About This Case

Closed

24 Jun 2007, 11:59PM PT

Bonus Detail

  • Top 3 Qualifying Insights Earn $250 Bonus

Posted

20 Jun 2007, 12:00AM PT

Industries

  • Advertising / Marketing / Sales
  • Enterprise Software & Services
  • Finance
  • Government / Politics / Global Issues
  • IT / IT Security
  • Internet / Online Services / Consumer Software
  • Logistics / Supply Chain
  • Start-Ups / Small Businesses / Franchises

What Can Small-Cap Companies Learn From Governance Risk And Compliance (GRC) Lessons So Far?


There's been a lot of talk about the governance, risk and compliance (GRC) market lately, with companies like SAP making a big push into the space. When talking about GRC people often fall back on talking about Sarbanes-Oxley compliance, as that's been a key part of it. Certain compliance deadlines have been pushed back for smaller companies, but small-cap companies may wish to anticipate GRC issues before they hit with full force. How do you see the market for GRC solutions changing for small-cap companies over the next 3 to 5 years?

5 Insights

This all depends on the sector they are in, and where they are geographically. In the US, retailers are already being hit at the top by PCI DSS, and in the short term this will affect the smaller companies. HIPAA affects healthcare, GLBA the financial institutions. SOx affects everyone, but it's quite lazy to just rely on that. The US also has the Patriot Act and SB1386 for disclosure of breaches, which helps to support these regulations. There are also pharmaceutical regulations with CFR21. All of these will be tightened as the markets expand and requirements become more individual; however, at present they all share a broad base in COBIT, ITIL, ISO17799/27001, etc.

In Europe, PCI DSS is further off, but worth considering. EU Data Protection Laws are not very strict, but in November this year there should be a change in this. Also MiFID is coming in November which is scaring a lot of people in the financial arena across Europe. With the introduction of the SEPA (Single European Payment Area) we can expect to see PCI to take off with more backing, and therefore greater financial regulation across the board. Healthcare varies from country to country however. You tend to find most companies in Europe either following something broadly ISO related or COBIT/ITIL based if they are interested in GRC. For many this is because they have a US parent company or customer, so these rules also apply to them.

Broadly speaking, the small-cap companies will be safe in the short term; there are bigger fish to fry for the time being. GRC is there to catch Enron, Worldcom, TJX, etc. In the long term, however, everyone will have to become compliant with some sort of business regulation. It will eventually get to a point where business systems are compliant BEFORE they are deployed, but that will not happen in the next 3-5 years. Whether the regulators will catch up with small-cap companies in this timeframe is open to debate. In PCI, maybe if you are in the US, probably not in Europe. GLBA/FSA could happen any time. SOx, anytime; HIPAA, probably more of a threat in the US. There are many factors, and just because you have avoided audit today doesn't mean they aren't planning to get you tomorrow. It's always a good idea to achieve minimum compliance, and there are usually grades or levels that you need to achieve based on your size, which means it is not out of reach.

Given the recent history of corporate scandals, governance, risk management, and regulatory compliance are factors in the business environment that no publicly traded company - both big and small - can escape from. In fact, whether companies like it or not, stakeholders (shareholders, customers, employees, suppliers, etc.) too are demanding the same. Compliance deadlines may have been pushed back a bit for smaller businesses, but that D-day is not too far away in the business calendar. It makes sense, therefore, for smaller companies to plan for achieving governance and compliance sooner rather than later. The experiences of the mega corporations can serve as a valuable manual in the smaller companies’ endeavor for governance, risk, and compliance. After all, it is prudent to learn from someone else’s mistakes and avoid repeating the same.

So, what exactly are those lessons?

Forget the BIG BANG; Think piecemeal

At the outset, small companies should realize that governance (G), risk (R), and compliance (C) are each critical for success in the business world of tomorrow, although most of the talk in the daily press is only about the C. If you are yet to start on your GRC effort, remember that it is simply not possible to simultaneously address all the three factors with a BIG BANG approach (many big corporations have tried and failed). Instead, it is advisable to have a clear-cut strategy and roadmap that addresses these factors on a piecemeal basis.

