The evaluation speaks for itself. Forrester goes through great pains to assure a fair, detailed process that looks into the strengths and weaknesses customers care about most — and this Wave is no exception. But considering the amount of time and effort we spent putting this report together, I wanted to provide some additional thoughts on what I learned during the process:
We are now approaching the half-way point of 2009, and most of us are still trying to figure out the nature and scope of regulations that will descend in reaction to the massive corporate failures of the last 9 months. Considering the hefty burden brought by Sarbanes-Oxley in reaction to — by comparison — less egregious issues, it’s no wonder risk and compliance professionals are waiting with nervous anticipation.
For those of you interested in why analysts write the reports they do and how they might have done things differently, our podcasts provide a behind-the-scenes look at what customer conversations, market trends, and other issues motivate our research.
Keep an eye out in the next week for Forrester’s GRC Trends 2009 report, which will take a look at how a decidedly rocky end of 2008 will impact those responsible for various aspects of corporate governance, risk management, compliance, audit, and finance... as well as the product and service firms that serve them.
One trend that we call out in the report is the impending consolidation of the GRC technology landscape, which is a top-of mind issue for many leading vendors in the space.
Pouring over endless details of risks, regulations, taxonomies, and technologies can sometimes give us a narrow view of the world, so it seems worthwhile to take a minute to mark the 125th anniversary of the cataclysmic eruption of Krakatoa this week. For those of us that want to think big but can’t remember that far back, this week is also the 3rd anniversary of Hurricane Katrina’s devastating sweep across a wide stretch of the US Gulf Coast.
Earlier this week in a joint press release, Microsoft and BearingPoint announced the new BearingPoint Enterprise Governance, Risk, and Compliance product offering. Ok... it will be a while before the more veteran enterprise GRC vendors start really losing sleep over this deal. But BearingPoint continues to be a top risk consulting firm, and Microsoft’s reach through the business user community will be an attractive benefit for compliance and risk professionals trying to get hundreds or thousands of staff members to contribute to the GRC program. There’s potential here for sure.
Overarching causes described in the report are not surprising; control failures, an overly aggressive focus on short-term growth, and excessive risk taking are among the high level issues addressed. Also in the report, however, are scores of more detailed explanations of control failures in more than 20 different categories. Specific problems on the list include:
One of the most substantial trends we expected to see in governance, risk, and compliance in 2008 is the tightening of regulations in response to major risk management failures. Yesterday, we saw a clear example of that, as the US Senate approved a bill that would nearly double the size of the Consumer Product Safety Commission, largely in response to the massive toy recalls that took place last year.
Also this week, the UK’s Medicines and Healthcare Products Regulatory Agency showed signs of cracking down on disclosure of drug trial results after problems persisted with certain anti-depressant drugs in relation to teenage suicide (even though criminal charges will not be filed).
The sub-prime issue may likely be the next major target for legislative changes, although most discussion seems to be focused on consumer protection at this point, not tighter control over lenders.