GRC isn’t dead

31.07.2008 by Martin Kuppinger

Today I’ve seen a blog entry which claimed that GRC is dead. That reminded me of the closing keynote of our European Identity Conference 2009, where I had a discussion with Paul Heiden of BHOLD Company about GRC. Paul claimed that GRC is just dealing with FUD (fear, uncertainty, doubt) and that there is no real business value in it.

So – is the market for GRC solutions (Governance, Risk Management, Compliance) dead before it really blossomed?

Yes, if GRC is limited to auditing, with focus on some dashboards and some information extraction for auditors.

No, if GRC is understood as something which goes well beyond this and isn’t limited to a narrow one-way road. That is how we understand the GRC market and how we have defined this market segment in our GRC Market Report 2008.

There are some real value propositions for GRC solutions, beyond “avoiding penalties” as the classic negative driver:

  • On the lowest level, one standardized approach to GRC issues tends to be more efficient than many point solutions.
  • Much more important is the ability to not only audit but also control – Enterprise Authorization Management (or Entitlement Management) is one of the key elements of GRC solutions, providing business control over access to IT resources.
  • This is, by the way, much more efficient than the granular, isolated management of access controls on lower levels. A relatively small number of business roles and rules usually covers a significant part of all access controls on lower levels of the infrastructure, down to the system level. These lower-level controls can be derived from the business roles and rules, with some added exceptions.
  • Probably the most important aspect is that GRC done right enables more efficient, exception-focused management. Defining and measuring risks provides this ability.

From our view, GRC has to be understood as an initiative at the core of Business-IT alignment. GRC has the potential to fulfill the (today in most cases unfulfilled) promise of building a link between business and IT.


Unfulfilled Promises on GRC – nothing else

18.07.2008 by Martin Kuppinger

These days I received an invitation from an IT vendor to visit an ECM (Enterprise Content Management) event. The keywords were Governance and Compliance. And the title of the keynote presentation suggested that ECM will solve every threat in these areas companies are facing today. Interestingly, but not surprisingly, I have received invitations like that from other vendors – claiming to solve all these issues with other solutions in the fields of IAM (Identity and Access Management), BSM (Business Service Management), or with solutions focused on specific types of business applications like SAP or Oracle Applications.

Interestingly, very few cover the area of SOA, another of these three-letter abbreviations, which might be the fourth field that fulfills everything a company might require for GRC – or not.

Every one of these companies contributes something to GRC – but none of them will ever be able to fulfill all requirements, at least not as long as it doesn’t provide offerings for BSM, ECM, IAM, and SOA, for business applications, and for consulting on methodologies at both the business and the IT level. Maybe IBM might at some point be the one to deliver – but in the areas of integration, and of solutions specific to the leading business applications, there will be gaps for a very long time at least.

In other words: everyone is promising great things, no one is really delivering.

When you look at this issue from a customer perspective, it becomes obvious that there is a strong need to first define a corporate GRC strategy, derive an IT GRC strategy from it, and then implement that strategy, combining solutions from different vendors for different parts of the problem. Non-strategic GRC investments have to be avoided – they are costly. If there is no overall strategy, you will end up with many small, unintegrated pieces instead of a GRC solution which really can support your business requirements.

By the way: to support your initiatives in the field of GRC, we are now offering “GRC ratings” for vendors, clearly showing in which areas of the big picture of GRC they can deliver today, in which areas they might deliver in the future – and how mature we rate their offerings.

A short note at the end: someone asked me about the relationship between GRC and ECM. ECM is, among other functions, about archiving information, and there are many legal requirements for archiving business-relevant information. Thus, ECM is a part of the overall GRC theme.


© 2014 Martin Kuppinger, KuppingerCole