Thoughts on EMC’s acquisition of Archer

Chris McClean

What a good way to kick off what should be another exciting year in GRC. Just less than a year ago, Archer Technologies brought consolidation to the IT GRC market with its acquisition of rival Brabeion. The vendor food chain continued today as EMC announced an agreement to acquire Archer into its RSA product division.

Details such as product integration and go-to-market strategy will trickle out slowly of course, but so far, this is a significant deal for a couple of reasons:

  • Archer fills a substantial void in EMC’s product offering, which included many elements of GRC, but no central platform to pull it all together.
  • EMC will introduce the Archer products to a much larger set of potential customers...most notably as a platform to manage security and compliance, but also to customers with requirements for related areas like vendor management or business continuity.
  • It brings another IT heavy-weight fully into the GRC space, with substantial engineering resources to work on product development (but only if Archer continues to be seen as a top priority within RSA).

As we watch this acquisition come together, as well as other upcoming announcements that will make the GRC space even more competitive, here are a few questions to consider:


The new ISO 31000 risk management standard . . . well-written, but not earth-shattering

Chris McClean

By now, many of you have read the newly released ISO 31000 Risk management - Principles and guidelines standard. (Others may have seen its release draft or be familiar with its predecessor, the AS/NZS 4360 standard.)

It provides a well-written, step-by-step guide to risk management processes that can be applied to whole organizations, or any part thereof. So far, it has received well-deserved praise for its surprising brevity and consolidated value. These are especially important characteristics for a document with as lofty a goal as standardizing what it calls “an integral part of all organizational processes.”

But if we expect the availability of ISO 31000 to have any sort of revolutionary or game-changing impact in the immediate future, we’re getting way ahead of ourselves.


The Madoff Scandal Widens to Include IT

Chris McClean

The SEC announced on Friday that it is charging two computer programmers for their alleged participation in the Ponzi scheme for which Bernard Madoff pleaded guilty and headed off to jail last March.

In its complaint, the SEC alleges that, “Madoff and his lieutenant Frank DiPascali, Jr., routinely asked (Jerome) O'Hara and (George) Perez for their help in creating records that, among other things, combined actual positions and activity from... market-making and proprietary trading businesses with the fictional balances maintained in investor accounts.”

The SEC further alleges that O’Hara and Perez tried to cover their tracks by deleting hundreds of files, withdrew hundreds of thousands of dollars from their investments through the company, told Madoff they wanted to stop helping him, and then accepted larger salaries and substantial bonuses for their promise to keep quiet.

It will be interesting to watch this case unfold. I was hoping it would get into issues of whether the IT professionals were considered just uninvolved support staff or key participants in the scheme. Considering the evidence the SEC claims to have, I don’t think we’ll hear those arguments in this case, but keep an eye out for how the defense comes together. Fraud prevention is a growing area of concern for government, health care, insurance, financial services, and other industries... which means we could be seeing more cases questioning the responsibility of IT to identify and/or prevent such issues.


The GRC Groundswell

Chris McClean

As GRC practices continue to gain traction, I’ve had a lot of great conversations lately with clients about the importance of peer interaction for professionals in governance, risk, and compliance roles. With his finger apparently on the pulse of all major technology trends, Forrester’s Josh Bernoff must see this as well. This week he announced the winners of the 2009 Forrester Groundswell Awards, with two top GRC vendors among the winners. (For those of you not familiar with Josh Bernoff or Groundswell, check out the book info here.)


And the results are in... The Forrester Enterprise GRC Platform Wave 2009

Chris McClean

The launch of any new research report is exciting, but I’m especially happy to see the publication of The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 2009.

The evaluation speaks for itself. Forrester goes through great pains to assure a fair, detailed process that looks into the strengths and weaknesses customers care about most — and this Wave is no exception. But considering the amount of time and effort we spent putting this report together, I wanted to provide some additional thoughts on what I learned during the process:


Granted, the regulatory environment is changing. How will this affect us?

Chris McClean


We are now approaching the half-way point of 2009, and most of us are still trying to figure out the nature and scope of regulations that will descend in reaction to the massive corporate failures of the last 9 months. Considering the hefty burden brought by Sarbanes-Oxley in reaction to — by comparison — less egregious issues, it’s no wonder risk and compliance professionals are waiting with nervous anticipation.


New Security and Risk Podcast - The GRC Technology Puzzle

Chris McClean

It’s bad enough when your boss puts you on the spot about a recent project you’ve finished...it’s even more interesting when that conversation is recorded for the general public.

Listen to Research Director Rob Whiteley interview me about one of my recent reports in our new podcast, The GRC Technology Puzzle: Getting All The Pieces To Fit.

For those of you interested in why analysts write the reports they do and how they might have done things differently, our podcasts provide a behind-the-scenes look at what customer conversations, market trends, and other issues motivate our research.

This report specifically tackles the increasingly complicated GRC technology landscape, a market segment that includes literally hundreds of vendors vying for their share of corporate budgets. The highlight is a graphic that illustrates the different categories of technology available on the market and the distinct role they play in a broad GRC program.


Archer Sets Its Sights On IT GRC Rival, Acquires Brabeion

Chris McClean

Top contenders in the IT governance, risk, and compliance market merged on Tuesday as Archer Technologies announced it is acquiring Brabeion Software. Forrester projected consolidation as a key GRC market trend for 2009, and we explored the issue further for IT GRC vendors in our report, "Consolidation Looms for the IT GRC Market."


Thomson Reuters Gets A Jump On Holiday Shopping, Acquires Paisley

Chris McClean

Keep an eye out in the next week for Forrester’s GRC Trends 2009 report, which will take a look at how a decidedly rocky end of 2008 will impact those responsible for various aspects of corporate governance, risk management, compliance, audit, and finance... as well as the product and service firms that serve them.

One trend that we call out in the report is the impending consolidation of the GRC technology landscape, which is a top-of-mind issue for many leading vendors in the space.

Wednesday, Thomson Reuters got an early start on this trend with a definitive agreement to purchase Paisley. A leader in the GRC platform and audit management markets, Paisley will be a strong addition to the company's Tax and Accounting group.


Microsoft and BearingPoint see space to play in the Enterprise GRC market

Chris McClean

Earlier this week in a joint press release, Microsoft and BearingPoint announced the new BearingPoint Enterprise Governance, Risk, and Compliance product offering. Ok... it will be a while before the more veteran enterprise GRC vendors start really losing sleep over this deal. But BearingPoint continues to be a top risk consulting firm, and Microsoft’s reach through the business user community will be an attractive benefit for compliance and risk professionals trying to get hundreds or thousands of staff members to contribute to the GRC program. There’s potential here for sure.
