Prediction for 2008: three letters and a new category. They are—cue the drum roll, please—G R, and C, also known to occasionally stand for governance, risk and compliance. “What?” you say. “We already have solutions for Sarbanes Oxley and that’s plenty.” Yes, but SOX started a snowball rolling down a hill, leaving us with something that could be as big as CRM—or even bigger.
To be sure, GRC is going to be mostly a back office phenomenon, but it will inevitably have important influence on the front office, too. In fact, we’re already seeing some of that influence in CRM. In the last two years, there has been an up-tick in interest in financially oriented applications for the front office—applications like compensation management and CPQ (configuration, pricing and quotation), to name a couple. These applications provide financial controls to front-office processes that sometimes run away from us despite good intentions. GRC will be bigger than any of that because the issues of governance permeate all parts of a company, front to back, including IT, purchasing, HR, as well as sales, marketing and service—CRM’s turf.
‘It seems as though there’s more talk about the market size and maturity model than about what GRC is and how to get it.’
A company faces all kinds of risks from many dimensions, and part of the job of a management team is to gauge and understand those risks. Increasingly, managers are being held to account for predicting risk and then doing as much as possible to mitigate it. When risk turns into a problem, it usually ends up costing something, and that cost affects the bottom line, which is why governance is important and controls figure in the picture.
Here’s a realistic scenario and proof for why a company can’t just analyze risk with a calculator or a spreadsheet. A company operating in Europe—and someday probably everywhere—now has exposure to pollution risk. The Kyoto Protocol puts a cap on emissions, and if you go over your cap, you need to buy carbon credits to balance out your exposure. Credits are sold on exchanges calibrated by the ton of carbon dioxide. It sounds good until you realize the world produced about 24 billion tons of CO2 in 2007. By the way, credits traded between 20 and 30 euros over the summer (2007), so the risk can be substantial.
Now consider the company that buys hydro-electric power. Such a company would have very little exposure because hydro power is green. But what happens if there is a winter that is so unusually cold and dry that the snow pack that would normally melt and fill a reservoir behind a dam doesn’t materialize? The same company has to buy more power than anticipated and from a coal-burning power plant. The best way to proceed isn’t so obvious, anymore, which is why a system that monitors and reports on all of a company’s risk exposure can be a very good thing.
There are risks in most things a company does. For instance, is IT capturing and safeguarding customer information in accord with best practices? Does HR hire and manage with consistency, following all regulations and best practices? Do all departments keep good records of their decisions and activities, and are those records easily accessed and audited?
Since Enron, Tyco and many others, there has been a rising demand by shareholders, governments and other stakeholders for greater and more consistent transparency from corporations. GRC systems are not simply ways to calculate risk, they are part of a solution that tracks, reports and audits it—hence, the governance and compliance parts of the solution. More importantly, GRC has the potential to help the corporate world to regain public trust. We have spent a lot of brain cycles on the customer experience in CRM, but according to a new book, Authenticity: What Consumers Really Want, by the fathers of customer experience, James Gilmore and B. Joseph Pine II, too many customer experiences are fake. Companies need ways to demonstrate that they walk the walk. GRC provides the capability to do that by measuring, recording and making available evidence of corporate behavior. In a word, it promotes transparency.
The GRC market can best be described today as embryonic. There is an association for it, and there are a few analysts covering it, but the coverage so far is very high level. It seems as though there’s more talk about the market size and maturity model than about what GRC is and how to get it. I’d say the market is where CRM was in the late 1990s, when there were lots of individual applications that didn’t talk to each other but badly needed to. The necessary integration eventually materialized, and a $14 billion market grew out of it. GRC has many of the same attributes, not the least of which is the fact that just about every company on Earth needs it.
More than parallels with CRM, there will be interesting integration points with the front office. Applications—like CPQ and compensation management—that currently fall into the front office bucket might find themselves more closely aligned with the back office through sales and procurement management and HR functions in GRC.
GRC is going to take a little while to unfold; in some important ways, like mind share. It isn’t a market yet. Next year will be transitional—when we all start paying attention to GRC. That should be enough to start the typical early market stampede. Look for a pattern of big company early adopters, a lot of confusion about the definition of GRC and a discussion about point solutions versus a suite and a platform. It should all start soon.