the door to future expansions. By contrast, a solution that focuses on breadth may involve more upfront costs and less depth of support for a particular use case, but provide greater enterprise value in the long run.
The success of a GRC investment depends on tradeoffs between the solution’s investment cost, fit for the immediate need, fit for industry needs, ease of implementation, and potential for future expansion. As such, organizations will want to understand their goals before exploring solutions, both for the initial deployment and for their plans for future use. This should generate at least an initial understanding of what sort of solution best fits. However, the processes that fall under the purview of GRC involve too many variables, and the solution landscape is too fragmented, to offer easy answers.