There are plenty of GRC solutions out there. Products for one specific regulations, industry-specific solutions, and more and more solutions which claim to address the entire GRC problem. The level ranges from paper-based methodologies to more or less complex Excel sheets and complex frameworks.

I'm mainly interested in the generic solutions which try to address the entire problem. Many solutions address some part of the problem, but you will need dozens of different products to solve your GRC requirements. That leads to a complex, expensive infrastructure. Thus, a strategy for a generic approach for GRC which can cover all regulations is inevitable. That's about compliance automation or governance automation, a topic I have published on our website some time ago.

Currently there are at least three interesting strategies in this field (four, but one of them - Identity Risk Management - will be covered at a later point of time). One is SAP's GRC Access Control, one of several products in the GRC suite. Another important product in that suite is GRC Process Control. Besides there are several other components, some of them industry-specific. GRC Access Control currently is focused on the core business systems (with SAP as the best supported one - not that surprising) but has open web services since some time to integrate with IAM products and other systems. Oracle's strategy might lead to a comparable solution, may be somewhat broader, but with less depth in the support of specific business applications.

The second approach is one you'll find at CA and HP. They build upon their experience in systems management and try to implement GRC solutions on top of this. The strength is that they can access and control a lot of systems, from software distribution to IAM.

Another strategy is more focused, like Novell's approach with Sentinel. They try to collect and analyze data out of many systems. These data can be used by the tool itself or as input for higher level GRC tools.

There will be room - and need - for all three approaches. The depth of integration with business systems delivered by SAP is as necessary as the ability to integrate with the entire IT infrastructure management like CA does. Vendors like Novell can provide additional information. Thus, you will probably need more than one tool for your GRC solution - but you should try to reduce the number and focus on a very small number of core systems which support your GRC requirements across as many regulations an as many elements of your IT infrastructure as possible.

And there will be more approaches like solutions for Identity Risk Management, the offerings of the big 4 or 5 consulting companies and so on.

I expect that the GRC market of tomorrow will look a little like the IAM market today. There will be the business-driven and the BSM-driven vendors, there will be GRC specialists with a pretty complete and the IAM risk management specialists like Sailpoint and Aveksa (something I'll blog on soon) offering and there will be other vendors which add to the portfolio. Unlike the IAM market, there will be room for everyone.