The Future of GRC Technology: Reporting from the Customer Perspective

Earlier this year, OCEG released its global 2014 GRC Technology Strategy Survey report and it reveals some expected and some unexpected findings.

More than half of the 273 participants indicate that their organizations are currently underutilizing technology that they have acquired to manage governance, risk and compliance (GRC) needs. Not surprising, really, since they also indicate that more than 80% of GRC solutions being used are department or issue-focused stand-alone solutions that are not integrated with other GRC technology solutions. In fact, 57% report that what they actually are using to manage GRC information is a heavy dependence on spreadsheets.

As a result, 70% report that their currently deployed approach and technology are not aligned to the GRC needs of the organization. They see it and they know it is a problem. And finally, after a half dozen years of largely limited budgets, there appears to be a move toward investing in change. Nearly two-thirds say that they are aligned to take action on future enterprise GRC technology initiatives, and roughly 80% indicate that they are making decisions on an enterprise-wide or multi-department basis.

It’s interesting to see that, unlike the answers in earlier OCEG surveys, the focus seems to be on spending for new technology. In the past, efforts were more often aimed at seeking ways to reuse or revamp existing systems for additional uses. 41% of the survey participants indicate that they plan to buy new GRC technology this year, and another 58% say they plan to make purchases in the next one to two years.

But what are they planning to buy? And how do they expect it to solve the fraternal twin problems of technology being underutilized and segregated?

Michael Rasmussen, the author of our study, indicates that he sees organizations standing at a three-way crossroads, deciding which way to go with regard to GRC architecture, with 17% indicating they haven’t a clue which way to turn yet.

One road is to deploy a centralized GRC platform for the entire entity. While there are not a lot of companies that put themselves out there as offering such a complete GRC platform, they are a visible presence in the market and 36% of survey participants choose this option.

The second road is toward a federated GRC architecture: acquiring separate (best of breed where needed) GRC solutions for different aspects of need (e.g. policy management, third party management, etc.) and integrating them when it is necessary or makes sense to do so. This may (probably should) have a centralized GRC hub that each technology can feed into for coordinated reporting and other activities. While this is a path that takes significant analysis, planning and customization of the right combination of technologies, 27% of survey participants indicate their organizations are headed down this path. I predict that when we repeat this survey again in 2016, we will see that this road has more travelers.

And finally, there is the path of centralized and segregated GRC technology. These organizations buy separate solutions (sometimes best of breed) to meet distinct department or risk/compliance area needs, but do not plan to integrate them. This group has 21% of the survey participants.

No matter which road is taken, the top criteria for future GRC purchases are the same. In a 2012 survey we conducted, the top three were price, ease of use and functionality. These are still the top three, but in a slightly different order, with ease of use now in first place and price second. Functionality, the third item people are considering in their decisions, is actually the top driver of the desire to change GRC technology in the first place. Fully 40% of survey respondents say that their existing technology suffers from lack of functionality. Given the way business operations and challenges change rapidly today, it is not surprising that technology selected years ago no longer meets their needs.

Overall, I find the survey results encouraging. There seems to be greater appreciation for the need to truly understand the needs of the ultimate users, the GRC processes and the complexities of the business that depend on effective technology BEFORE making design and purchase decisions. If the time is put into analyzing and understanding these issues, the chances of selecting and effectively using the right technologies are greatly improved.

You can download the full GRC Technology Strategy Survey report at http://hello.oceg.org/grc-technology-strategy-survey-2014/

Carole Switzer, Co-Founder and President of OCEG

OCEG is a nonprofit global think tank with more than 40,000 members, dedicated to helping organizations achieve principled performance. OCEG offers GRC standards, guidelines and resources. www.oceg.org
