EIC2009 impressions

Posted by Nicolas on May 11, 2009

Last Thursday I attended the European Identity Conference 2009 in Munich. Europe’s largest conference on identity management is organised by Kuppinger Cole + Partner, a Munich-based analyst firm that also covers the broader picture IM is embedded in, namely GRC. For this reason the program included several “integrated GRC”-related talks on Thursday. The main GRC platform vendors present were CA, IBM, Oracle and SAP.

Talking to the IM people as well as to several consultants and vendors dealing with GRC I noticed yet another time that ideas of GRC are either non-present or strongly diverging. This is partly owed to the fact that the IM people at the conference are – of course – dealing with technological and regulatory IM issues in the first place. My feeling was that these people consider GRC to be an opaque concept that might affect them in the mid-term future, but not so much today.

Fortunately there were experts of integrated GRC as well. Frank Fischer, who is leader of Security@IBM, elaborately laid out IBM’s idea of GRC to me. Prior to the conference I noticed that there was hardly any information on IBM’s GRC perspective on their website www.ibm.com. Fischer pointed out that the German subsidiary has recently created a website briefly explaining IBM’s GRC approach. If you speak German, have a look. I gained two interesting insights from our conversation. Firstly, IBM strongly emphasises the “R” as the leading methodology in GRC. Compliance is included through the risk of non-compliance. Good governance is the result of an effective risk management process. Secondly, IBM has abandoned the technology-oriented view and is focusing on content. Sure they employ proprietary (but mostly third-party) tools to support GRC processes, but as Fischer correctly put it, even the best risk management tool is useless if your risk quantification methods are insufficient. In his opinion GRC people are trying to do too much at the same time. They should first focus on getting a few key risk indicators right, then think of technologies to support enterprise-wide GRC initiatives.

GRC as an end more than a means – this notion was present in all presentations I attended. Rob Fijneman of KPMG noted that GRC does not move quickly enough. In 2006 his multinational clients told him they expected integrated tools within two years; however, GRC tools are still fragmented today. Martin Kuppinger stated that the development of GRC tools probably needs another 2-3 years until companies can make reasonable long-term decisions concerning their GRC platform. In his analysis, he currently would not put any software vendor into the top right quadrant (probably referring to the Gartner quadrant, which is defined by the dimensions “ability to execute” and “completeness of vision”).

A short panel on the lack of GRC standards led to the conclusion that most industries’ processes are not mature (standardised) enough for general standards to be derived. Do standards even make sense in an evolving area whose primary characteristic is disagreement? As long as vendors are using proprietary workflows for simple processes like user provisioning in their software, it is needless to speak about standards for risk indicators.

To sum it up, ID2009 promoted the view that GRC still has a long way to go. Both processes and technology are not sufficiently mature.


Posted in Events

European Identity Conference 2009

Posted by Nicolas on Apr 13, 2009

The European Identity Conference 2009 is going to be held in Munich from May 5 to 8.

“European Identity Conference (EIC) is the place to meet with enterprise technologists, thought leaders and experts to learn about, discuss and shape the market in most significant technology topics such as Identity Management and Governance, Risk Management and Compliance (GRC). With its world class list of speakers, a unique mix of best practices presentations, panel discussions, thought leadership statements and analyst views in 4 parallel session streams, EIC has become an absolute must-attend event for enterprise IT leaders from all over Europe.”

May 7 (Thursday) offers various talks and presentations on GRC. I am going to be there myself on that day. Feel free to read more about the conference or to register on [www.id-conf.com].


Posted in Events

Virtual conference: GRC2009

Posted by Nicolas on Apr 2, 2009

If you are using or planning to use products of SAP’s GRC portfolio, you can register now to take part in the virtual conference GRC2009. Online sessions will be available from April 20 onwards.

The conference offers jumpstart sessions and four tracks:
Track 1: New strategies and technologies for GRC
Track 2: Compliance, controls, and audit best practices
Track 3: Global GRC strategies for financial and supply chain teams
Track 4: IT governance, security, policies and risk management

[GRC2009]


Posted in Events, SAP