Look before you leap

Large companies leap first and look later. You don’t have to. First figure out what exactly are the governance, risk management, and compliance regulations that apply to your specific industry and company and the latest deadlines for achieving such compliance. Before you blindly hire expensive consultants (who the mega corporations can throw mega money at), it would be wise to spend some time on the OCEG website at http://www.oceg.org/ educating yourself and your executives. OCEG is a nonprofit offering comprehensive guidance, standards, benchmarks and tools for integrating governance, risk and compliance (GRC) processes. Their "Red Book" provides guidance about the core processes and capability to enhance culture and address governance, risk management and compliance requirements. It also incorporates the common practices that stand behind some of the most robust programs in the world.

Don’t break your company into silos

The problem with large organizations is that they successfully manage to break themselves into silos with absolutely no flow of information between these silos. Consequently, there are islands of information - often redundant in nature. Each silo believes what it knows to be true. In your GRC efforts, relentlessly focus on this single question: "Does my company have a single version of the truth?" The answer should always be "YES."

Change really has to come from the inside

Small enterprises, which typically operate in an entrepreneurial, fast-moving environment, should focus from the start on developing the right culture to embrace these inevitable organizational changes. Internal controls (as a direct result of GRC) don’t always hold up as a high priority in an entrepreneurial environment. Beefing up the internal audit function will be a challenge, since many small companies don’t have one at all. Instead, a few finance professionals do the job that a whole department might handle at a larger company. In a smaller company, the finance department is normally more in a reactionary mode and has less time to attend training courses, and even lesser time to keep abreast of the latest standards. In the past, they have relied on their outside auditors to understand those standards and be guided in terms of journal entries or adjustments. Now they need to know the standards themselves without adjustments. What’s going to be hardest for small companies is trying to sift through the varying interpretations and new rules to try and come up with a workable system that works for them and will satisfy their auditors.

It’s time to embrace new methods

A key challenge for small companies, who do not yet have expensive ERP systems, is managing unstructured data in spreadsheets and other office files. To date, firms have focused on spreadsheet control issues for accounting processes in response to Sarbanes-Oxley. However, auditors have recently turned their attention to the inappropriate use of spreadsheets to document, assess, and manage the compliance process itself, because spreadsheets lack the authentication, audit trail, integrity, and nonrepudiation needed to audit and validate the integrity of the compliance process. When it comes to the use of technology for governance, risk and compliance management, research shows many small organizations are struggling, wasting resources and increasing, rather than reducing, risk.

In a recent survey on small and medium enterprises it was observed that the top five material weaknesses found were accounting and disclosure controls (chiefly, the expectation of no audit adjustments), treasury, accounting personnel training and competency, control environment, and design of controls. Check if your organization is experiencing any of these problems.

A recent Government Accountability Office (GAO) report found that small public companies spend considerably more on implementing Sarbanes-Oxley, particularly Section 404. The report found that firms with less than $75 million in market capitalization were spending 877 percent more than larger counterparts - $1.14 in audit fees per $100 of revenue, compared to just $.13 per $100 for firms with greater than $1 billion in market capitalization. I believe that if you are better prepared as an organization, this can come down drastically.

The market for GRC solutions for small companies

Over the next three to five years, I believe that we will increasingly find new players entering the market for GRC solutions for small companies. The market will likely be dominated by boutique advisory firms. Whether they like it or not, companies such as SAP will find it increasingly difficult to tap into the small and medium enterprises segment.

Small-cap companies are resigned to the fact that Sarbanes-Oxley and wider GRC issues are here to stay. Some will view the cost of compliance as too high and consider offshoring to more favorable regimes like the United Kingdom where it has been made clear that any attempt to impose SOX style legislation will be resisted. For those that choose to remain in the US, SOX will impact but the extent will depend on a number of factors. However, SOX is but one issue in the universe of possible GRC solutions.

Most analysts see GRC as a mixture of:

  1. Process documentation
  2. Transaction monitoring and
  3. Business process management/monitoring

Depending on which software company one speaks with different approaches emerge. SAP and Oracle are the leaders in this regard from a market share perspective and while not always appropriate to small-caps, their different approaches provide an interesting lens into how the market is developing.

SAP is endeavoring to cover all the possible ground, taking an all encompassing approach aligned to its somewhat monolithic view of the world. In SAP's world everything connected with GRC is applied as layers to existing software implementations that provide for automating as many GRC processes as possible. However, SAP has so far restricted its market to its larger customers where it can command the seven figure price tags common in current implementations.

