Sitting in the SAP Insider GRC conference this week has been instructive in terms of understanding what’s next in the world of governance, risk and compliance, a market segment that, at least at SAP, is outpacing the growth of the overall enterprise software industry in a significant way.
Many think the big issue in the nascent GRC market is how to get companies to buy into a “big GRC” enterprise-wide deployment; others think the big issue is aligning strategy and execution – as in making sure that the knowledge that GRC software enables is matched by an ability to actually do something constructive with that knowledge.
Both are definitely among the top two issues facing the GRC market today.
But perhaps the biggest issue of all is the need to expand the demand for GRC across the enterprise by reaching out beyond the traditional buyer/user base that has defined the GRC market up to now: the office of the CFO and the CIO.
While these are still worthy consumers of GRC functionality, the ability of this concept to become ubiquitous in the enterprise craves a concerted effort to enlist a broad base of users who may not even know of or understand what GRC means to them.
That ignorance is more about nomenclature than anything else, particularly when it comes to risk. Every business lives and dies by its ability to quantify and manage risk, even if the term is hardly ever used as a call to action. And, importantly, most companies’ risk management and remediation processes are barely automated, if at all – a great opening for enterprise software solutions. Whatever you call it, from picking products and markets to assessing competitive threats, from scheduling new product introductions to timing product end of life, risk assessment, management and remediation are daily events at most companies, with a high rate of participation by a wide range of users.
That this trio of processes – risk assessment, management, and remediation – is already part of the standard operating procedure of many companies makes market education relatively easy. That is because the easiest kind of enterprise software to sell is the software that automates what people are already used to doing in an un-automated way. Much of GRC fits this bill, and that means it will be a whole lot easier to explain, and consume, than a product or capability that has never been tried before some software vendor brought it to market.
But there’s still that problem of linking the user who spends at least part of their day dealing with risk with a software solution that is risk-based. There are few if any job titles that include the term “risk”, nor are there many project teams that are tasked with managing risk in a way that would make it easy for a GRC vendor to target them with a marketing campaign. Which is why most of the effort is directed at CFOs and CIOs, who, by dint of legislative and regulatory requirements, can be counted on to get the GRC message.
If GRC is to fulfill its potential, and in particular begin to expand deeper into the enterprise, those daily risk takers, and risk assessors, and risk mitigators, will all need to be plugged into the product mix as tightly as possible. And that means finding a way to engage them in the conceptual messaging, and help these users be part of the vanguard that elevates GRC to its rightful place as an important part of the genuine value that enterprise software can deliver.
There are a number of areas in which GRC concepts can be made readily identifiable by a wider range of users. Sustainability is one: as functionality that enables sustainable practices in areas such as product development, plant management, supply chain, and global trade becomes more widespread, the obvious tie-in to risk management is relatively easy to make. Likewise supply chain risk: problems relating to strategic parts outages, for example, have a broad impact on important business processes that in turn impact myriad internal users – from product designers to after-market service support. Targeting these users with supply chain risk solutions is a natural, and potentially effective, way to broaden the overall understanding of the GRC opportunity.
In the end, as with many new opportunities in enterprise software, GRC is a ready platform for expanding the strategic uses of enterprise software to a much wider constituency – the casual user – than has been traditionally the case. If the vendors can succeed in getting these users to take the GRC opportunity to heart, the market pull will be substantial. Because at the end of the day, the great thing about GRC, particularly the risk portion, is that it can put dollars on the table, a compelling argument for any P&L-driven organization.
If only they knew what GRC meant to them, and how valuable it could be…