let's nix the grc world- oceg survey2014 on grc industry-fixnix

An OCEG Benchmark on Current & Future GRC Technology Decisions 2014 GRC TECHNOLOGY STRATEGY SURVEY HOW ORGANIZATIONS APPROACH AND ADAPT THEIR TECHNOLOGY STRATEGY FOR GRC

Upload: fixnix-infosec-solutions-pvt-ltd

Post on 25-Dec-2014


DESCRIPTION

GRC Governance, Risk Compliance OCEG RSA Archer Metricstream

TRANSCRIPT

Page 1: Let's nix the GRC world- OCEG Survey2014 on GRC industry-FixNix

An OCEG Benchmark on Current & Future GRC Technology Decisions

2014 GRC TECHNOLOGY STRATEGY SURVEY: HOW ORGANIZATIONS APPROACH AND ADAPT THEIR TECHNOLOGY STRATEGY FOR GRC


About OCEG

OCEG is a nonprofit think tank that helps organizations achieve Principled Performance. We provide standards, resources and a hub around which many professionals collaborate including: board members, business executives and operators, risk executives, audit executives, compliance executives, financial executives, IT executives, and HR executives.

Our mission is to help organizations reliably achieve objectives while addressing uncertainty and acting with integrity - this is Principled Performance. We assist organizations in developing and implementing GRC capabilities that enable Principled Performance by providing authoritative resources for integrating the governance, assurance and management of performance, risk and compliance. OCEG’s global community exceeds 40,000 members and through collaborative effort we continue to advance methods and measurements of success on the path to Principled Performance.

For more information go to www.OCEG.org or contact us at [email protected]

The OCEG 2014 GRC Technology Strategy Survey was designed and analyzed by GRC 20/20 Research

GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and analysis. We provide independent and objective insight into leading GRC practices and processes, including market dynamics and intelligence; risk, regulatory and technology trends; competitive landscapes; market sizing; expenditure priorities; and mergers and acquisitions.

For more information go to www.GRC2020.com or contact GRC 20/20 at [email protected].


OCEG SURVEY • 2014 GRC Technology Strategy Survey • www.OCEG.org • ©2014 all rights reserved

Contents

INTRODUCTION: GRC Technology Impacts GRC Maturity

SURVEY DEMOGRAPHICS: Risk, Audit, Compliance & IT Express Themselves

CURRENT STATE: How Organizations Currently Use GRC Technology

FUTURE STATE: How Organizations Plan to Use GRC Technology

IN SUMMARY: 5 Key Takeaways

REFERENCES: OCEG Resources; OCEG GRC Solution Category Descriptions; OCEG GRC Solution Council Members; Full Survey Charts/Responses

Preface

If you’ve taken the time to read this survey, it’s likely you have a certain level of interest in governance, risk management, and compliance (GRC). There’s no shortage of information on the subject. An Internet search will throw up all sorts of tips, views and best practices designed to help those responsible for these areas.

OCEG is the framework body for GRC. We advocate Principled Performance and the role of GRC to enable organizations to reliably achieve objectives while addressing uncertainty and acting with integrity.

This OCEG survey focuses on GRC technology strategy: understanding how organizations use GRC technology in their current state, and the planned future state toward which their GRC technology architecture is headed. At OCEG we want to see GRC become part of your organization’s DNA through the proper implementation and use of GRC technology.

We hope this survey report provides you with some valuable insights.


Governance, risk management, and compliance (GRC) is something every organization does — though not all do it well. Every organization has some approach to governing the organization, managing risk, and approaching compliance with obligations such as regulations. It does not matter if an organization uses the label GRC; the simple truth is that every organization does GRC in some form.

Some organizations have mature and structured processes and reporting on GRC that brings together an integrated and orchestrated view of GRC processes and information. Other organizations have fragmented approaches where some aspects of GRC are more mature than others but fail to have an overall coordinated strategy. For some organizations GRC approaches are ad hoc and reactive.

