GRC (Governance, Risk Management, Compliance) is amongst the most important emerging market segments in IT. Kuppinger Cole observes an trend towards tools which integrate analysis, attestation, authorization management, risk management, Segregation of Duties controls, and role management functionalities to provide an overall GRC solution with focus on access controls and authorization which can be applied to all applications and all compliance regulations which are relevant to any organization in a first step.
Beyond that we expect to see more complete GRC solutions which cover other aspects as well like the management of security events and incidents or availability and business continuity, to fully support the requirements on IT Governance.
Beyond that we as well expect advancements in the integration of enterprise-driven approaches, mainly for risk management (Enterprise Risk Management, ERM) and IT-driven approaches, e.g. IT Risk Management (IRM).
Today there are partial solutions with specific strengths in some of these functional areas. Over the course of the last 12 months, since the first release of this report, there have been significant improvements and several acquisitions. Through internal development and acquisitions we expect to see even more complete solutions in the 12 to 24 month timeframe. Given that the GRC market is growing well beyond average there is a good reasons for vendors to invest in that particular market segment.
We recommend to create a strategy for GRC with focus on short-term tactical investments, accepting the risk of choosing tools which will be replaced within 24 to 48 months, because the advantages are usually far beyond the costs imposed by such investments. Starting 18 to 30 months from now we expect the market to be mature enough for long-term strategic decisions.