SAP itself has been through a rigorous IT systems risk assessment and is concentrating on a wide range of business risk issues in promoting its solutions. Its latest take is to jump on the 'green' bandwagon, discussing carbon neutral issues and readying the rollout of tools. Amit Chatterjee, who leads this group says (watch for the sales language):

This solution will automatically extract non-financial indicators from the backend, allow analytics, drill down and benchmarks. This can be the first step to integrating financial and non-financial indicators. Management of the triple-bottom-line (financial, social and environmental issues) will become as powerful, transparent and accountable as one can expect from SAP.

It is important to note that while SAP is telling a strong story, it has very few comprehensive customers reference sites.

Oracle on the other hand believes in a different approach where tracking mechanisms are aligned behind pre-defined strategy. It argues that in situations where there may be ongoing business change, it is very difficult to satisfactorily apply rigid processes of the kind SAP implementations are likely to imply. That may well be marketing talk because we're in the very early stages of seeing how wider GRC scenarios will pan out. Nevertheless, Oracle can rightly point to an acquired set of tools from Novaris (documentation), Versa (transaction monitoring) and Hyperion (BPM) as representing a comprehensive approach that delivers on the flexibility Oracle proposes. This inevitably means that Oracle is offering a toolkit approach, best summarised from their product offerings displayed at last year's Oracle Open World.

However - like SAP, Oracle prefers to play 'big ticket.'

In recent times, Oracle has shown that it can scale down to small-cap companies but whether it has the appetite to do so in this new market remains to be seen. That leaves a big question mark over the market.

Small-cap companies are not going to stomach the big fees and costs that larger companies have absorbed. This provides opportunity for smaller players to make headway.

Before discussing alternatives, it is worth considering a completely different approach as advocated by Lord & Benoit. In the L&B methodology, it starts with 'virtual' risk assessment using COSO Guidance for Smaller Public Companies as a way of identifying risks throughout the business and on into its IT systems. L&B claim that using COSO allows them to typically save companies 30-50% of compliance costs. Interestingly, the range of issues that L&B identify are much more to do with basic understanding and the narrative that surrounds GRC. That fits well with my thinking that GRC starts with a cultural shift towards recognizing risks, their source and the need to adopt a risk based culture. This has very little to do with IT as such but is an absolute requirement to understanding GRC implementations.

For example, there is very little point in documenting the requirement for a segregation of duties unless the company officers understand the implications. Similarly, there is no point in having a policy designed to compensate for carbon emissions by tree planting without understanding what types of tree are best planted in which environment. These may have very little to do with IT but are essential pre-cursors to any sustainable GRC implementation. In turn, I would expect to see a simplified process, transaction monitoring and BPM model emerging from that offered by the larger vendors. So for example CODA offers CODA Control, a system designed to:

"make key processes and accounting activities more visible, repeatable, controlled and auditable"

independent of the underlying systems.

The question then becomes - is GRC something you can apply as a set of general technologies? The short answer is no. Each industry has its own myriad of regulation and while the focus is on SOX - to which general approaches can be applied - the same cannot be said for industries like pharmaceuticals, semi-conductor, energy utilities and food manufacture (as examples). It seems to me that software vendors who choose to apply a broad brush need take care to ensure they bear in mind the individual needs of each sector. In this context, companies like MEGA International are likely to take on increasing importance. MEGA offers a range of services that have proven successful across a broad range of industries, topic areas and customers. Again, these solutions are independent of the underlying systems and are likely to prove more attractive to the small-cap buyer.

However, the larger problem is figuring out what happens over the next 3-5 years and whether specific vendors will emerge as significant players. I doubt it. Once you get below the top tier of companies, there is a myriad of possible systems that small-cap companies might be using so any attempt to offer a 'blanket' general solution set won't work. However, there is considerable scope for vendors that offer independent solution sets to prosper. That will almost certainly mean that multiple vendors will be required to help manage different parts of the GRC landscape.

Vinaya HS
Sun Jun 24 9:30pm
As one of my classmates during my MBA days had put it, the all-important question is: "Are we planning to use IT to wash our butts?"

I feel that companies such as SAP and Oracle shove expensive IT down customers' throats whether they need it or not. I completely agree that a shift in the mindset of the employees is what is prerequisite to GRC implementation and have argued so in my analysis.

I too believe that the market will be dominated by niche players in the small-cap space.

GRC largely focuses on two specific areas:

  • Operational Risk
  • Financial Risk

The difficult portion of this (especially for a small-cap company) is measuring operational risk consistently.

