Companies Look To Contain Risk With GRC Software

The tech industry calls it GRC, for governance, risk management, and compliance, and it's a yawner compared with Web 2.0 and other exciting technology innovations. Yet it's growing fast: Businesses in Germany, Japan, and the United States collectively will spend $32.1 billion on GRC-related technologies and services this year, up 7.4% from last year, according to a new report by AMR Research. That's a slight drop over market growth of 8.5% last year, but still remarkable, considering that Congress enacted the biggest driver of compliance technologies, Sarbanes-Oxley, nearly six years ago.

"The economy going to hell in a hand basket doesn't change anything about GRC investments," says AMR analyst John Hagerty. Among the survey's 420 business and IT executive respondents, reached in February and March, 65% say they're increasing their GRC budgets this year, while 26% expect to spend the same amount.

That helps explain why software vendors are upping the appeal of their GRC offerings, which, broadly speaking, automate access to and control of business applications and monitor transactions for unusual activity. Last week, Oracle announced Application Access Controls Governor 8.0, the fruit of its acquisition last October of a company called LogicalApps. Updates include a service-oriented framework and integration templates that let IT departments embed access controls into non-Oracle software. Other features include the ability to generate executive dashboards and reports, and to create a repository for managing policies and automating tasks related to regulatory control.

Last month, SAP upgraded its GRC apps, some of which came from the company's acquisition of GRC vendor Virsa Systems in 2006, including a new feature in its Access Control app that detects conflicting employee roles and initiates mitigating workflows and, in its Process Control application, the ability to monitor compliance in non-SAP software.

SECURITY IN SHEEP'S CLOTHING
While compliance is still the primary reason to use GRC software, companies increasingly look to it to protect them against all sorts of risks, including fraud and money laundering, says Chris McClean, a Forrester Research analyst. AMR's Hagerty agrees, adding that another way to view GRC is as "security in sheep's clothing," but primarily for defending the integrity of data and systems within the firewall. IDC analyst Kathleen Wilhide says rising auditing costs, particularly associated with quarterly 10-K filings, also are encouraging companies to deploy company-wide GRC systems.

Some software is marketed specifically for GRC, such as Oracle's and SAP's offerings. But GRC technology also gets lumped into broader categories, such as process management and even business intelligence. SAP executive VP Doug Merritt, who launched the company's GRC efforts in 2006, says sales have taken off "faster than any other app area at SAP" in recent years. Little wonder, then, that SAP Ventures, the company's investment arm, last month joined several firms in a $15 million round of funding for Silicon Valley startup LogLogic, which makes software for managing IT logs that "hold a complete audit trail of user activity."

SOX encouraged businesses to develop company-wide strategies for reducing risk, rather than the knee-jerk, siloed approaches that existed previously. Among U.S. respondents to AMR's survey, 38% say they're addressing GRC issues globally and 36% say they're addressing them domestically, while just 25% say their efforts are at the division or line-of-business level.