Transforma Insights recently published a report on Governance, Risk and Compliance (GRC) platforms. The GRC platform space is still relatively niche, but recent global disruptions may conspire to move the concept more towards centre-stage. Even in the absence of recent disruptive events, GRC platforms would still help address a key challenge that all organisations (should) confront as they deploy digitally transformative solutions: how to ensure governance, risk management, and compliance in the context of a new and enhanced operating model supported by new technology-based solutions?
A GRC platform is a software solution intended to support a GRC framework, which helps an organisation to align its IT and operational infrastructure and its vendor/supplier portfolio with business objectives, while managing risk and meeting regulatory compliance requirements. The aim is to allow companies to manage IT and operational risks effectively and ensure necessary compliance, whilst also reducing associated costs.
A GRC platform is effectively a centralised repository for assets, processes, threats, and vulnerabilities. A GRC platform may also include additional functionality such as robotic process automation (RPA) to aid with the ingestion of relevant data, and artificial intelligence (AI) powered issue identification and management. Leading providers include IBM, MetricStream, RSA (Archer), SAP, and ServiceNow.
The three key elements of a GRC platform are closely related, with risk management as the core, central consideration. Governance and compliance essentially exist to extend risk analyses to consider compliance with relevant regulations and to ensure effective management of the organisation.
Overall, a GRC platform is intended to help executives measure, manage, and prioritise risks in business terms and to track KPIs. Interfaces to the system will be via a range of dashboards, customised based on user role. Executives, for example, would view risk at an overall enterprise level, whilst those on the front line would see information that is much more closely related to their daily role. Crucially, the GRC platform enables the connection of these two views in real time, so that when risks are identified on the front line they can be highlighted in near real time to executive levels with appropriate context in terms of significance and degree of severity.
The potential benefits for technology adopters are multiple:
Beyond these core benefits, some GRC platform providers offer higher value-added services (such as, for example, tracking regulations and standards), and there are opportunities for the market to develop many new synergistic offerings. One such is ESG (environmental, social and governance) reporting, where some GRC platform providers have already extended their offerings to support the (very closely related) concept of tracking an organisation’s ESG performance.
The concept may be particularly transformative for systems integrators, since a GRC platform-type offering could potentially provide an opportunity for a systems integrator to reposition as a ‘trusted partner’ for individual end-users, effectively outsourcing entire technology environments and managing these on a vendor-agnostic basis.