The use of technology for GRC depends on organization strategy. Some organizations look to develop an enterprise technology architecture (or platform) for GRC. Other organizations lack an enterprise-coordinated strategy and have different departments going in different directions. Whether at an enterprise level or a department level, GRC maturity depends on how well GRC processes, information, and technology enable the organization to be efficient, effective and agile in reliably achieving objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].

The proper selection and use of GRC technology is a primary factor in measuring GRC maturity within organizations. From one perspective, we all use technology in GRC. Pens and legal pads can be understood as technology — at one point pens were high tech. Today, GRC technology is commonly understood from the low-end of using documents, spreadsheets, and email to manage GRC information, processes and reporting to the high-end of a federated GRC architecture that integrates information and technology from across the enterprise in an ecosystem of GRC processes and information that works together as cogs in a machine automating GRC processes and reporting while providing accountability. There obviously is a wide range of approaches in between.

OCEG’s 2014 GRC Technology Strategy Survey takes aim at understanding organizations current use, planned future use, strategy, and satisfaction with their use of technology to support GRC within their organizations.

Michael Rasmussen OCEG Fellow & Co-Chair of OCEG GRC Solutions Council Chief GRC Pundit & Analyst @ GRC 20/20 Research, LLC [email protected] / [email protected]

INTRODUCTION: GRC Technology Strategy Impacts Maturity


A Word From Our Survey Sponsors

ACL delivers technology solutions that are transforming audit and risk management.

“The survey shows that strategy for GRC is changing and why it is such an incredibly exciting and opportunistic time to be a GRC professional. Four mega-forces in technology for GRC were screamed out loudly by the survey results: cloud, mobile, design, and data. It’s clear that those affecting major change in their organization’s approach to GRC are making applications powerful and collaborative with the cloud, extending their reach through mobile, driving insight and decisions using objective truth as manifest in the organization’s data, while ensuring software empowers (not frustrates). We are so proud to be a part of ushering in this change in GRC, through technology.” Dan Zitting, VP of Product Mgmt & Design, ACL

Convercent enables an effective compliance program with integrated management, mitigation and monitoring of compliance risk.

“The results of the survey provided a clear indication that the world of GRC technology is primed to leap forward in delivering GRC program effectiveness that’s both measurable and innovative. Too many organizations have a well-designed GRC program but lack the ability to apply it in a scalable way or to easily demonstrate its effectiveness, in large part because the technology, a critical enabler of an effective GRC program, is missing. We believe that the market is not only ready, but clamoring, for easy-to-use technology that is well designed and integrated, complete with native analytics and reporting. This survey validated that belief. We’re excited to be part of the journey.”

Michael Kleef, EVP of Marketing, Convercent

MetricStream delivers solutions for GRC and Quality Management Solutions for global corporations.

“MetricStream helps clients adopt a federated GRC architecture that aligns with business functions and adapts as their environment changes. As the survey demonstrates, GRC technology has advanced so much that it can seamlessly connect processes, systems, and departments across the global enterprise. It can capture information from across functions and systems, and aggregate this information to decision-makers to successfully manage risk and make decisions. As organizations realize these benefits, they are transforming their GRC technology strategies, and we are delighted to be part of this GRC Journey that our customers are on.” – Vinay Bapna, Associate VP of Marketing, MetricStream

The 2014 OCEG GRC Technology Strategy Survey is made possible through the support of the entire OCEG GRC Solutions Council and particularly the following survey sponsor members:


SURVEY DEMOGRAPHICS


Risk, Audit & Corporate Compliance/Ethics Top Responders

The 2014 OCEG GRC Technology Strategy Survey had 273 respondents that fell across a range of industries, geographies, and roles/departments in organizations.[1]

GRC happens within departments and across the enterprise. From a department perspective, GRC roles look to technology to assist them in managing GRC from a department perspective. An enterprise GRC perspective involves a GRC strategy, process, information and technology architecture that spans across departments.

The three primary roles responding to the survey (68% of responses) are risk management (25%), audit (22%), and corporate compliance/ethics (21%). These roles, combined with IT and Security, make up the most common roles that OCEG and GRC 20/20 see in enterprise technology strategies for GRC.

