The evolution of business practices is proving as big of an issue for Security and Risk professionals as the changing threat landscape. Sure, attackers exposed hundreds of millions of personal records and government information in security breaches last year, and there are examples all the time of new, sophisticated attack methods… however Security and Risk pros should also be on the lookout for technology trends that may prove just as difficult to address: Digital disruption creating shockingly more competitive marketplaces, perpetual connectivity intensifying IT user expectations, and the data economy creating incredible new possibilities to leverage the power of existing information. Of course with big business opportunities come big business risks.

Guest post from Researcher Nick Hayes.

Take a second to think back to the year 2009. The US was in the thick of the financial crisis; companies were slashing budgets, and the unemployment rate was in double-digits. And do you remember a little thing called the “swine flu”? The World Health Organization (WHO) deemed the H1N1 strain of the swine flu influenza a global pandemic in June 2009. These were just some of the events top of mind for much of the nation and the broader global community three years ago.

2009 was also the year that the annual Forrester And Disaster Recovery Journal (DRJ) Survey focused on the role of risk management in business technology (BT) resiliency and crisis communications programs. Needless to say, the survey was fairly timely. Forrester found risk management was becoming a more common practice for business continuity teams, but that there was still more room for further collaboration with their risk management counterparts.

Fast forward three years, and the 2012 Forrester/DRJ survey is again focusing on the role of risk management in BT resiliency and crisis communications (you can take the 2012 survey by clicking here). A lot has changed since 2009 with a number of new events, technologies, and organizational challenges currently plaguing business continuity and risk management professionals.

Last week saw news that yet another top GRC software vendor has been acquired, following in the footsteps of Paisley, Archer, OpenPages, among others. BWise has always been an impressive vendor in the GRC space, so first off I think congratulations are in order for both parties.

That said, if you didn’t foresee NASDAQ getting into the GRC software space coming, don’t beat yourself up… after seeing the large technology vendors and content providers enter the space over the past 3 years, this wasn’t an obvious move. But looking a little deeper, NASDAQ’s move makes sense for a couple reasons:

-          NASDAQ’s target market cares about GRC. NASDAQ lists its target roles as marketing/corporate communications, board and corporate secretary, investor relations, and corporate finance. All of these roles have a vested interest in better controls, stronger risk management practices, and improved corporate governance.

-          BWise has always focused on the “G” of GRC. More than any other of the top GRC software vendors, BWise targeted governance professionals with capabilities such as entity management.

-          There are immediate integration possibilities. Among NASDAQ’s corporate solutions are products for board management, whistleblower reporting, and XBRL filing. BWise has a host of capabilities (issue management, process management, policy management, reporting, etc.) that could quickly add value to implementations of those products.

But, as always with a deal like this, both parties will have to show the market how they will address some key questions:

After months of diligent product and vendor evaluations, today we published The Forrester Wave: Enterprise GRC Platforms, Q4 2011. In the next few days, we will also publish The Forrester Wave: IT GRC Platforms, Q4 2011. These two reports feature a total of 20 vendors, all with proven capabilities to help customers tackle their continuously mounting regulatory challenges and manage their complicated risk profiles.

Why two Forrester Waves?

Governance, risk, and compliance functions within large and medium enterprises demonstrate tighter collaboration all the time... audit is working more closely with risk, and compliance programs are consolidating under more centralized control. However, Forrester still sees a gap between the requirements of those responsible for IT risk and compliance and the requirements of those managing risk and compliance outside of IT. No doubt, there is often substantial overlap between these groups, and many of the vendors evaluated have customers using their products to supports both IT and enterprise GRC functions. You’ll notice that of the roughly 60 evaluation criteria for each Wave, there are only 3-4 that differ between them. For now though, they remain basically two distinct markets.

So, what did we learn from the countless hours of briefings, demos, customer surveys, and other research we did for this Wave?

Today IBM announced plans to acquire the Fitch Group’s Algorithmics, a heavy-hitter in financial risk management software and services market, for $387 million.

 Here are my initial thoughts about today’s announcement:

• IBM is making a (relatively safe) bet that operational and financial risk functions will continue to comes together. Regulatory pressures from Basel III, Dodd-Frank, and Solvency II, as well as the competitive realities of the global market, are pushing for banks and insurance companies to have more comprehensive oversight of exposure across all domains of risk. In fact, analytics should be a top priority of any compliance program. It will be some time before IBM (or any other vendor) can deliver a single platform to manage operational, credit, market, liquidity, etc. in one place; however, the addition of Algo’s subject matter expertise and even basic integration of data for a single source of reporting offers customers attractive benefits.
• IBM still faces heavy competition in financial services for both operational risk with its OpenPages product and financial risk with its new Algo offerings... however. there are very few significant competitors that have strength in both. IBM’s announcement today was a strong move against these other few, most notably Oracle and SAS.