Governance Risk Compliance Software DCA

Governance, Risk and Compliance (GRC) software
Business needs and market trends

David Cau
Director, Business Risk
Deloitte

The importance of a holistic view of risk and compliance issues, and the difficulty of achieving it, is often recognised as a weakness for many organisations. As an indication that significant improvements may be required at many organisations, the recent Deloitte Global risk management survey (eighth edition) reveals that when asked about the capabilities of their data strategy and infrastructure, no more than one-third rated them as extremely or very effective in any area.

As an organisation progresses in developing its risk management, internal audit and compliance practices, the issue of investing in an automated solution to improve efficiency will arise sooner or later.

Tools for governance, risk and compliance functions
First of all, it is important to clarify the concept of GRC. Although various definitions do exist, the definition proposed by Nicolas Racz, Edgar Weippl and Andreas Seufert in their recent research paper ‘Frame of Reference for Research of Integrated Governance, Risk & Compliance (GRC)’ provides a rather comprehensive view of the concept. In this paper, GRC is defined as “an integrated, holistic approach to organisation-wide governance, risk and compliance ensuring that an organisation acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness”.

The primary purpose of GRC software is therefore to automate much of the work associated with the documentation and reporting of the risk management and compliance activities that are most closely associated with corporate governance and business objectives. The primary end users include internal auditors and the audit committees, risk and compliance managers, and accountable executives. The key functions of GRC software are usually the following:

• Audit management functions that support internal auditors in managing work papers, and scheduling audit-related tasks, time management and reporting

• Policy management features that include a specialised form of document management that enables the policy life cycle from creation to review, change and archiving of policies; mapping of policies to mandates and business objectives in one direction, and risks and controls in another, as well as the distribution to and attestation by employees and business partners

• Compliance management functions that support compliance professionals with the documentation, workflow, reporting and visualisation of control objectives, controls and associated risks, surveys and self-assessments, testing and remediation. At a minimum, compliance management will include financial reporting compliance (e.g. SOX compliance), but it can also support other types of compliance, such as industry-specific regulation (e.g. ISO 9000) and compliance with internal policies

• Risk management functions that support risk management professionals with the documentation, workflow, assessment and analysis, reporting, visualisation and remediation of risks (as defined in ISO 31000). This component focuses generally on risks and incidents follow-up but may also collect data from risk analytics tools (Credit Risk, Market Risk, etc.) to provide a consolidated view of risks

The GRC software market: the business need

• Most organisations are aware of the need for a significant improvement in the way they manage their risk, internal audit and compliance functions through better automation of data and information. As illustrated by an OCEG survey (Figure 1), 85% of companies interviewed are convinced that they would benefit from integrating the use of technology for their GRC activities. The need for a GRC technological solution is there, but the question remains: which technological tools will be able to provide the appropriate solution?

• In the eighth edition of the ‘Deloitte Global Risk Management Survey’, organisations cited a number of concerns about their risk management information technology systems (Figure 2)

• Among the main concerns addressed is the ability of organisations to easily upgrade or revise their risk technology systems: 78% of companies are extremely, very or somewhat concerned about their ability to adapt to changing regulatory requirements, as well as about the lack of flexibility to extend the current systems. Related to this issue, 75% of organisations are extremely, very or somewhat concerned about a lack of integration among systems and 63% of the organisations have issues with an inability to integrate risk analytics from multiple risk systems. Many organisations maintain different information systems for specific products or geographies, sometimes due to past acquisitions, and it can be difficult and expensive to combine their output or else to replace them with an integrated information system

• Moreover, the pace of regulatory change has put the emphasis on the ability of organisations to have risk systems that can respond quickly to new requirements. This appears to be a concern especially for larger institutions: 40% of large institutions said they were extremely or very concerned about the ability of their risk technology to respond to new regulatory requirements, as did 44% of mid-size institutions and only 12% of small institutions

• Some of the other top priorities for investment include risk analytics and risk reporting: risk analytics (53%), real-time risk monitoring (51%) and risk dashboards (44%)

• But the fastest growing business need relates to risk data quality and management, with 79% of institutions at least somewhat concerned, including 40% who are extremely or very concerned. Creating consistent data standards is a challenge for organisations, which often source data from multiple locations with incompatible data formats. Further, departments within an organisation may not realise that they both have a relationship with the same counterparty, as each may do business with a different business unit or subsidiary

Figure 1: Would your organisation benefit from integrating and streamlining use of technology for GRC activities enterprise-wide?
Yes: 85.6%
No: 14.4%

