After months of diligent product and vendor evaluations, today we published The Forrester Wave: Enterprise GRC Platforms, Q4 2011. In the next few days, we will also publish The Forrester Wave: IT GRC Platforms, Q4 2011. These two reports feature a total of 20 vendors, all with proven capabilities to help customers tackle their continuously mounting regulatory challenges and manage their complicated risk profiles.
Why two Forrester Waves?
Governance, risk, and compliance functions within large and medium enterprises demonstrate tighter collaboration all the time... audit is working more closely with risk, and compliance programs are consolidating under more centralized control. However, Forrester still sees a gap between the requirements of those responsible for IT risk and compliance and the requirements of those managing risk and compliance outside of IT. No doubt, there is often substantial overlap between these groups, and many of the vendors evaluated have customers using their products to support both IT and enterprise GRC functions. You’ll notice that of the roughly 60 evaluation criteria for each Wave, there are only 3-4 that differ between them. For now, though, they remain basically two distinct markets.
So, what did we learn from the countless hours of briefings, demos, customer surveys, and other research we did for this Wave?
Forrester's Security and Risk Management clients often describe the frustration they feel when they are not included in important initiatives until after decisions have been made. Lately, this situation has been especially pronounced among decisions to enter partnership agreements based on service, performance, and cost considerations... with risk management only brought in later to identify and mitigate potential points of exposure.
At the same time, Forrester's Sourcing and Vendor Management professionals find themselves facing their own challenges when it comes to managing the risk of partner relationships. In a Q3 2011 survey of 575 Sourcing and Vendor Management professionals, top concerns related to "X-as-a-service" relationships included the lack of recourse if a vendor fails or goes out of business, the lack of a clear way to assess the risk of a third party, and the inability to manage how providers are handling data. (Source: Forrsights Services Survey, Q3 2011)
In order to bridge this gap, Security and Risk Management professionals need to deliver a streamlined way to insert risk identification, analysis, and evaluation steps within their organization's existing vendor management lifecycle. Forrester customers who have taken this approach - for example, by introducing short, 10-15 question surveys to determine whether more detailed vendor risk assessments are warranted - report better oversight of vendor risk and better involvement in the decision-making process. In some cases, Security and Risk Management professionals have even reported casting a decisive thumbs-down vote to block a new vendor contract because it represents unacceptable risk.
Today IBM announced plans to acquire the Fitch Group’s Algorithmics, a heavy-hitter in the financial risk management software and services market, for $387 million.
Here are my initial thoughts about today’s announcement:
IBM is making a (relatively safe) bet that operational and financial risk functions will continue to come together. Regulatory pressures from Basel III, Dodd-Frank, and Solvency II, as well as the competitive realities of the global market, are pushing banks and insurance companies to have more comprehensive oversight of exposure across all domains of risk. In fact, analytics should be a top priority of any compliance program. It will be some time before IBM (or any other vendor) can deliver a single platform to manage operational, credit, market, liquidity, and other risks in one place; however, the addition of Algo’s subject matter expertise and even basic integration of data for a single source of reporting offers customers attractive benefits.
IBM still faces heavy competition in financial services for both operational risk with its OpenPages product and financial risk with its new Algo offerings... however, there are very few significant competitors that have strength in both. IBM’s announcement today was a strong move against these other few, most notably Oracle and SAS.
In my new report, The Risk Manager's Handbook: How To Measure And Understand Risks, I present industry best practices and guidance on ways to articulate the extent or size of a risk. More than the interpersonal, political, and leadership skills required of a risk management professional, defining how risks are measured and communicated is where I believe they prove their worth. If risk measurement techniques are too complicated, they may discourage crucial input from colleagues and subject matter experts... but if they are too simple, they won't yield enough relevant information to guide important business decisions. Great communication skills can only hide irrelevant information for so long.
This report includes factors to use in the risk measurement process, ways to present risk measurement data in meaningful ways, and criteria to use when deciding which of these methods are most appropriate. As always, your feedback is welcome and appreciated.
In addition, I will be covering a related topic with our Security and Risk Council in a session called Creating A High-Impact Executive Report along with my colleague Ed Ferrara at Forrester's upcoming IT Forum: Accelerate At The Intersection Of Business And Technology, May 25-27, in Las Vegas. Please join us if you can make it. Later in the week, I will be available for 1-on-1 meetings with attendees, and I'll also present sessions on linking governance and risk and establishing good vendor risk management practices. I hope to see you there.
Of all the client inquiries and advisories we get related to risk management, one of the most frequent topics of discussion continues to be the role of risk management. Who should be involved? How? What should our objectives be? How should we measure success?