What is interesting to see is the 5% of respondents who define themselves as a Centralized GRC Group/Architecture role. This role is only about two years old and is already seeing strong growth in organizations tasked to build and deploy information and technology architecture for enterprise GRC.

[1] The OCEG 2014 GRC Technology Strategy Survey also surveyed professional service firms and GRC technology/solution providers. The results in this report are only those from organizations that purchase and use GRC solutions within their environment and do not include professional services firms or solution provider responses.

Respondent roles:

Risk Management: 25%
Audit: 22%
Corporate Compliance/Ethics: 21%
Other GRC Roles: 32%

Other roles include:

Information Technology (9%)
Centralized GRC Group/Architecture (5%)
Security (5%)
Business Management/Executive (5%)
Business Operations / Logistics (2%)
Finance / Accounting (2%)
Vendor/Supplier Management, Research, Corporate Social Responsibility, Legal (4%)


Equilibrium of GRC Operational & Decision-Maker Roles

Respondent level:

Other: 3%
Professional: 20%
Manager: 28%
Executive: 6%
Senior Vice President: 7%
Vice President: 12%
Director: 24%

51% were Manager level and below; 49% were Director level and above.

The survey results showed a nearly even split between GRC roles that were director level and above (49% of respondents) with those that were manager level down into professional/operational GRC roles (51%). This represents a balanced perspective on GRC technology strategy between decision makers and those using GRC solutions as part of their daily GRC operational roles.

Often the perspectives on GRC technology can vary between the decision-makers (purchasers) of GRC technology and the manager/operational GRC roles that use the technology throughout every day. Having this evenly distributed balance of respondents provides an equilibrium to the survey results.


Distributed Organization Structure, Size & Industries

Organizations responding represented a distributed balance of size and structure. A variety of industries were represented in the responses, with financial services having the strongest representation.

Industries represented: Finance, Banking & Insurance; Healthcare; Utilities; Manufacturing; Business Services; Telecom; Others

Organization type:

40.3% of organizations responding were publicly traded organizations
38.4% were privately held organizations
11.6% were government organizations
9.7% were non-profit, educational, or state-owned organizations

Organization size:

13.3% of organizations responding have between 1 and 500 employees
24.3% have between 501 and 2,500 employees
26.6% have between 2,501 and 10,000 employees
36.0% have 10,001 or more employees


CURRENT STATE


Utilization of GRC Technology in the Environment:

46% Utilized
51% Under-Utilized
3% Unsure

Organizations reported that they have mixed success with their current use of technology for GRC. The current state of affairs shows a near even breakout, with 46% of organizations claiming that their GRC technology is well utilized and slightly more, at 51%, stating that GRC technology in their environment is underutilized. This indicates that approximately half of the organizations responding feel they could do better in how they use their current technology for GRC within their environments.

Contrasted with how GRC solutions are deployed, this reveals some enlightening perspectives. The majority of GRC solutions being used are department or issue-focused (81%) and are stand alone solutions not integrated with other GRC technology solutions (80%). This aligns with GRC 20/20’s market research that indicates that over 80% of GRC technology spending is on department and issue (e.g., risk, regulation) GRC needs and less than 20% of spend is on enterprise GRC that spans across departments in the organization.

Non-integrated, stand-alone GRC solutions: 80%
GRC solutions that are department- or issue-focused: 81%


Misaligned Technology to Meet Current GRC Needs

Alignment of Technology with Current GRC Needs:

27% Aligned
70% Unaligned
3% Unsure

Building on the mixed utilization of GRC technology currently used within organizations is the mounting concern that the GRC technology deployed does not meet the current needs of the organization (70%), with a minority (27%) stating that GRC technology is meeting their current needs.

The challenge is that risk and regulation have grown very complex. Many industries have seen regulatory change double in the past five years. Business operates in dynamic risk environments with intersecting risks that are managed in silos that do not talk to each other. The business itself is dynamically changing as employees, processes, strategy, financial position, technology and relationships change. External risks bear down on the organization from market, geopolitical, environmental, and other sources. The complex web of supplier, agent, vendor, and other third-party relationships impacts the organization. Risk and regulatory reporting requirements have grown in complexity and often involve a complex web of data integration and analytics.