Figure 2: How concerned is your organisation about each of the following issues for its risk management information technology systems? (extremely/very concerned, somewhat concerned, total)
Risk data quality and management: 40%, 39%, 79%
Risk technology adaptability to changing regulatory requirements: 34%, 44%, 78%
Lack of integration among systems: 31%, 44%, 75%
Lack of flexibility to extend the current systems: 34%, 36%, 70%
High cost of maintenance and vendor fees: 18%, 52%, 70%
Lack of performance for more frequent and timely reporting: 21%, 48%, 69%
Inability to respond to time-sensitive and ad-hoc requests: 25%, 43%, 68%
Inability to integrate risk analytics from multiple risk systems: 18%, 45%, 63%
Lack of integrated risk and finance reporting for economic: 20%, 40%, 60%
Out-of-date methodologies: 20%, 36%, 56%
Lack of cross-asset-class risk calculations: 10%, 45%, 55%
Constraints in aggregation and reporting of risk analytics: 13%, 38%, 51%
Inability to source required functionality from a single vendor: 8%, 42%, 50%
Lack of product and asset class coverage: 12%, 37%, 49%
Inability to capture increasing volumes: 10%, 29%, 39%
Lack of aggregation of trading and banking books: 10%, 25%, 35%

The GRC software market: the offering

Market overview
The GRC market as defined by the technology industry is about 10 years old, and buyers have high expectations for the performance of GRC software.

Up to now, from a technical perspective, organisations have generally opted for risk management systems installed in-house, whether developed internally or by vendors, rather than hosted externally. Indeed, according to a recent Deloitte survey, roughly 40% of organisations said they were likely to make a major investment over the next 12 months. Among these organisations, 45% were considering internally-developed applications, while 41% would rather opt for third-party vendor applications installed in-house. Third-party vendor applications hosted by a vendor (20%) were cited less often as a target for major investment. Data privacy concerns around confidential information being hosted off-site may well be a reason this last approach seems to be adopted less often.

The GRC software market is dominated by key players like IBM, RSA Archer, Thomson Reuters, SAP or Oracle. Deloitte has established strong strategic and technical alliances with these key players in order to better serve the clients that have opted for their software. But the market is still offering a significant place to niche players (e.g. MetricStream, Sword, Checkpoint, Mega and Aris). Moreover, the GRC market seems to be thriving, as more companies realise that they pretty much have to invest in this area, and so the market landscape might rapidly evolve as a result.

It is important to mention that this market segmentation is more a question of the size of the vendor than of significant price differentiation. Price is key: the business case for GRC software is often strongly questioned, budgets for GRC software are limited in most companies, and licence fees or, more globally, the Total Cost of Ownership (TCO), namely the cost of development, implementation, licence fees and maintenance of a GRC solution, are usually similar across vendors.

Most of the recent market studies forecast an annual rate of increase of about 10% over four years. Indeed, toward the end of 2011, after the market had grown 18% in 2010, Forrester Research data suggested a CAGR of 14% or so through 2015. TechNavio, for its part, has recently forecast that the global GRC software market will grow at a CAGR of 9.2% over the period 2012-2016, driven by “increasing demand for comprehensive solutions”, which seems to favour the biggest players in the industry, such as EMC, IBM, Thomson Reuters and the big ERP players (SAP and Oracle), though it is worth mentioning that projected growth rates in previous years have been even higher.

A strong consolidation, with a shift from best-of-breed players to well-established vendors, will also be a key market trend. This consolidation will be driven by the need for greater investment in complex risk analytics to face the ‘big data’ problem of the vast majority of organisations.

Differentiation today is also about the ability to deliver against multiple use cases and to provide advanced risk management functionality, with analysis of the impact of risks on strategic objectives and business performance, domain expertise in multiple highly regulated industries, ease of use (including mobile capabilities) and configurability.

GRC software market view in Luxembourg
The GRC software market is still emerging in Luxembourg, but the situation is rapidly evolving and differs among sectors.

In Luxembourg the banking sector is already well equipped with various niche solutions covering one specific aspect of risk (market risk, credit risk, operational risk, liquidity risk) and compliance. This sector is facing the issue of a lack of integration of its various solutions and has difficulty in migrating or integrating the various applications into an overarching structure. However, the recent CSSF circular 12/552 is already contributing to the development of the GRC market, as this new regulation recommends more and more effort on common governance of risk and compliance issues.

Investment management, a key sector in Luxembourg, is up to now significantly underequipped with GRC software. The main reason seems to be that the investment management sector is highly fragmented, with various actors who are still overwhelmed by the operational management and set-up of regulations such as AIFMD or EMIR. Moreover, it has to be said that the vast majority of GRC players are not offering appropriate solutions to this sector: both the pricing models and the key features proposed by GRC vendors are not yet fully adapted to this market.

The insurance sector is increasingly interested in GRC solutions, but either local players are part of international groups and have to use (or wait for) the corporate solution, or they are small and cost is often perceived as a key hindrance to the implementation of GRC software.

The industry and public sector is increasingly ready and interested in GRC software and is generally starting its GRC project with the implementation of an operational risk application/module. New regulations such as REACH, CLP or quality-related recommendations are also pushing the industrial sector to enhance its holistic approach to risk, internal audit and compliance.

