MetricStream is the second vendor presented in our weekly survey answer series.
Over the last few months we conducted a small vendor survey to find out more about software companies’ idea of GRC, their products and future developments. From now on we are going to publish the answers of a new company each week. You can find them in the GRC Technology / Software Vendors category. The first vendor presented is CA.
Do you remember being challenged to define GRC in a few words - in meetings, lunch discussions or at the water cooler? “It’s Governance, Risk and Compliance” might be an easy answer, but it does not draw out the underlying concept.
Through a review of over 100 GRC publications we have developed a single-phrase definition of GRC we would like to validate with your help. We invite you to take part in our anonymous, two-minute GRC definition survey: http://survey.grc-resource.com
Feel free to share the survey link with other GRC professionals!
Thank you & regards,
Nicolas Racz
Last Thursday I attended the European Identity Conference 2009 in Munich. Europe’s largest conference on identity management is organised by Kuppinger Cole + Partner, a Munich-based analyst firm that also covers the broader picture in which IM is embedded, namely GRC. For this reason the programme included several “integrated GRC”-related talks on Thursday. The main GRC platform vendors present were CA, IBM, Oracle and SAP.
Talking to the IM people as well as to several consultants and vendors dealing with GRC, I noticed once again that ideas of GRC are either absent or strongly divergent. This is partly due to the fact that the IM people at the conference are - of course - dealing with technological and regulatory IM issues in the first place. My feeling was that these people consider GRC to be an opaque concept that might affect them in the mid-term future, but not so much today.
Fortunately there were experts on integrated GRC as well. Frank Fischer, who is leader of Security@IBM, laid out IBM’s idea of GRC to me in detail. Prior to the conference I had noticed that there was hardly any information on IBM’s GRC perspective on their website www.ibm.com. Fischer pointed out that the German subsidiary has recently created a website briefly explaining IBM’s GRC approach. If you speak German, have a look. I gained two interesting insights from our conversation. Firstly, IBM strongly emphasises the “R” as the leading methodology in GRC. Compliance is included through the risk of non-compliance. Good governance is the result of an effective risk management process. Secondly, IBM has abandoned the technology-oriented view and is focusing on content. Sure, they employ proprietary (but mostly third-party) tools to support GRC processes, but as Fischer correctly put it, even the best risk management tool is useless if your risk quantification methods are insufficient. In his opinion GRC people are trying to do too much at the same time. They should first focus on getting a few key risk indicators right, then think of technologies to support enterprise-wide GRC initiatives.
GRC as an end more than a means - this notion was present in all presentations I attended. Rob Fijneman of KPMG noted that GRC does not move quickly enough. In 2006 his multinational clients told him they expected integrated tools within two years; however, GRC tools are still fragmented today. Martin Kuppinger stated that the development of GRC tools probably needs another 2-3 years until companies can make reasonable long-term decisions concerning their GRC platform. In his analysis, he would currently not put any software vendor into the top-right quadrant (probably referring to the Gartner quadrant, which is defined by the dimensions “ability to execute” and “completeness of vision”).
A short panel on the lack of GRC standards led to the conclusion that most industries’ processes are not mature (standardised) enough for general standards to be derived. Do standards even make sense in an evolving area whose primary characteristic is disagreement? As long as vendors are using proprietary workflows for simple processes like user provisioning in their software, there is no point in talking about standards for risk indicators.
To sum up, ID2009 promoted the view that GRC still has a long way to go. Neither processes nor technology are sufficiently mature.
The European Identity Conference 2009 is going to be held in Munich from May 5 to 8.
“European Identity Conference (EIC) is the place to meet with enterprise technologists, thought leaders and experts to learn about, discuss and shape the market in most significant technology topics such as Identity Management and Governance, Risk Management and Compliance (GRC). With its world class list of speakers, a unique mix of best practices presentations, panel discussions, thought leadership statements and analyst views in 4 parallel session streams, EIC has become an absolute must-attend event for enterprise IT leaders from all over Europe.”
May 7 (Thursday) offers various talks and presentations on GRC. I am going to be there myself on that day. Feel free to read more about the conference or to register at [www.id-conf.com].
CA’s Christopher Fox explains why investments in GRC pay off even in times of a recession.
[Why GRC makes sense in a down economy]
If you are using or planning to use products of SAP’s GRC portfolio, you can register now to take part in the virtual conference GRC2009. Online sessions will be available from April 20 onwards.
The conference offers jumpstart sessions and four tracks:
Track 1: New strategies and technologies for GRC
Track 2: Compliance, controls, and audit best practices
Track 3: Global GRC strategies for financial and supply chain teams
Track 4: IT governance, security, policies and risk management
Check out Michael Rasmussen’s new blog entry on the largest GRC software vendor. He shares some interesting facts on GRC market size and definition and comes up with an answer that might surprise you.
[Who is the largest GRC vendor?]
Aberdeen Group’s Stephen Walker recently moderated a podcast featuring prominent participants from three major IT-GRC vendors: Chris Fox (Senior Principal of GRC at CA), John DiMaria (Director of Professional Services at eFortresses) and Roland Mosimann (CEO of Aline) discussed best practices in enterprise IT-GRC. You can listen to the podcast after free registration at ITGRCForum.com or download the transcript directly from GRC Resource. ITGRCForum.com also offers the opportunity to put questions to the participants of the panel discussion.
In his most recent blog entry, Michael Rasmussen of Corporate Integrity shares his thoughts on ultimate platforms for third party / supply chain risk and compliance.