This misalignment is an indicator that organizations are discovering they need a very agile and dynamic GRC information and technology architecture that can integrate with distributed systems and content feeds and provide advanced analytics on the state of GRC and its impact on the organization’s strategy, performance, objectives, and integrity.


BOTTOM LINE: Document/Email Approaches Challenge GRC

Primary GRC technology in use:

Spreadsheets, Documents, & Email: 53%
Solution Built In-House by IT: 17%
Commercial GRC Solution / 2+ Commercial GRC Solutions: 30% combined (24% and 6%)

53% of organizations state their primary GRC technology is spreadsheets, documents, and email

30% of organizations have one or more commercial GRC solutions

No wonder organizations see such misalignment in GRC technology to meet their current needs — the bastion of GRC technology in use is in the form of spreadsheets, emails, and documents. This approach is very labor intensive and inconsistent which causes reporting errors and complexity, frustrates the line of business, lacks proper workflow and task management, and is simply not defensible.

Regulators and stakeholders are increasingly holding organizations accountable for audit trails and integrity in processes that documents, spreadsheets, and email approaches simply cannot provide by themselves. They are important tools in the toolbox but organizations are realizing they need something more.

The impact on FTEs is particularly significant. One financial services organization stated that 80% of their GRC staff resources were nothing more than document reconcilers for reporting. Their task was to reconcile and report on thousands of assessments and surveys for GRC in documents and spreadsheets that were distributed by email. It is a mess they are aggressively trying to correct.


FUTURE STATE


Organizational Alignment to Take Action on Future GRC

GRC change is afoot! Where organizations earlier indicated that they lacked alignment (70% of respondents stating they were unaligned on their current GRC technology implementation), organizations report that they are deepening collaboration and communication across the enterprise for future GRC technology strategy and alignment (62% state they are aligned).

This is further evidenced by the fact that 44% of respondents state they have an enterprise GRC strategy going forward that spans departments. This is strengthened by another 35% of organizations indicating that they may not quite be set on an enterprise decision but have multiple departments involved in GRC technology decisions.

Organizational Strategy to Select GRC Solutions Going Forward:

Enterprise decision across departments: 44%
Multiple department decision, but not quite enterprise: 35%
Single department decision: 8%
Group decision focused on specific issue: 3%
Unsure or Other: 10%

Organizational Alignment to Take Action on Future GRC Solution Initiatives:

62% Aligned
34% Unaligned
3% Unsure


GRC Technology Spending Increasing Steadily

Keeping pace with a dynamic risk and regulatory environment is reflected in broad growth in GRC technology spending in 2014 (64% report increased spending, of which 18% state that spending is increasing by over 25% from 2013).

Contrast that with only 14% of respondents indicating that GRC technology spend is decreasing. This is a very positive outlook for GRC technology with such a small percentage cutting budgets in a tight and demanding economic environment.

GRC technology spending in 2014 compared with 2013:

64% Increased Spending
  25% Increase from 1% to 10%
  21% Increase from 11% to 25%
  18% Increase over 25%
22% No Change in Spending
14% Decreased Spending
  5% Decrease from 1% to 10%
  5% Decrease from 11% to 25%
  4% Decrease over 25%
3% Unsure


Organization Plans to Purchase GRC Technology

In context of the broad increase in GRC technology spending in 2014, 41% of the spending is going toward new GRC technology (the assumption is the rest is on increased spending and implementation of existing GRC technology).

Beyond 2014, 27% of organizations indicate they will be acquiring new technology in one to two years (2015), and 31% plan on acquiring new GRC technology in two to three years (2016).

Planned timing of new GRC technology purchases:

Immediate Purchase: 12%
1 to 6 Months: 13%
7 to 12 Months: 16%
1 to 2 Years: 27%
More than 2 Years: 31%

41% of organizations indicate they plan to purchase new GRC technology in 2014 (immediate purchase through 12 months).