Depending on the type of vertical the company operates in, GRC implementation may require first measuring human resource efficiency and allocation across billed projects (information workers), measuring logistic channel efficiency and the impact of decisions from warehousing to checkout (retail), or production quality (manufacturing) and more.

A company thus first requires automated process management and quality control for their core operations from IT system support, and then the GRC compliance can be added on top of this to tie in the ERP / transactional systems with the planning / project management systems, and also linking board control and assignments through one interface.

This is the first issue for small-cap companies, who may wish to invest first in automation of their multiple business units individually, and then integrated together, before they would want to invest in GRC systems.

The second issue is the operating costs of the GRC system. As has been discussed often in the context of Sarbanes-Oxley, the cost of implementation is fixed, which means that the % of annual revenues small-cap companies have to spend on GRC is greater than for larger enterprises.

These market challenges will define how the market for GRC solutions will evolve in the next 3-5 years. If I were to make a bet on them, here is how I think this market will evolve:

First of all, we will begin to see GRC modules integrated within existing solutions for small businesses. We will see them pre-installed for ERP and other transactional systems, and we will also see modules for GRC built into portal software. Note that this will be done at a minimal increase in price for these solutions, as the market would not see this as a premium feature but as a default.

This will help the small business hit multiple objectives with one purchase, and also allows the vendor to boost sales to small-cap companies.

The second shift in solutions you will see (which is distinct from the first) is that you may see many smaller players focus on a very specific niche and offer a solution at price-points that are very reasonable for small-cap companies -- even those who already have transactional systems in place.

An example of such a company is Alchemy Technologies, who have created a BASEL-II Risk Management solution for the banking industry at a price point that is 1/5th of competitors -- their bigger advantage is that they are so niche focused that they can be the first product-to-market in a specific region of the world.

You may see similar plays by other small solution vendors around the world as a means to compete with companies such as SAP making their push.

Finally, you may also see more IT professional services companies enter this area. Their value proposition would be that they might be able to create a fully tailor-made IT solution for companies that only addresses the integration they are interested in, and that too at prices comparable to COTS solutions from vendors such as SAP. You can already see companies such as Techlogix operating here.

Finally, I see that there will be a play by companies to provide "mini" GRC solutions -- these would be no more than a packaging of Time-sheets management, project assignment, project profitability and other such functions merged with portals for boards. While these solutions may not strictly follow compliance requirements, these solutions (which I assume will be much cheaper than others) will still provide small-cap companies a degree of operational risk management.

First, consider separating two important aspects of the GRC issue: the coming potential compliance crisis for small-cap companies and the *market* for software and other GRC-related solutions for those companies. Given the complexities of GRC and the tendencies of new and small companies to address business first, it seems unlikely that small-cap companies will make GRC a priority. Thus, as regulations change and become less forgiving, we'll see a growing need for solutions, probably in the form of software that does *not* require integration with all other corporate functions.

In terms of the growing market for GRC solutions, Forrester Research notes that the market has exploded from its 2002 level of $85m to approximately $600 million this year, and they project the market at $1.3 billion by 2011. Forrester also notes 64 vendors of GRC solutions. It seems likely that this number of solution providers will increase even as the big players like SAP continue with big efforts and attempt to become the dominant players in the growing market.

Will big players like SAP scale *down* to meet the needs of smaller companies, or will simpler and smaller-scale solutions emerge in the way new players came into the accounting software market and in some ways ate the lunch of larger companies? This is hard to say, but I'd somewhat wildly predict that because GRC issues require expertise far beyond the normal type, we'll see consolidation and big players dominate as vendors struggle to maintain a high-quality product in the face of rapidly changing rules and business models. Big players will seek to provide "turn key" solutions to both large and small companies that will involve software and specialized support staff to help answer questions and address strategy surrounding the complex legal and tax issues surrounding GRC.

However, there may be room for tightly focused smaller players in the market who can provide highly specialized solutions to business sectors (such as high tech) where growth can be explosive and the need will increase dramatically over the next 3-5 years. For any player in this market it would be worthwhile to survey a number of small caps who expect to deploy GRC software or solutions over the next few years to determine how receptive they would be to various types of solutions, e.g. would they want "one stop" solutions for GRC in the form of software, support, and specialized help vs. integrated software such as SAP's that will tackle GRC as part of other software-driven business functions.