
Tech Sizzlers: Governance, risk and compliance

CIOL Bureau

NEW DELHI, INDIA: When the Sarbanes-Oxley Act was passed, not many of the public companies that had to comply with it greeted it with enthusiasm. Many felt it was a case of over-regulation. What irked companies initially was not just the need to be transparent at each step but also the huge cost of compliance.


Today, many companies have moved out of that phase and are realizing the virtues of streamlining organizational processes, which include more efficient use of resources as well as better management of enterprise risk in a more complex and globalized business environment.

More mature companies are also recognizing the need to take a more holistic approach to “proactively introduce enterprise governance policies” rather than “implement point solutions for regulation specific practices and procedures.”

This is because many of the enterprises today have to comply with multiple regulatory requirements based on the multiple businesses that they are in, and multiple geographies that they operate in.


Also, with the complexity of business increasing as outsourcing relationships and ecosystems play a greater role in the organizational delivery chain, the need to proactively manage risk has become crucial.

Not surprisingly, enterprises and their outsourcing service providers have turned to IT for help. The market for IT products and services that help corporations establish and measure practices for better corporate governance, and better manage their enterprise risk and regulatory compliance needs, is called the Governance, Risk & Compliance (GRC) market.

This umbrella term, when coined, included all the specific pieces of software used for specific applications as well as horizontal tools for enterprise risk management. Now, it also includes the huge risk and compliance consulting market.


Though analysts differ on the definition, and hence the sizing, of the market, the estimates of three analysts, taken together, give a good idea of its size and dynamics. Forrester Research was the first to define this market and identify the vendors in this space.

Last year, the firm estimated the GRC software platform market alone was $810 million and would reach $1.3 billion in 2011. Forrester divided it into four areas: policy and procedure management; risk and control assessment; risk analytics and investigations management.

It did not include GRC spending in areas such as security, contract management, environmental compliance, quality etc. Also, it did not track the services market.


Michael Rasmussen, the then Forrester analyst who had analyzed the market, has since started a research and consulting firm called Corporate Integrity and has been tracking the GRC market.

In recent (March 2008) research titled 2008 GRC Drivers, Trends and Market Directions, the firm estimated that the GRC market in 2008 would be approximately $52.1 billion.

The research distributes it among GRC professional services ($40.6 billion), GRC Technology ($9.3 billion) and GRC Information/Content ($2.2 billion). AMR Research, another firm that tracks this market, is a little more conservative.


It estimates the total market to be worth $32 billion this year, with services accounting for $21.5 billion. The AMR research also notes that, for the first time since 2003, the GRC budget focus in enterprises has shifted to operational and risk management, whereas regulatory compliance programs have become a necessary but not top-of-mind initiative for senior executives.

It is necessary to point out here that the G in the GRC market is enterprise governance, which spans organizational functions such as finance, legal, HR, audit, outsourcing etc. IT governance is just one part.

All the discussion about IT arises because IT enables most GRC activities, not because of IT’s own governance, which is a small subset of the entire GRC spending.


In fact, financial control software still dominates the market. While many large companies prefer to get the pieces from their enterprise software vendors such as IBM, Oracle and SAP, prompting those vendors to aggressively build this into their portfolios, there is no dearth of pure-play players.

In fact, some of the market leaders include companies like Bwise, Certus, Strategic Thought, MEGA, OpenPages, Axentis, Qumas and Compliance 360. We expect a lot of M&A in this space in the next twelve months.

We also expect that traditional IT services providers such as IBM Global Services, Accenture, and TCS will play an increasingly important role in the GRC plans of corporations.
