The universe of risk is growing and becoming increasingly complex for organizations to manage. Threats from within the organization are being compounded by new risk areas such as environmental, social and governance (ESG) risk as well as third-party risk. Complicating this growing risk landscape is a rapidly changing regulatory environment, the need for continuous data ingestion, and requirements to verify organizational performance. Today, a modern approach to risk management includes not only the effective management of risk from a defensive perspective, but also the ability to use risk as a competitive advantage, based on the increased likelihood of success of strategic initiatives. However, organizational ability to achieve this level of risk management varies greatly. A key differentiator in organizations’ ability to address risk is the adoption of Governance, Risk and Compliance (GRC) platforms that offer advanced features. IDC classifies companies according to their progress toward GRC implementation, from those in the early stages of GRC adoption to those that are leaders or have deeply integrated GRC throughout the organization. Investigating how mature GRC companies address risk and adopt the tools and capabilities that enable successful risk management, and establishing this as the gold standard, provides guidance to organizations that are early in the journey.
What is the hallmark of a mature GRC company? GRC maturity is a function of how companies fundamentally approach risk management. Are risks addressed in an ad hoc manner driven by crisis response, or is risk management proactively designed to support larger organizational strategies? Mature GRC organizations have the following characteristics:
GRC maturity in an organization is determined both by how the organization prioritizes risk conceptually and by how it manages risk tactically. How risk is conceptualized largely determines how risk management is implemented. Organizations with high levels of C-level management involvement have closely aligned risk with organizational strategy, take a prescriptive approach to risk management, and are much more likely to have GRC-specific tools to support these initiatives.
While GRC laggards often rely on Excel or data visualization software to monitor risk and compliance, leaders have invested in the specific GRC management platforms necessary to effectively manage and respond to risk and compliance issues as they arise. IDC research shows that GRC leaders are characterized by an expanding GRC program driven by higher investment levels and accelerating spending growth. Just as risk is not static, mature GRC organizations do not take a static approach to risk management. These organizations view risk management as an ever-expanding effort and therefore not only invest more in existing capabilities than laggards do, but also continue to invest in advanced GRC management technologies (see Figure 1).
FIGURE 1: Comparison of Leaders and Laggards in GRC Spending
One component of leaders’ investment in GRC is the implementation of advanced capabilities. True to the nature of these institutions, leaders are much more likely to support the use of these tools (see Figure 2). In an IDC survey, participants were asked about their perceived need for GRC capabilities and their implementation status. According to the survey, GRC leaders are well ahead of laggards in rating automation and intelligence features as important.
Mature organizations that perceive value in risk management and invest in GRC platforms also perceive the value of getting the most out of these tools through the implementation of advanced features. As with many other technologies, by leveraging GRC platforms and tools that integrate data and automate processes, organizations can take their risk and compliance programs to the next level. GRC leaders understand the importance of maximizing the capabilities of GRC platforms.
FIGURE 2: Advanced GRC Talent Priorities
The distinction between leaders and laggards is the use of purpose-built GRC platforms that include advanced GRC capabilities. What are the specific capabilities in which mature GRC organizations invest? Above all, organizations are looking for capabilities that free them from labor-intensive processes:
TABLE 1: Evolution of Risk Measurement Maturity (% of respondents) Question: How does your organization primarily measure risk today? Next year? In the next three years?
According to a recent IDC survey, 34% of US organizations continue to use non-GRC-specific software, such as spreadsheets or project management software (source: IDC’s Governance, Risk and Compliance (GRC) Maturity Score Survey, November 2021, n = 206). Growth in the GRC market is challenged by both funding constraints and misperceptions surrounding risk and compliance management. Investment in the transformation of content workflows may compete with other business priorities within these organizations, but risk and compliance management solutions will certainly contribute to an organization’s perception of trust. However, understanding the importance of maintaining trust as an organization, and the role of GRC software solutions in ensuring that trust, remains a challenge. Many organizations with very rudimentary applications see themselves as innovators in risk management, highlighting the need to better inform the market about what GRC maturity actually looks like.
Organizations that implement advanced GRC capabilities benefit from their investments through reduced risk and improved competitive capabilities across multiple metrics.
IDC believes the market will increasingly require robust GRC platforms that include advanced automation and intelligence features. Given that these modern capabilities can be delivered when appropriate solutions are selected, companies have a significant opportunity for success.