In an upcoming Security & Risk Council member meeting in London, I plan to take members through each of the five steps of ISO 31000 in an interactive workshop. We will discuss how to build repeatable and consistent processes, demonstrate that process to stakeholders, improve strategy and planning, and show support for relevant corporate functions and business units. If you’re interested in discussing this idea with me and other members of the Security & Risk Council, please consider joining us on March 16 in London. In order to qualify to attend, you must be a senior-level security and/or risk management executive in a $1B+ organization. Please click here for more details on the S&R Council or on the member meeting itself.
Details have been elusive thus far, but reports indicate that multiple breaches occurred, resulting in “suspicious files” on the company’s servers. A statement released by Nasdaq assures us that its trading systems and customer data were not compromised, and those in the know tend to agree that infiltrating the trading systems would be substantially more difficult than breaking into the web environment and leaving a few files behind. As the investigation continues, hopefully we'll learn more, but what can we take away from this story so far?
The list of attractive hacker targets continues to grow. Whoever perpetrated this breach chose not to go after traditionally lucrative targets like customer/employee data or a more difficult and devastating attempt to dismantle one of the world’s biggest exchanges. Instead the target was a more accessible set of extremely sensitive corporate data – details about mergers, acquisitions, dividends, and earnings. Without much sophistication, criminals could use this information to execute rather impressive “insider trading” transactions or simply find an outlet like WikiLeaks for some of the more embarrassing tidbits.
This week we published the first in a series of reports I'll be writing to help clients calculate the return on investment of GRC technologies. This report, How To Measure The ROI Of A GRC Platform, outlines the key factors and suggested metrics to show what GRC can do for your organization.
Of course, my first recommendation is to exhaust your arsenal of arguments before falling back into ROI terrain. GRC is about improving oversight, strengthening controls, and finding ways for the business to succeed within the boundaries of risk tolerance. But these board-level issues can quickly give way to questions of costs and savings... so it's good to be prepared.
The considerations for costs (software, hardware, maintenance, implementation, etc.) are not much different than other large IT projects, nor are the associated risks (requirements, scope, adoption, integration, etc.). What's tough is articulating the benefits. The report offers much more detail, but generally the success factors of a GRC implementation fall into three categories. These are:
Efficiency, which includes product and process consolidation as well as facilitation of processes such as policy development and distribution, risk and control assessments, incident/issue management, data/report aggregation.
Risk reduction, which includes decreases in audit and examination findings, reduction in regulatory fines, faster remediation of issues, and the secondary benefits of these improvements, such as decreased cost of capital and lower insurance costs.
On the heels of Forrester's GRC Market Overview last month, this week we published my Governance, Risk, And Compliance Predictions: 2011 And Beyond report. Based on our research with GRC vendors, buyers, and users, this paper highlights the aggressive regulatory environment and greater attention to risk management as drivers for change. Specifically, here is a brief summary of the top five trends we will see next year:
Increasing vendor competition will continue to bring more choices and more confusion. Strong market growth will encourage more technology and service vendors to get into the market, which means the fragmentation (which I've discussed previously) and confusion will continue.
It will come as little surprise to most of you that the overall GRC market is still saturated with relatively small vendors, many of which continue to struggle to maintain their market niches. At the same time, a handful of market leaders (notably BWise, IBM/OpenPages, MetricStream, RSA/Archer, and Thomson Reuters/Paisley) continue to distance themselves from the rest of the pack, while several large competitors (including Oracle, SAP, SAS, Software AG, and Wolters Kluwer) put more and more pressure on the market all the time.
It's been interesting to watch these vendors that competed head-to-head regularly for SOX compliance deals now drifting further apart... some focusing more on risk management and analytics, some strengthening their compliance and content offerings, some building deeper integration with IT systems, and others building bridges into audit departments. The current environment of increased government oversight and regulation — and in some cases, reform of whole industries — worldwide promises to bring a strong resurgence to the GRC platform market overall, which means increased competition from veteran vendors and newcomers alike.
Rarely does vendor consolidation reflect such fragmentation of a market.
Picking up on the recent acquisition trend of independent market leaders, IBM today announced plans to acquire long-time GRC heavyweight OpenPages to strengthen its business analytics offerings, including Cognos and SPSS. It's a good fit for both companies and certainly won't surprise anyone who has been following the space... the OpenPages platform leans on Cognos for its reporting capabilities, so they already have a head start on product integration. The two have also proven successful in the past by combining forces on large risk management implementations, so there are already established use cases to reference.
This deal is most interesting, however, when you consider the other acquisitions of top GRC vendors. Less than two years ago, Paisley was acquired by Thomson Reuters to strengthen its tax and accounting business and content delivery, while EMC acquired Archer Technologies earlier this year as a dashboard (at least initially) to pull together IT risk data and processes as part of its RSA security offerings. While OpenPages has historically competed with Paisley in financial controls management and has recently been moving more into Archer's core IT risk and compliance domain, this acquisition will likely turn the company more toward higher-level corporate performance and enterprise risk management. The GRC vendors will still compete regularly, but their unique selling propositions are starting to look more and more unique all the time.