Archer Sets Its Sights On IT GRC Rival, Acquires Brabeion

Chris McClean

Top contenders in the IT governance, risk, and compliance market merged on Tuesday as Archer Technologies announced it is acquiring Brabeion Software. Forrester projected consolidation as a key GRC market trend for 2009, and we explored the issue further for IT GRC vendors in our report, "Consolidation Looms for the IT GRC Market."

This was a strong move for Archer, as other, larger vendors are closely eying the IT GRC space for acquisition potential. Along with the acquisition of Paisley by Thomson Reuters last month in the Enterprise GRC space, this is just the beginning of what’s to come over the next 12-18 months. The GRC market as a whole is extremely broad and ripe for growth, but it is also crowded with niche vendors. Market leaders and enormous outsiders will be eager to scoop up as much of the pie as possible, which means more deals are on the way.

Stay tuned.



re: Archer Sets Its Sights On IT GRC Rival, Acquires Brabeion

Chris, Forrester pretty much made the initial definition of the "GRC" space. The trouble I have is that GRC may be a term recognized by analysts, consultants, and vendors, but it is not consistent with governance frameworks - such as the King Code (version III now out in draft), OECD, ASX, etc.

In these, governance includes risk management; risk management, in turn (looking at the COSO ERM model, for example) includes compliance. G, R, and C are part of the same - G. (Interestingly, if you use the other definition of GRC, where C stands for Control, you get the same result: control is included in risk management.)

Is there a chance we can get away from GRC as a term of usage and just refer to Organizational Governance and be consistent with international frameworks? That would also mean we would be talking the same language as practitioners, boards, etc.

re: Archer Sets Its Sights On IT GRC Rival, Acquires Brabeion

Thanks for responding... I appreciate your input. While corporate governance can be perceived and executed in very different ways, I think most companies we speak with understand that risk management and compliance play key roles.

The difficulty here is that corporate governance incorporates so many aspects of the business (transparency, disclosure, strategy, stakeholder rights, etc.) that using a single umbrella term at this point doesn’t seem especially helpful. Pretty soon, you would have hundreds of different programs - and therefore, technologies - throughout the organization bearing the governance label. GRC is a more focused and definable set of programs that will carry strong similarities from one business unit to another or from one company to another.

That said, your point is well taken about the dependent relationships of governance, risk, and compliance. Ultimately, we may use a different term to describe the aspects of governance that relate to risk and compliance. But to me, it seems that the term GRC has helped frame conversations in a way so that compliance, risk management, audit, and other professionals can work together to improve business performance.

On a related note, I’m looking forward to attending sessions tomorrow at SAP’s GRC2009 conference.