Key trends affecting the GRC software market
The functions of GRC software are evolving on the basis of several trends, which include:

• A growing need for internal audit features as organisations face increasing regulatory requirements, GRC oversight and demands for more business performance audits

• An increasing need for regulatory content services and change management to deal with regulatory proliferation. In the aftermath of the 2008 global financial crisis, GRC has to support the transparency objectives of regulators and decision making by business leaders. Currently the regulatory focus of the software is on anti-corruption and bribery

• The development of risk analytics to support the integration of risk management and performance management

• The emergence of third-party risk management to ensure that third parties do not present unacceptable compliance and risk exposure

• A focus on operational technology and critical infrastructure protection, which increases the variety and volume of risk and control data (‘big data’ management)

GRC software selection

Usual approach: vendor selection based on ‘quadrants’
Most companies that are opting for third-party GRC software tend to base their GRC software selection on GRC market ‘quadrants’ analysis, mostly performed by Gartner and Forrester. Instead of simply showing statistics or ranking companies in lists, GRC market ‘quadrants’ use a two-dimensional matrix to illustrate the strengths and differences between vendors.

The most common criteria used by these quadrants are the ability to deliver GRC functions (audit management, compliance management, policy management and risk management) and a credible presence in the marketplace (an existing enterprise GRC client base, a growth strategy and brand, support capabilities, a strategy for and investment in continued innovation in GRC solutions and related products, geographical reach and financial strength).

However, these quadrants may lead companies to limit their GRC tool selection process only to the vendors mentioned in the quadrants, or even to consider only players from the leaders’ quadrant, and to initiate their choice only from an IT standpoint rather than also considering the business needs.

Deloitte holistic approach
The key driver of the holistic approach to a GRC software selection process is the agnostic position of Deloitte regarding technological solutions.

The main purpose is to find the solution that gives the best value for money for clients. Deloitte uses a well-proven methodology that guides the client through the evaluation process for software options, allowing the client to make a decision based on a sound analysis. The selection process generally encompasses seven phases (as illustrated in Figure 3).

It is important to start a GRC selection project with a deep analysis of the client’s business needs and context in order to formalise the functional coverage. Then, a clear view of the client’s current IT environment (existing specialised solutions or enterprise solutions such as ERP) has to be obtained. These analyses will help to see whether the best option consists in developing a new solution internally, buying a packaged solution or opting for a best-of-breed solution. These reviews will also make it possible to evaluate whether, given the current situation, the implementation is realistic.

If the best option identified consists in the implementation of a third-party/vendor solution, it will be necessary to identify the best solution on the market from the wide range of software currently available. Five key areas of criteria (Figure 4) make it possible to select a list of potential candidates, which will then give live demonstrations based on specific client requirements. Lastly, price negotiations and discussions of final technical adjustments come into play in order to select the target solution.

Deloitte’s specialists therefore help clients throughout their selection process, providing specific support when it comes to performing an analysis of requirements, helping to draft calls for tender, conducting research on the software market and offering a selection of appropriate suppliers, or making the final decision through coaching, support and analysis.

In a nutshell, integration is the key idea regarding the current and future situation of GRC software. There is a need for integration of the decision process within organisations: too often, decisions concerning GRC technical solutions are taken at department level and only cover a specific aspect of the GRC spectrum. There is a need for technical integration, as most companies have to deal with existing solutions. There is also a trend towards integration among the GRC solution providers, driven by the need for greater investment in complex risk analytics to face the ‘big data’ problem of the vast majority of organisations. In fact, the need for integration is rather logical, as it is the essence of GRC itself.

Figure 3: GRC software selection process (seven phases, with project management and coaching, and communication of objectives, results and relevance, running across all phases)
1. Scope: validate scope and confirm approach
2. Options: identification of possible software options
3. Support for RFP: definition of selection criteria and support in crafting of specifications
4. Extended list: pre-selection of an extended list of solutions
5. Shortlist: selection of a shortlist of solutions
6. Test and scenarios: test scenarios and demonstrations
7. Final selection: selection of the solution and implementation strategy

Figure 4: Five key areas of selection criteria

1. Functional coverage
• Are the answers regarding specific functions clear, or are they deliberately vague?
• Does the functional coverage match the expectations, or only partially?

2. Technical architecture
• Is the software available in multiple versions for multiple environments (Windows, Linux, Unix, etc.)? This demonstrates the supplier’s experience working in various technical environments
• Is the solution modular? This will facilitate further development (sustainability)

3. User friendliness
• Design of screens
• Predictive text input
• Number of entries required for the operation
• Level of customisation of reports

4. Costs
• Is the implementation of the solution clearly described (e.g. integration of existing data, time required for setup, time and cost required for the customisation of the solution)?
• Is the cost of the consultants that will implement the solution clear (fixed price? travel costs?)?
• Is the cost of licences clearly defined?
• What exactly does the maintenance contract cover?

5. Vendor characteristics
• Has the vendor replied in a timely manner? This is a measure of the seriousness of the supplier and of the available resources
• Does the vendor understand the requirements?
• Are the vendor references comparable? Some vendors have many references... in other continents... or for other products
• Is the vendor a ‘market maker’ or a ‘market follower’?
