In the last weeks, I had a number of interviews and product / vendor briefings about GRC related products. And as you may have noticed, the marketplace is yet pretty unstructured. Since there is still no generally accepted common definition or reference architecture for GRC (altough I have developed one, see my reports), anyone touching functionality related to GRC assumes it is in the core. And so you can find extended document management solutions there (for policy managemnet) as well as controls and IT controls management tools, besides access governance and financial risk management applications.

I believe though that it makes only sense to actually implement a holistic GRC management framework in an enterprise, if there is a common, integrated and standardized way of managing policies, controls, risks, improvement projects. There is no value in buying a multitude of isolated, on certain aspects extremely well performing solutions, because then the integration know-how still relies with the people - and isn't GRC actually exactly about reducing the risk that the enterprise is exposed to by people involvement, for personal, political or financial motivation?

The real value of implementing GRC projects only comes - very similar to ERP, history repeating - with an integrated framework. There are two ways of achieving this: first, by standardization (such as SOA), and second, by market dominance (such as R/3) . And to be true, none of the vendors I have been able to listen to is in my view in a position to advance the standardization path in that market.

With the recently announced partnership between SAP and CA, SAP pursues - similarly to Oracle - a pretty intelligent move: they will be able to integrate real-time information from SIEM and other solutions from CA, one of the established players in the IT infrastructure environment. The simple annoucement will shake up the space: until now, GRC was about prevention, mitigating activies, but the reaction part was left to the IT respectively other reaction facilities (fraud management, corporate security, e.g.). But with that partnership, GRC actively covers a "real-time" view on the threat / risk situation.

Another aspect is with the partnership of two giants, there will automatically be a de-facto-standardization happening. If, say, RSA now wants to provision SAP GRC too, they will need to adopt the interface definitions that the two have defined...

So: good move, SAP and CA.