2016 GRC Technology Strategy


An OCEG Benchmark on the Use of GRC Technology within Organizations

2016 GRC Technology Strategy


About OCEG . . .

OCEG is a global, nonprofit think tank and community. We invented GRC. We inform, empower and help advance more than 50,000 members on governance, risk management, and compliance (GRC).

Independent of specific professions, we provide content, best practices, education, and certifications to drive leadership and business strategy through the application of the OCEG GRC Capability Model™ and Principled Performance®. An OCEG differentiator, Principled Performance enables the reliable achievement of objectives while addressing uncertainty and acting with integrity.

Our members include c-suite, executive, management, and other professionals from small and midsize businesses, international corporations, nonprofits, and government agencies. We assist them and their organizations in developing and implementing GRC capabilities that enable Principled Performance by providing authoritative resources for integrating the governance, assurance and management of performance, risk and compliance.

For more information visit http://www.oceg.org or contact us at info@oceg.

The OCEG 2016 GRC Technology Strategy Survey was designed and analyzed by GRC 20/20 Research . . .

GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and analysis. We provide independent and objective insight into leading GRC practices and processes, including market dynamics and intelligence; risk, regulatory and technology trends; competitive landscapes; market sizing; expenditure priorities; and mergers and acquisitions.

For more information go to www.GRC2020.com or contact GRC 20/20 at [email protected].


MetricStream GRC solutions strengthen risk management, regulatory compliance, and quality management while driving business performance.

“OCEG’s Survey clearly shows that GRC is past the tipping point with a majority of organizations (73%) firmly on the road to integrated GRC. We too see accelerated adoption of integrated GRC architectures - organizations are seeking agile GRC technology that makes GRC simple, and provides the analytics and agility needed to achieve superior business performance.”

Yo Delmar, VP GRC

SAP GRC solutions enable organizations to navigate risk and manage controls and compliance confidently in the context of business strategy and performance.

“Once again, OCEG is providing meaningful data that make the business case for improving GRC capabilities. The finding that the top two objectives in acquiring new GRC technology are to increase GRC related analytics and visibility and to improve consistency of GRC information is key. This indicates understanding that a strong information architecture that enables better data integrity and consistency is essential; a view that SAP shares and supports.”

Workiva Wdesk gives organizations the flexibility to identify and adapt to changing internal control, risk, and compliance management needs

“The OCEG GRC Technology Survey is the must read guide for GRC practitioners. This survey provides a comprehensive perspective on the diverse use of GRC technology, the continued reliance on spreadsheets, documents and emails, and the importance of ease of use and SaaS for future technology investments.”

Mike Rost, Vice President

The 2016 OCEG GRC Technology Strategy Survey is made possible through the support of the entire OCEG GRC Solutions Council and the following survey sponsor members:


Contents

INTRODUCTION

GRC Technology Impacts GRC Maturity

CURRENT STATE OF GRC TECHNOLOGY

How Organizations Currently Use GRC Technology

FUTURE STATE OF GRC TECHNOLOGY

How Organizations Plan to Use GRC Technology

GRC SOLUTION AREA FOCUS

Look at Types of GRC Technology Use & Strategy

SURVEY DEMOGRAPHICS & RELATED RESOURCES

Survey Demographics

OCEG Resources

OCEG GRC Solution Council Members

Preface

If you’ve taken the time to read this survey, it’s likely you have a certain level of interest in governance, risk management, and compliance (GRC). There’s no shortage of information on the subject. An Internet search will throw up all sorts of tips, views and best practices designed to help those responsible for these areas.

OCEG is the framework body for GRC. We advocate Principled Performance and the role of GRC to enable organizations to reliably achieve objectives while addressing uncertainty and acting with integrity.

This OCEG survey is focused on GRC technology strategy and understanding the use of GRC technology in the current state of organizations and the planned future state of where GRC technology architecture is headed. At OCEG we want to see that GRC becomes part of your organization’s DNA through the proper implementation and use of GRC technology.

We hope this survey report provides you with some valuable insights.


Governance, risk management, and compliance (GRC) is something every organization does — though not all do it well. Every organization has some approach to governing the organization, managing risk, and approaching compliance. It does not matter if an organization uses the label GRC; the simple truth is every organization does GRC in some form. Some organizations have mature and structured processes and reporting on GRC that bring together an integrated and orchestrated view of GRC processes and information. Other organizations have fragmented approaches where some aspects of GRC are more mature than others but fail to have an overall coordinated strategy.

The use of technology for GRC depends on organization strategy. Some organizations look to develop an enterprise technology architecture (or platform) for GRC. Other organizations lack a coordinated strategy and have different departments going in different directions. Whether at an enterprise level or a department level, GRC maturity depends on how well GRC processes, information, and technology enable the organization to be efficient, effective and agile to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].

The proper selection and use of GRC technology is a primary factor in measuring GRC maturity within organizations. From one perspective, we all use technology in GRC. GRC technology is commonly understood to range from the low end of using documents, spreadsheets, and email to manage GRC information, processes and reporting to the high end of a federated GRC architecture that integrates information and technology from across the enterprise in an ecosystem of GRC processes and information. There is a wide range of approaches in between.

OCEG’s 2016 GRC Technology Strategy Survey takes aim at understanding organizations’ current use, planned future use, strategy, and satisfaction with their use of technology to support GRC.

Michael Rasmussen

OCEG Fellow & Co-Chair of OCEG GRC Solutions Council

The GRC Pundit @ GRC 20/20 Research, LLC


5 Key Takeaways from the 2016 OCEG GRC Technology Strategy Survey

1. GRC strategies involve more departments and are often an enterprise level decision for many organizations.

2. Medium-sized organizations (1,001 to 10,000 employees) are the most likely to adopt new GRC platforms, as they have been underserved.

3. Ease of use grows as the #1 factor organizations are looking for in GRC technology, as the complexity of legacy solutions has burdened them.

4. GRC & risk analytics together are the GRC technology most needed by organizations across the board.

5. GRC budgets are increasing in the majority of organizations, while only 5% of respondents state they are decreasing.

Current State of GRC Technology

Current Level of GRC Integration

Substantially to Fully Integrated (14%): We have integrated processes and technology across many or all organizational silos of operation.

Partially Integrated (21%): We have integrated processes across many organizational silos, but we have not yet completely addressed integrating technology that supports these processes.

Somewhat Standardized (38%): We have standardized some processes and use of technology but not across the entire

Siloed (27%): Our processes and technologies remain largely siloed.

Of the 290 survey respondents from organizations implementing GRC strategies, 14% stated they were well along their way to being substantially or fully integrated, 21% were partially integrated, and 38% were just beginning their GRC journey of being somewhat standardized.

Together, this means that 73% of organizations have embarked on the road of GRC, with only 27% of respondents indicating they remain largely siloed with no enterprise or cross-department collaboration on areas of GRC in their organization. This shows that nearly three-quarters of organizations responding to this survey have some strategy in place to align, integrate, and collaborate on GRC across departments.

Current Level of GRC Integration, Comparison by Organization Size

When you look at the level of GRC integration results by the size of organization, it reveals that the medium-sized organizations are the most siloed and in need of integration. Smaller organizations tend to have less to integrate and their needs are simpler. Large organizations have had the most focus on GRC integration and represented the largest segment of integrated to partially integrated.

It is the medium-sized organizations, which have grown beyond the simpler needs of their smaller counterparts and mirror proportionally the complexity of large organizations, that have the most work to do in GRC integration.

Level of GRC Integration             All    Small   Medium   Large
Substantially to Fully Integrated    14%    15%     8%       20%
Partially Integrated                 21%    15%     25%      22%
Somewhat Standardized                38%    45%     33%      38%
Siloed                               27%    25%     34%      20%

Small Organizations: 1 to 1,000 employees. Medium Organizations: 1,001 to 10,000 employees. Large Organizations: 10,001+ employees.

Current Alignment & Utilization of Technology for GRC

Rating       Organization level of alignment of technology with GRC needs   Utilization of existing technology for GRC
Excellent    4%                                                              14%
Good         24%                                                             21%
Fair         42%                                                             38%
Poor         30%                                                             27%

While 73% of organizations indicate they have some collaboration and integration on GRC across departments, the current state of GRC technology alignment and utilization is moderate, with a lot of room for improvement.

Only 28% of organizations describe their alignment of GRC technology in positive terms (excellent or good), with 42% stating fair (or neutral) and 30% indicating it is poor.

The same goes for utilization of GRC technology, with 35% indicating positive terms (excellent or good), 38% fair/neutral, and 27% stating it is poor.

However, given that the predominant technology used for GRC in many organizations is documents, spreadsheets and emails, it becomes clear why so many respond with fair or poor technology utilization and alignment.

Use of GRC Technology

Single GRC Platform (16%): We have one GRC solution for the entire organization.

GRC Architecture (12%): We have a core GRC solution that integrates with multiple best of breed solutions for GRC.

Best of Breed (27%): We have multiple best of breed GRC solutions that we use across the organization, but none is a central core for GRC.

Department Silos (10%): We have a GRC solution in my department but I am unaware of

No GRC Solution/Unsure (35%): We do not have any GRC solutions being used in our organization.

Organizations approach GRC technology in different ways. Some organizations (16%) try to do everything GRC related with one single GRC platform. This works for some organizations, but others see the need for best of breed solutions (27%) that remain loosely integrated, with no one solution being the core. In between the single GRC platform and best of breed approaches are organizations that have best of breed solutions but a single core GRC solution that brings everything together (12%). This allows for greater flexibility in focused solutions while still providing a core for overall GRC reporting.

Other organizations focus on disconnected department solutions (10%), while many (35%) state they have no GRC technology in place or are unsure. These organizations are the ones most likely using a maze of documents, spreadsheets, and emails.

Use of GRC Technology, Comparison by Organization Size

Approach                  All    Small   Medium   Large
Single GRC Platform       16%    7%      19%      19%
GRC Architecture          12%    6%      4%       23%
Best of Breed             27%    29%     23%      30%
Department Silos          10%    16%     8%       9%
No GRC Solution/Unsure    35%    42%     46%      19%

Small Organizations: 1 to 1,000 employees. Medium Organizations: 1,001 to 10,000 employees. Large Organizations: 10,001+ employees.

The use of GRC technology varies by organization size. Smaller organizations indicate a greater propensity toward best of breed or department-siloed solutions. Medium-sized organizations have a greater focus on a single GRC platform and best of breed solutions. Large enterprises have the greatest focus on a GRC architecture, where there is a single platform at the core that is supported by best of breed solutions where they make sense.

It is in small to medium-sized organizations that no GRC technology is most often implemented, and where the greatest opportunity for implementation lies.

GRC Platform Strategy Going Forward

Does your organization prefer a single GRC solution or do you prefer to purchase best of breed solutions for specific needs and departments?

A centralized "GRC Platform" for the entire enterprise across all relevant categories to your business: 33%

A federated "GRC Platform" for certain categories and "best of breed": 37%

A distributed range of "best of breed" solutions in different categories that operate independently of each other: 13%

Unsure: 17%

Looking to the future, organizations state they have a greater propensity to focus on a GRC architecture (37%) with a core platform for enterprise GRC reporting and management that is supported by best of breed solutions where they make sense. A strong percentage of organizations (33%) state they will focus on a single centralized GRC platform for the entire organization.

What is really interesting is that only 13% of respondents indicated that they want a best of breed, non-integrated approach to GRC. In contrast, 70% of organizations (33% single platform and 37% GRC architecture) state that they have a strategy going forward for GRC integration.

Preference of SaaS or Traditional Software for GRC

The acceptance of SaaS (Cloud) GRC implementations has grown strongly over the past several years. Of the 290 respondents, 31% prefer SaaS while 39% prefer a traditional on-premise implementation.

However, when you filter the respondents to those who indicate they are leading their organization’s GRC strategy, the preference for SaaS grows to 45%. This means that the GRC technology decision maker has a strong preference for SaaS implementation.

GRC Technology Expansion Strategy

How would you characterize your organization's strategy for procuring technology solutions for GRC?

Expanding Use of Existing GRC Solutions: 52%

Purchasing New GRC Solutions: 24%

In-House Development: 12%

Unsure: 12%

In the context of expanding GRC technology, a majority of organizations indicate that they are first looking to expand on their existing GRC solutions (52%), followed by those purchasing new GRC solutions (24%).

Expanding on existing solutions is often the case when organizations already have a strong investment in a GRC platform and are looking to build out its capabilities further into new areas of GRC in the organization that need attention. Purchasing new solutions, by contrast, is typically the case for those that rely on old technology or are encumbered by manual processes and a maze of documents, spreadsheets, and emails.

Top 8 Objectives in Acquiring New GRC Technology

Increase GRC Analytics & Visibility: 57%

Improve Consistency of GRC Information: 51%

Reduce GRC Complexity: 38%

Regulatory Compliance Requirements: 37%

Reduce Risk in the Organization: 36%

Improve Performance in the Organization: 33%

Lower or Avoid GRC Costs: 27%

Increase Reliability of GRC: 15%

The top two objectives of organizations in acquiring new GRC technology are to increase GRC related analytics and visibility and to improve consistency of GRC information. These two objectives rank significantly higher than the other factors organizations scored.

Interestingly, these two are related. Good analytics require a solid information architecture with strong data integrity and consistency. Organizations have been plagued by data integrity and consistency problems for GRC, particularly when done in spreadsheets, documents, and emails. Some organizations have reported to GRC 20/20 that as much as 80% of FTE staff time is spent on nothing more than manual reconciliation and report building from documents, spreadsheets, and emails.

Top 8 Criteria in New GRC Purchases

Ease of Use: 53%

Price: 41%

Functionality: 40%

Configurability: 39%

Industry Focus: 26%

Customer Service: 23%

Integration Capabilities: 21%

Company Stability/Viability: 16%

When it comes to top criteria for new GRC purchases, organizations are looking for ease of use (53%). Many legacy GRC implementations have been plagued with complexity, bespoke build-outs, broken upgrades, and poor user experience. It is logical that ease of use has become the number one concern and criterion when evaluating new GRC solutions.

This has grown over the past four years. This same survey in 2012 had ease of use (45%) listed second after price (53%). The 2014 survey had ease of use (49%) displace price (46%) as the number one criterion. Now in 2016 the gap grows further, with ease of use at 53% and price dropping to 41%.

Organization Alignment on GRC Technology Initiatives Going Forward

We have sufficient organizational alignment to produce action on GRC technology initiatives:

Strongly Agree: 11%

Somewhat Agree: 43%

Somewhat Disagree: 30%

Strongly Disagree: 14%

Unsure: 2%

Organization alignment on GRC technology initiatives going forward is improving dramatically. A total of 54% of organizations report that they agree (somewhat or strongly) that they have sufficient organizational alignment to produce action on new GRC technology initiatives.

This is interesting when compared with the responses discussed earlier, where only 28% rated their current GRC technology alignment positively. This shows a significant change from current technology alignment to the alignment expected going forward: a shift from 28% in the current environment to 54% for future decisions and collaboration on GRC technology across the organization.

Who is Making Future GRC Technology Decisions

Is the decision to purchase made at an enterprise level, multiple departments working together, single department, or group/issue level?

Enterprise: 47%

Multiple Departments: 35%

Single Department: 7%

Group/Issue Level: 9%

Unsure: 2%

Alongside the increased organizational alignment on future GRC technology spending comes shared responsibility in making purchase decisions on GRC technology.

For 47% of respondents, purchasing new GRC technology is an enterprise-wide decision across GRC related roles and departments. When you consider that another 35% of respondents state this is a multi-department decision, but not quite full enterprise, the figure rises to 82% indicating that GRC technology spending involves multiple parts of the organization.

Where Does Enterprise GRC Budget Come From

Split between the IT, GRC and/or business budgets: 24%

In the official IT budget: 18%

In a GRC budget: 12%

In business budgets (e.g., HR, finance): 12%

My organization has not budgeted resources for any GRC enabling technology for 2016, or Unsure: 34% combined (21% and 13%)

The budget for GRC technology purchases varies across the organizations responding to the survey.

The largest segment (24%) indicates it is a shared budget split between IT, GRC groups, and the business. Next (18%), respondents indicated it comes purely from the IT budget.

A smaller segment indicated that they have a specific GRC budget (12%) that new technology purchases come from, which is the same amount (12%) that indicated it comes from business budgets.

GRC Budgets Increasing in 2016

Do you see overall GRC spending (on all aspects, not just technology) in 2016 increasing or decreasing in your organization?

GRC Spending Increase (in three bands: Up to 10%, 10% to 25%, and 25%+): 55% combined (19%, 17%, and 19%)

Spending Staying Same as Last Year, or Unsure: 40% combined (19% and 21%)

GRC Spending Decrease (in three bands: Up to 10%, 10% to 25%, and 25%+): 5% combined (3%, 1%, and 1%)

What is particularly interesting is the strong growth in GRC budgets for 2016. A total of 55% of respondents indicate that GRC budgets are increasing, while only 5% indicate that GRC budgets are decreasing.

This shows that organizations continue to make a strong and expanding investment in GRC related technology now and into the future.

Top 8 GRC Technology Investment Areas for 2016, All Organizations

Risk Management & Analytics: 42%

Compliance Management: 37%

Audit Management & Analytics: 36%

Enterprise GRC Platforms: 35%

IT GRC Management: 30%

Policy Management: 25%

Business Continuity Management: 24%

Internal Control Management: 22%

For 2016, organizations (across all sizes) indicate that their greatest focus on GRC technology investment is in risk management and analytics. Respondents were given seventeen categories to choose from and the top eight are represented in the chart on this page.

Risk management is growing within organizations and many are moving beyond simple heat maps and stop light diagrams of risk to provide deeper analytics and risk management capabilities that align to business objectives and performance.

Top 8 Spending Increases in Large Organizations

Compliance Management: 64%

IT GRC Management: 59%

Risk Management & Analytics: 58%

Automated Control Monitoring & Enforcement: 58%

Quality Management: 58%

Enterprise GRC Platforms: 56%

Business Continuity Management: 53%

Policy & Training Management: 52%

For large organizations (those over 10,000 employees), the top area of GRC technology spending is in compliance management. This is indicative of the complex array of global regulations and compliance mandates that large organizations have to deal with.

These organizations also show a higher propensity to purchase IT GRC management, followed by risk management/analytics, and control automation and enforcement.

Top 8 Spending Increases in Medium Organizations

Enterprise GRC Platforms: 71%

Risk Management & Analytics: 68%

IT GRC Management: 57%

Audit Management & Analytics: 52%

Compliance Management: 51%

Strategy & Performance Management: 51%

Policy & Training Management: 49%

Automated Control Monitoring & Enforcement: 44%

Mid-sized organizations (1,001 to 10,000 employees) show the greatest interest in purchasing enterprise GRC platforms going forward. The mid-market for enterprise GRC solutions is opening up as they follow the large organizations that have focused on enterprise GRC over the last decade.

A strong second to enterprise GRC is the focus on risk management and analytics solutions within mid-sized organizations.

Top 8 Spending Increases in Small Organizations

Risk Management & Analytics: 62%

Strategy & Performance Management: 56%

Compliance Management: 54%

Enterprise GRC Platforms: 53%

IT GRC Management: 50%

Issue Reporting & Management: 48%

Policy & Training Management: 45%

Quality Management: 44%

Small organizations (those under 1,000 employees) show the greatest focus in spending on risk management and analytics as well as strategy and performance management solutions.

These two areas show a natural relationship in many small organizations, where risk management and strategy/performance management are run out of the finance department. It is only logical that they look at risk and performance closely together, and this shows the strong influence each has on the other.

Enterprise GRC Platforms

Enterprise GRC delivers a range of cross-department functionality across GRC functional areas into an integrated technology ecosystem. For some this is a single GRC platform for the entire organization. For others it is an integrated architecture in which there can be a core platform that often extends and integrates into a range of other solutions and data sources.

To be an Enterprise GRC Platform requires a single platform architecture that has multi-department (e.g., enterprise wide) use across the following areas, at a minimum:

§ Enterprise/Operational Risk Management

§ Compliance Management

§ Internal Control Management

§ Issue Management (e.g., incident, case, investigations)

NOTE: most Enterprise GRC Platforms offer a range of additional modules beyond these.

Current technology used for Enterprise GRC Platforms

                                        All    Small   Medium   Large
Spreadsheets, Documents & Emails        45%    53%     51%      35%
Solution Built & Supported by IT        11%    15%     9%       12%
1 Commercial Solution in this Area      25%    11%     26%      33%
2+ Commercial Solutions in this Area    9%     6%      4%       17%

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years? (Enterprise GRC Platforms; don’t knows filtered out)

                        Spending More   Same   Spending Less
All Organizations       61%             32%    7%
Small Organizations     53%             44%    3%
Medium Organizations    71%             27%    2%
Large Organizations     56%             28%    16%

Unsure (filtered out of the percentages above): 3%

Audit Management & Analytics

Audit Management & Analytics technologies are used by auditors to manage and perform audits.

Audit management solutions are used to manage audit cycles – this includes audit planning, resource scheduling/calendaring, work paper management, audit execution, audit process management, and audit reporting. They also support a risk-based approach to audit planning to prioritize audits based on the risk to the business.

Audit analytics solutions utilize data analytics and continuous auditing (automated control enforcement & monitoring) to extract insights from operational and financial data to assist in audits and provide assurance.

Current technology used for Audit Management & Analytics

                                        All    Small   Medium   Large
Spreadsheets, Documents & Emails        41%    55%     46%      28%
Solution Built & Supported by IT        14%    13%     17%      11%
1 Commercial Solution in this Area      38%    13%     43%      52%
2+ Commercial Solutions in this Area    10%    6%      8%       17%

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years? (Audit Management & Analytics; don’t knows filtered out)

                        Spending More   Same   Spending Less
All Organizations       46%             48%    6%
Small Organizations     39%             57%    4%
Medium Organizations    52%             44%    4%
Large Organizations     45%             48%    7%

Unsure (filtered out of the percentages above): 3%

Automated Control Enforcement & Monitoring

Automated Control Enforcement & Monitoring technologies provide the capability to automatically and continuously monitor, enforce, test, assess, and report on controls within the organization.

This category of software is also often referred to as Continuous Control Monitoring (CCM) or Automated Controls. This includes the capability to test, on a continuing or periodic basis, data and activity against defined rules to identify and report potential errors, the failure of controls, or inappropriate actions – including tests of business transactions, network activity, intrusion attempts, the sharing of confidential information or intellectual property, systems access, etc. Also included in this area is the ability to do GRC data analytics, monitoring, and mining.

Automated control solutions include: transaction, configuration, fraud, AML, segregation of duties, master data, identity & access, process, end-user computing application, and social media control solutions.
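To make concrete what "testing data and activity against defined rules" means for both this category and the continuous auditing described under Audit Management & Analytics above, the following Python is an added example written for this page (it is not OCEG, GRC 20/20, or vendor code). It runs three control tests over a constructed ERP activity log and a constructed role table: a segregation-of-duties test (the same user created and approved the same payment), a preventive identity & access test (a user holds a toxic role combination that makes the SoD control bypassable), and a configuration-change window test. The control IDs, role names, users, and records are all invented for the illustration.

```python
"""Continuous control monitoring (CCM) over a constructed activity log.

Each rule tests activity or entitlement data against a defined control and
emits a Finding when the control fails. All data below is constructed for
this example; control IDs and role names are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: ERP activity events (who did what to which object, when).
EVENTS = [
    {"ts": "2016-03-01T09:12:00", "user": "alice", "action": "create_payment",  "obj": "PAY-1001"},
    {"ts": "2016-03-01T09:40:00", "user": "bob",   "action": "approve_payment", "obj": "PAY-1001"},
    {"ts": "2016-03-01T10:05:00", "user": "carol", "action": "create_payment",  "obj": "PAY-1002"},
    {"ts": "2016-03-01T10:06:00", "user": "carol", "action": "approve_payment", "obj": "PAY-1002"},
    {"ts": "2016-03-01T23:30:00", "user": "dave",  "action": "change_config",   "obj": "PAYMENT_APPROVAL_LIMIT"},
]

# Constructed sample: current role assignments pulled from the identity system.
ENTITLEMENTS = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_APPROVER"},
    "carol": {"AP_CLERK", "AP_APPROVER"},
    "dave": {"ERP_ADMIN"},
}

# Hypothetical control definitions.
SOD_PAIRS = [("create_payment", "approve_payment")]          # C-SOD-01: no one creates and approves the same payment
TOXIC_ROLE_COMBOS = [frozenset({"AP_CLERK", "AP_APPROVER"})]  # C-IAM-02: entitlements that would allow a C-SOD-01 breach
BUSINESS_HOURS = (7, 19)                                      # C-CFG-03: config changes only between 07:00 and 19:00


@dataclass(frozen=True)
class Finding:
    control: str
    subject: str
    detail: str


def check_sod(events, pairs=SOD_PAIRS):
    """Detective test: the same user performed both halves of a segregated duty on one object."""
    actors = defaultdict(set)  # (object, action) -> set of users who performed it
    for e in events:
        actors[(e["obj"], e["action"])].add(e["user"])
    findings = []
    for obj in sorted({e["obj"] for e in events}):
        for first, second in pairs:
            for user in sorted(actors[(obj, first)] & actors[(obj, second)]):
                findings.append(Finding("C-SOD-01", user, f"{user} did both {first} and {second} on {obj}"))
    return findings


def check_toxic_roles(entitlements, combos=TOXIC_ROLE_COMBOS):
    """Preventive test: a user holds a role combination that makes the SoD control bypassable."""
    return [
        Finding("C-IAM-02", user, f"{user} holds {sorted(combo)}")
        for user, roles in sorted(entitlements.items())
        for combo in combos
        if combo <= roles
    ]


def check_config_change_window(events, hours=BUSINESS_HOURS):
    """Detective test: configuration changes made outside the approved change window."""
    start, end = hours
    findings = []
    for e in events:
        if e["action"] != "change_config":
            continue
        hour = datetime.fromisoformat(e["ts"]).hour
        if not start <= hour < end:
            findings.append(Finding("C-CFG-03", e["user"], f"{e['obj']} changed at {e['ts']}"))
    return findings


def run_ccm(events=EVENTS, entitlements=ENTITLEMENTS):
    """Run every control test and return findings grouped by control ID."""
    findings = check_sod(events) + check_toxic_roles(entitlements) + check_config_change_window(events)
    report = defaultdict(list)
    for f in findings:
        report[f.control].append(f)
    return dict(report)


if __name__ == "__main__":
    for control, items in sorted(run_ccm().items()):
        print(control, [f.detail for f in items])
```

Running the block reports carol under both C-SOD-01 (she created and approved PAY-1002) and C-IAM-02 (her entitlements allow it), and dave under C-CFG-03 for the 23:30 configuration change. The point of pairing the preventive and detective rules is that removing carol's approver role clears the entitlement finding, but the activity finding stands until the transaction itself is investigated.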

Current technology used for Automated Control Enforcement & Monitoring

                                        All    Small   Medium   Large
Spreadsheets, Documents & Emails        29%    33%     33%      23%
Solution Built & Supported by IT        18%    18%     22%      15%
1 Commercial Solution in this Area      17%    7%      17%      23%
2+ Commercial Solutions in this Area    8%     6%      5%       12%

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years? (Automated Control Enforcement & Monitoring; don’t knows filtered out)

                        Spending More   Same   Spending Less
All Organizations       48%             46%    6%
Small Organizations     39%             57%    4%
Medium Organizations    44%             53%    3%
Large Organizations     58%             33%    9%

Unsure (filtered out of the percentages above): 3%

Business Continuity Management

Business Continuity Management technologies model, record and direct the responsibilities, plans, actions and execution of continuity and disaster plans, testing of operating procedures, alternatives, information back-ups, data recovery and restoration processes during expected and unexpected disruptions to all areas of operation.

Current technology used for Business Continuity Management

                                        All    Small   Medium   Large
Spreadsheets, Documents & Emails        54%    55%     57%      49%
Solution Built & Supported by IT        17%    16%     18%      16%
1 Commercial Solution in this Area      16%    7%      19%      21%
2+ Commercial Solutions in this Area    4%     2%      4%       5%

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years? (Business Continuity Management; don’t knows filtered out)

                        Spending More   Same   Spending Less
All Organizations       45%             48%    7%
Small Organizations     42%             52%    6%
Medium Organizations    41%             56%    3%
Large Organizations     53%             35%    12%

Unsure (filtered out of the percentages above): 3%


Compliance Management

Compliance Management technologies support the overall coordination of legal, regulatory, contractual, values, ethics, and corporate obligations and responsibilities with associated compliance documentation, assessments, tasks, and records. This includes the ability to monitor, document, and manage changes to the regulatory environment and other obligations; to document all obligations of the organization; to perform compliance assessments against obligations; manage regulator and stakeholder interactions on compliance; and report on the state of compliance to regulators and stakeholders.

Spreadsheets, Documents & Emails

§ 58% in Small Organizations

§ 53% in Medium Organizations

§ 42% in Large Organizations

Solution Built & Supported by IT

§ 20% in Small Organizations

§ 21% in Medium Organizations

§ 18% in Large Organizations

1 Commercial Solution in this Area

§ 22% in Small Organizations

§ 25% in Medium Organizations

§ 35% in Large Organizations

2+ Commercial Solutions in this Area

§ 6% in Small Organizations § 1% in Medium Organizations § 17% in Large Organizations

52

%

20

%

28

%

8

%

(37)

Compliance Management

Do you plan to spend more/same/less on GRC solutions in the following categories over

the next 3 years?

S

56

%

Spending More

7

%

Spending Less

3%

Unsure

36

%

Same Don’t Knows Filtered Out

Across All Organizations

Small Organizations § 54% Spending More § 41% Same § 5% Spending Less Medium Organizations § 51% Spending More § 44% Same § 5% Spending Less Large Organizations § 64% Spending More § 25% Same § 11% Spending Less

54

%

51

%

64

%

Environmental Management

Environmental Management technologies help monitor, analyze, record, and report organizational activity focused on compliance with environmental laws and regulations and related corporate policy for managing environmental controls and conditions, and on assessing the environmental impact of the corporation’s operations, strategies, and plans.

Approach currently in use, by organization size (All = across all organizations):

  Approach                               Small   Medium   Large   All
  Spreadsheets, Documents & Emails        24%     33%      34%    31%
  Solution Built & Supported by IT         4%     15%      12%    11%
  1 Commercial Solution in this Area       6%     11%      16%    11%
  2+ Commercial Solutions in this Area     2%      1%       4%     2%

Planned spending on GRC solutions in this category over the next 3 years (Don’t Knows Filtered Out):

  Across All Organizations: 31% Spending More, 62% Same, 7% Spending Less, 3% Unsure

  Organization size      Spending More   Same   Spending Less
  Small Organizations         23%         73%         4%
  Medium Organizations        30%         67%         3%
  Large Organizations         43%         43%        14%

Health & Safety Management

Health & Safety Management technologies manage the regulatory and policy-based guidelines and processes for protecting and reporting on the workforce, workplace, resources-under-management and external environment impacted by an organization’s activities.

Approach currently in use, by organization size (All = across all organizations):

  Approach                               Small   Medium   Large   All
  Spreadsheets, Documents & Emails        31%     38%      28%    32%
  Solution Built & Supported by IT         7%     15%      20%    15%
  1 Commercial Solution in this Area      13%     15%      18%    16%
  2+ Commercial Solutions in this Area     2%      1%       8%     4%

Planned spending on GRC solutions in this category over the next 3 years (Don’t Knows Filtered Out):

  Across All Organizations: 37% Spending More, 51% Same, 12% Spending Less, 3% Unsure

  Organization size      Spending More   Same   Spending Less
  Small Organizations         33%         50%        17%
  Medium Organizations        32%         57%        11%
  Large Organizations         45%         45%        10%

Internal Control Management

Internal Control Management technologies provide the ability to define, document, map, monitor, test, assess, and report on controls within the organization, including process and systems documentation. These solutions document internal controls, provide control assessments/self-assessments, and manage this through workflow, tasks, and reporting.

Approach currently in use, by organization size (All = across all organizations):

  Approach                               Small   Medium   Large   All
  Spreadsheets, Documents & Emails        56%     56%      36%    49%
  Solution Built & Supported by IT        16%     19%      17%    17%
  1 Commercial Solution in this Area      20%     28%      30%    27%
  2+ Commercial Solutions in this Area     7%      4%      10%     7%

Planned spending on GRC solutions in this category over the next 3 years (Don’t Knows Filtered Out):

  Across All Organizations: 45% Spending More, 49% Same, 6% Spending Less, 3% Unsure

  Organization size      Spending More   Same   Spending Less
  Small Organizations         40%         53%         7%
  Medium Organizations        44%         51%         5%
  Large Organizations         51%         41%         8%

Issue Reporting & Management

Issue Reporting & Management technologies provide issue intake and investigations management. Issue reporting solutions (e.g. hotline, whistleblower) provide a confidential, independent resource for individuals to report observations related to issues as well as potential acts of fraud, theft, inappropriate or illegal behavior, negligence or other impropriety. Investigations management solutions are used to manage investigations, issues, incidents, events, or cases: they specifically provide consistent documentation and processes for the management of events, from reporting, to managing and documenting the investigation, to recording the loss and business impact.

Approach currently in use, by organization size (All = across all organizations):

  Approach                               Small   Medium   Large   All
  Spreadsheets, Documents & Emails        48%     51%      39%    46%
  Solution Built & Supported by IT        13%     18%      27%    20%
  1 Commercial Solution in this Area      30%     35%      35%    34%
  2+ Commercial Solutions in this Area     4%      8%      15%     9%

Planned spending on GRC solutions in this category over the next 3 years (Don’t Knows Filtered Out):

  Across All Organizations: 47% Spending More, 47% Same, 6% Spending Less, 3% Unsure

  Organization size      Spending More   Same   Spending Less
  Small Organizations         48%         45%         7%
  Medium Organizations        44%         49%         6%
  Large Organizations         48%         45%         7%

IT GRC Management

IT GRC Management technologies are used to govern and direct information and technology (IT) strategies in the context of business. The governance function of IT is the alignment, strategy, and direction of IT to support the business. A core component of IT GRC solutions is the ability to manage and monitor security, risk, and compliance across IT systems throughout the organization and across significant business relationships.

Approach currently in use, by organization size (All = across all organizations):

  Approach                               Small   Medium   Large   All
  Spreadsheets, Documents & Emails        43%     40%      32%    37%
  Solution Built & Supported by IT        16%     17%      18%    17%
  1 Commercial Solution in this Area      22%     34%      36%    31%
  2+ Commercial Solutions in this Area     4%      1%       9%     5%

Planned spending on GRC solutions in this category over the next 3 years (Don’t Knows Filtered Out):

  Across All Organizations: 56% Spending More, 39% Same, 5% Spending Less, 3% Unsure

  Organization size      Spending More   Same   Spending Less
  Small Organizations         50%         43%         7%
  Medium Organizations        57%         38%         5%
  Large Organizations         59%         36%         5%

Legal Management

Legal Management technologies administer the collection of facts related to events and legal cases under investigation, for use in verifying their circumstances, in order to provide valid information for testing by independent parties with the confidence that the information provided is related to these events.

Discovery tools assist in managing and communicating discovery holds and uncovering, segmenting, organizing and storing electronic forms of evidence that can be used in an investigation, both before and after the occurrence of the related events, including tools that separate potential discovery documents from their original locations and repositories.

This category of technology also includes systems for retention management that integrate with content/document systems to manage the storage, disposition, and retention of information.

Approach currently in use, by organization size (All = across all organizations):

  Approach                               Small   Medium   Large   All
  Spreadsheets, Documents & Emails        54%     51%      29%    44%
  Solution Built & Supported by IT         7%     16%      16%    14%
  1 Commercial Solution in this Area       9%     13%      20%    15%
  2+ Commercial Solutions in this Area     6%      5%       7%     6%

Planned spending on GRC solutions in this category over the next 3 years (Don’t Knows Filtered Out):

  Across All Organizations: 31% Spending More, 62% Same, 7% Spending Less, 3% Unsure

  Organization size      Spending More   Same   Spending Less
  Small Organizations         16%         76%         8%
  Medium Organizations        30%         67%         3%
  Large Organizations         48%         39%        13%

Physical Security Management

Physical Security Management technologies enhance physical asset and individual protection, and the authorization and monitoring of access to an organization’s facilities and property. This category of technology also includes systems to manage physical loss and theft.

Approach currently in use, by organization size (All = across all organizations):

  Approach                               Small   Medium   Large   All
  Spreadsheets, Documents & Emails        43%     43%      27%    37%
  Solution Built & Supported by IT        13%     12%      21%    16%
  1 Commercial Solution in this Area      13%     20%      13%    16%
  2+ Commercial Solutions in this Area     6%      7%       8%     7%

Planned spending on GRC solutions in this category over the next 3 years (Don’t Knows Filtered Out):

  Across All Organizations: 34% Spending More, 58% Same, 8% Spending Less, 3% Unsure

  Organization size      Spending More   Same   Spending Less
  Small Organizations         25%         68%         7%
  Medium Organizations        39%         58%         3%
  Large Organizations         40%         45%        15%

Policy & Training Management

Policy & Training Management technologies manage the development, approval, distribution, communication, forms, maintenance, and records of organization policies, standards, procedures, guidelines and related training and communication awareness activities. This includes solutions used to train employees and extended business relationships on policy and risk areas. Elements of gamification, eLearning, learning management, and document/content management are part of this segment from a GRC perspective. Forms and disclosure management solutions (e.g., conflict of interest, gifts & entertainment/hospitality) are included in this segment as they relate to and support organization policies.

Approach currently in use, by organization size (All = across all organizations):

  Approach                               Small   Medium   Large   All
  Spreadsheets, Documents & Emails        48%     45%      31%    41%
  Solution Built & Supported by IT        15%     26%      28%    24%
  1 Commercial Solution in this Area      17%     32%      28%    26%
  2+ Commercial Solutions in this Area     9%      5%       9%     8%

Planned spending on GRC solutions in this category over the next 3 years (Don’t Knows Filtered Out):

  Across All Organizations: 49% Spending More, 45% Same, 6% Spending Less, 3% Unsure

  Organization size      Spending More   Same   Spending Less
  Small Organizations         45%         45%        10%
  Medium Organizations        49%         49%         2%
  Large Organizations         52%         39%         9%

Quality Management

Quality Management technologies record, benchmark, track and manage activity related to product and service quality assessments and certifications, production failures, product recalls, design and delivery improvements and their related regulatory guidelines.

Approach currently in use, by organization size (All = across all organizations):

  Approach                               Small   Medium   Large   All
  Spreadsheets, Documents & Emails        44%     53%      28%    42%
  Solution Built & Supported by IT        19%     15%      15%    16%
  1 Commercial Solution in this Area       9%      8%      17%    12%
  2+ Commercial Solutions in this Area     2%      4%      13%     7%

Planned spending on GRC solutions in this category over the next 3 years (Don’t Knows Filtered Out):

  Across All Organizations: 44% Spending More, 52% Same, 4% Spending Less, 3% Unsure

  Organization size      Spending More   Same   Spending Less
  Small Organizations         44%         50%         6%
  Medium Organizations        31%         66%         3%
  Large Organizations         58%         38%         4%

Risk Management & Analytics

Risk Management technologies support the identification, assessment, evaluation and response, and monitoring of risks and opportunities across the organization. This includes the ability to monitor changes in the external and internal contexts to alert an organization to changing risk conditions (e.g., geopolitical, economic, competitor, technology, and natural disaster) that can impact business.

These systems help identify specific causes and execute historical review, simulation, interpretation and projection of impacts on an organization’s operations or assets given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously.

This category includes enterprise risk management systems, operational risk management systems, as well as specialized risk applications.

Approach currently in use, by organization size (All = across all organizations):

  Approach                               Small   Medium   Large   All
  Spreadsheets, Documents & Emails        65%     60%      45%    56%
  Solution Built & Supported by IT        13%     18%      17%    17%
  1 Commercial Solution in this Area      26%     29%      36%    31%
  2+ Commercial Solutions in this Area     4%      3%      13%     7%

Planned spending on GRC solutions in this category over the next 3 years (Don’t Knows Filtered Out):

  Across All Organizations: 63% Spending More, 31% Same, 6% Spending Less, 3% Unsure

  Organization size      Spending More   Same   Spending Less
  Small Organizations         62%         32%         6%
  Medium Organizations        68%         30%         2%
  Large Organizations         58%         33%         9%

Strategy, Performance, & Process Management

Strategy, Performance & Process Management technologies include solutions for identifying and managing corporate strategies, goals, and objectives and cascading them through the organization; optimizing operational and financial performance against those objectives; and providing valuable information for decision-making and reporting purposes.

Approach currently in use, by organization size (All = across all organizations):

  Approach                               Small   Medium   Large   All
  Spreadsheets, Documents & Emails        65%     57%      51%    57%
  Solution Built & Supported by IT         9%     16%      16%    14%
  1 Commercial Solution in this Area      15%      5%      11%    10%
  2+ Commercial Solutions in this Area     4%      8%      11%     8%

Planned spending on GRC solutions in this category over the next 3 years (Don’t Knows Filtered Out):

  Across All Organizations: 47% Spending More, 44% Same, 9% Spending Less, 3% Unsure

  Organization size      Spending More   Same   Spending Less
  Small Organizations         56%         33%        11%
  Medium Organizations        51%         42%         7%
  Large Organizations         29%         58%        13%

Third Party Management

Third Party Management technologies provide organizations the ability to govern third party relationships (e.g., vendor, supplier, contractor, consultant, service provider, outsourcer, agent) and the lifecycle of onboarding, contracts, due diligence screening, performance monitoring, risk management, compliance management, quality and service level management, and off-boarding.

Third party GRC-specific solutions record and maintain the communication, attestation, and assessment of policies, contractual compliance, risk and compliance assessments, and audits across extended business relationships.

Third party screening solutions are used to vet third parties and validate them against databases such as politically exposed persons, watch lists, social accountability, and more.

Approach currently in use, by organization size (All = across all organizations):

  Approach                               Small   Medium   Large   All
  Spreadsheets, Documents & Emails        48%     51%      39%    46%
  Solution Built & Supported by IT         7%      9%      17%    12%
  1 Commercial Solution in this Area      15%     18%      17%    17%
  2+ Commercial Solutions in this Area     2%      4%      15%     7%

Planned spending on GRC solutions in this category over the next 3 years (Don’t Knows Filtered Out):

  Across All Organizations: 41% Spending More, 48% Same, 11% Spending Less, 3% Unsure

  Organization size      Spending More   Same   Spending Less
  Small Organizations         44%         41%        15%
  Medium Organizations        31%         63%         6%
  Large Organizations         50%         36%        14%

Survey Demographics

Survey Respondents by Breakout of GRC Buyers vs. Providers (509 respondents)

  § 57%  Organizations Using/Considering GRC Solutions: 290 respondents were from organizations using or considering GRC solutions/technology.
  § 19%  Professional Services Firms: 96 respondents were from professional service firms providing GRC services and solutions.
  § 12%  GRC Solutions Providers: 63 respondents were from GRC solutions/technology providers offering GRC related technology solutions.
  § 12%  Other: 60 respondents marked Other.

This survey report focuses only on the 290 respondents from organizations using or considering GRC solutions. Each breakdown below covers those 290 respondents.

Survey Respondents by Type of Organization

  § 41%  Publicly Traded
  § 31%  Privately Held
  §  9%  Non-Profit
  §  3%  State-Owned/Crown
  §  5%  Education
  § 11%  Government

Survey Respondents by GRC Role in Organization

  § 25%  Risk Management
  § 17%  IT/Security
  § 17%  Compliance
  § 13%  Audit
  § 34%  Other

Survey Respondents by Seniority in Organization

  § 12%  Executive/C-Suite
  §  4%  Senior Vice President
  § 12%  Vice President
  § 24%  Director
  § 28%  Manager
  § 15%  Professional
  §  1%  Administrative
  §  4%  Other

Survey Respondents by Role in GRC Strategy

  § 36%  Lead the Enterprise GRC Strategy to integrate GRC across the organization
  § 51%  Participate in the Enterprise GRC Strategy in my organization
  § 12%  Exposure is only within department and not aware of broader context of GRC
  §  1%  Unsure

Survey Respondents by Geographic Presence

  § 49%  North America
  § 25%  Europe
  §  5%  Central/South America
  §  6%  Middle East
  §  5%  Oceania
  §  6%  Asia
  §  4%  Africa

Survey Respondents by Size of Organization

  § 37%  Large Enterprise (10,001+ Employees)
  § 37%  Medium Enterprise (1,001 to 10,000 Employees)
  § 26%  Small Enterprise (1 to 1,000 Employees)

OCEG’s GRC Standards Library helps to jump-start and improve your approach to achieving Principled Performance.

OCEG has a range of resources that help organizations understand, apply, and communicate Principled Performance and GRC:

  § Certifications
  § Surveys: OCEG One-Minute Polls, GRC Maturity, GRC Metrics & Measurement, GRC Technology Strategy
  § GRC Illustrated: OCEG has developed over 60 GRC illustrations that are info-graphics to help organizations understand and communicate Principled Performance and GRC.

Members of OCEG’s GRC Solutions and Executive Council collaborate to develop educational materials on the benefits of advancing GRC processes and technologies, as well as key resources to assist companies in maturing GRC strategy.

www.OCEG.org

4835 E. Cactus Road, Suite 225, Scottsdale, Arizona 85254, United States of America

[email protected] | @OCEG

+1 (602) 234-9278
