Recently I received an invitation from an IT vendor to an ECM (Enterprise Content Management) event. The keywords were Governance and Compliance, and the title of the keynote presentation suggested that ECM would solve every threat companies face in these areas today. Interestingly, but not surprisingly, I have received similar invitations from other vendors, each claiming to solve the same issues with solutions in the fields of IAM (Identity and Access Management) or BSM (Business Service Management), or with solutions focused on specific business applications such as SAP or Oracle Applications.

Interestingly, very few of them cover SOA (Service-Oriented Architecture), another of these three-letter abbreviations, which might be the fourth field claiming to fulfill everything a company requires in GRC (Governance, Risk management and Compliance). Or not.

Every one of these companies contributes something to GRC, but none of them will ever be able to fulfill all requirements, at least not as long as it doesn’t provide offerings for BSM, ECM, IAM, and SOA, for business applications, and for consulting on methodologies at the business as well as the IT level. IBM might at some point be the one to deliver, but in the areas of integration and of solutions specific to the leading business applications there will be gaps for a very long time.

In other words: everyone is promising great things, and no one is really delivering.

Looking at this issue from a customer perspective, it becomes obvious that there is a strong need to first define a corporate GRC strategy, derive an IT GRC strategy from it, and then implement that strategy by combining solutions from different vendors for different parts of the problem. Non-strategic GRC investments have to be avoided; they are costly. Without an overall strategy you will end up with many small, unintegrated pieces instead of a GRC solution that can really support your business requirements.

By the way: to support your initiatives in the field of GRC, we are now offering “GRC ratings” for vendors, clearly showing in which areas of the GRC big picture they can deliver today, in which areas they might deliver in the future, and how mature we rate their offerings.

A short note at the end: someone asked me about the relationship between GRC and ECM. ECM is, among other functions, about archiving information, and there are many legal requirements for archiving business-relevant information. Thus, ECM is one part of the overall GRC theme.