In my ongoing work with clients, I try as often as possible to stress the importance of flexibility in GRC programs. Internal processes and technology implementations must be able to accommodate the perpetually fluctuating aspects of business, compliance requirements, and risk factors. If GRC investments are made without consideration for likely requirements 1 to 2 years down the road, decision makers aren’t doing their job. And if vendors don’t offer that flexibility, they shouldn’t be on the shortlist.

News outlets over the past year have given us almost daily examples of change in the GRC landscape. The recent stories coming out of Davos have been no exception... giving us some truly fascinating debates on the necessity and detriment of regulations. As quoted in a Wall Street Journal article on Sunday, Deutsche Bank AG Chief Executive Josef Ackermann argued against heavy-handed regulation, saying, "We should stop the blame game and we should start looking forward... if you don't have a strong financial sector to support the this recovery... you're making a huge mistake and you will regret that later on," he said. French President Nicholas Sarkozy summed up the opposing argument in his keynote, explaining, "There is indecent behavior that will no longer be tolerated by public opinion in any country of the world... That those who create jobs and wealth may earn a lot of money is not shocking. But that those who contribute to destroying jobs and wealth also earn a lot of money is morally indefensible."

What a good way to kick off what should be another exciting year in GRC. Just less than a year ago, Archer Technologies brought consolidation to the IT GRC market with its acquisition of rival Brabeion. The vendor food chain continued today as EMC announced an agreement to acquire Archer into its RSA product division.

Details such as product integration and go-to-market strategy will trickle out slowly of course, but so far, this is a significant deal for a couple of reasons:

• Archer fills a substantial void in EMC’s product offering, which included many elements of GRC, but no central platform to pull it all together.
• EMC will introduce the Archer products to a much larger set of potential customers...most notably as a platform to manage security and compliance, but also to customers with requirements for related areas like vendor management or business continuity.
• It brings another IT heavy-weight fully into the GRC space, with substantial engineering resources to work on product development (but only if Archer continues to be seen as a top priority within RSA).

As we watch this acquisition come together, as well as other upcoming announcements that will make the GRC space even more competitive, here are a few questions to consider:

The SEC announced on Friday that it is charging two computer programmers for their alleged participation in the Ponzi scheme for which Bernard Madoff pleaded guilty and headed off to jail last March.

In its complaint, the SEC alleges that, “Madoff and his lieutenant Frank DiPascali, Jr., routinely asked (Jerome) O'Hara and (George) Perez for their help in creating records that, among other things, combined actual positions and activity from... market-making and proprietary trading businesses with the fictional balances maintained in investor accounts.”

The SEC further alleges that O’Hara and Perez tried to cover their tracks by deleting hundreds of files, withdrew hundreds of thousands of dollars from their investments through the company, told Madoff they wanted to stop helping him, and then accepted larger salaries and substantial bonuses for their promise to keep quiet.

It will be interesting to watch this case unfold. I was hoping it would get into issues of whether the IT professionals were considered just uninvolved support staff or key participants in the scheme. Considering the evidence SEC claims to have, I don’t think we’ll hear those arguments in this case, but keep an eye out for how the defense comes together. Fraud prevention is a growing area of concern for government, health care, insurance, financial services, and other industries... which means we could be seeing more cases questioning the responsibility of IT to identify and/or prevent such issues.

The launch of any new research report is exciting, but I’m especially happy to see the publication of the The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 2009.

The evaluation speaks for itself. Forrester goes through great pains to assure a fair, detailed process that looks into the strengths and weaknesses customers care about most — and this Wave is no exception. But considering the amount of time and effort we spent putting this report together, I wanted to provide some additional thoughts on what I learned during the process: