GRC – The Great Risk Con revisited


“Use caution with Forrester Waves and Gartner Magic Quadrants.”
 Leading GRC Analyst. 

In 2008 I wrote a piece for Risk Management Magazine called GRC – The Great Risk Con

The article went on to make a number of controversial comments ranging from an inference which suggested that anyone who uses the GRC term may not know what they’re talking about, through to GRC being a term created by the major IT players in order to create and capture a new market segment. 

I painted the term as unhelpful and mischievous and in the process I’m pleased to say that this caused great debate in this magazine. 

Three years later, little has changed. The GRC software market remains immature. Like other immature markets it’s characterised by acquisition and consolidation at all tiers. The Great Risk Con has become the Great Risk Consolidation. It’s been this way for years. 

My main contention with the GRC category is it lumps things together which don’t necessarily belong together. Risk assessment with compliance; issue tracking with audit work papers; continuous control monitoring with continuous transaction monitoring, e-rooms and collaboration tools, CAATs 2.0, knowledge management, control-self assessment and anything else you can think of thrown in for good measure. 

The lines have been blurred, and the research analysts seem to like the tools that do a bit of everything. 

The reality is there is no one size fits all solution. The field is too dispersed and the segment is still characterised by a number of niche players who are good at what they do. 

One leading GRC analyst estimates that there are over 400 GRC vendors, spanning 19 categories. And this is before considering our local batch from Australia, many of which are quite good. He concludes that in most cases it is more important to ensure your specific needs are met rather than compromising with a one-size-fits-all solution. 

At this stage we’d concur. The market is still immature. There still is innovation happening, some new niches being created and some interesting developments being made. User bases are still fragmented. Systems are still being bought and junked regularly. It also explains why so many systems continue to be built in-house. 

When embarking on a decision to buy, replace, build or configure, time spent up-front on being really clear on your user needs and requirements and nailing those in the first instance is the key to getting this right. 

For now, best of breed trumps best in class. WE suspect it will be this way for many years. 

Todd Davies & Associates assists organisations with GRC systems strategy, design and selection. This article first appeared in the final edition for 2011 of Risk Management Magazine

For information on how we can assist, please go to our Understanding GRC Software page.