Crossroads In GRC Architecture Perspectives

Strategic Direction for GRC Architecture:

Prefer a centralized GRC Platform for the entire enterprise: 36%
Prefer a federated GRC Architecture that allows best of breed integration: 27%
Decentralized and non-integrated GRC solution strategy: 21%
Undecided: 17%

When it comes to future directions for GRC architecture, organizations are at a three-way intersection of roads leading to different destinations, with some (17%) undecided about which direction to head.

One road leads to a centralized GRC platform that over one-third (36%) state is their GRC technology destination. This is where the organization standardizes one primary GRC platform for the organization.

The second road is a destination of a federated GRC architecture in which organizations on this journey (27%) acquire best of breed GRC solutions that offer the greatest value to the organization and integrate these systems where and when it makes sense to do so. Often federated GRC architectures will have a centralized GRC platform as a hub that other GRC technology feeds into for enterprise reporting and coordination of GRC activities and processes.

The third road is a decentralized and non-integrated GRC strategy in which these organizations (21%) purchase best of breed solutions to meet their specific department or issue-focused (e.g., risk, regulation) needs and do not see a need to integrate technology for enterprise reporting and coordination.


Top 10 GRC Technology Spending Priorities

The OCEG GRC Technology Solutions Guide details twenty-seven categories of GRC technology. When survey respondents were presented with these twenty-seven categories to list their top GRC technology priorities to acquire, they listed the following top ten as their most critical needs:


FUTURE: Top criteria for acquiring new solutions for GRC:

Ease of Use: 49%
Price: 46%
Functionality: 44%
Configurability: 34%
Industry Expertise: 27%

PAST: Top criteria that influenced choice of current GRC solutions:

Price: 53%
Ease of Use: 45%
Functionality: 34%
Configurability: 33%
Customer Service, Financial Stability, Local Office, Integration: 19%

Ease of Use Top Criteria on Future GRC Technology

For the most part, the top criteria for evaluating GRC technology have remained the same between past purchases and planned future GRC purchases. However, the one element that has moved to the highest priority is ‘ease of use.’ Organizations show that they want GRC solutions that are practical and engaging to use. This is particularly important for GRC as it continues to move communications to the front lines of the organization.

It is also an indicator that organizations have frustration with complex GRC technology that is non-intuitive and difficult to use.


Factors That Influence Changing GRC Technology

What drives organizations to change the GRC technology they currently use?

The primary driver of change is lack of functionality in the current GRC technology (indicated by 40% of respondents). Business is dynamic, and the GRC challenges of today require advanced intelligence, integration, analytics, and holistic situational awareness of dynamic business, risk, and regulatory environments. GRC technology that was satisfactory a few years ago may be inadequate to meet the needs of GRC today and into the future.

Other factors driving change in GRC technology, though not as prominent as lack of functionality, include:

A centralized GRC strategy to bring the organization to a single GRC platform (17%).

Poor customer service in support and quality of current GRC solutions (16%).

Migration to GRC solutions that are lower cost to acquire, implement, and maintain in the environment (6%).

Reduction in budget forcing change driving organizations to implement technology to reduce overhead (5%).

What is the single most important factor when changing GRC solutions?

Lack of Functionality: 40%
Internal Move to One Platform: 17%
Poor Customer Service: 16%
Lower Cost Competitor: 6%
Reduction in Budget: 5%


Primary Goals in New GRC Technology Adoption

Business changes, regulations change, risks change — in that context GRC technology changes to meet the needs of dynamic, distributed, and disrupted business. When looking for new GRC technology, organizations indicate that the primary goals they aim to achieve are:

Complex risk and regulatory environments demand advanced capabilities of risk data integration and analytics to provide full situational awareness of risk (53%).

Organizations are realizing that good GRC requires good information, so there is increasing focus on the integrity and consistency of GRC information (43%).

Regulatory change has more than doubled in several industries over the past five years (e.g., banking, insurance, healthcare) and drives the organization to GRC technologies that enable regulatory intelligence and agility (41%).

When deploying new GRC technologies the organization is driven to reduce costs while increasing the performance of business operations (both 39%).

Primary goals for new GRC technology adoption:

Increase analytics & rapid visibility of risk: 53%
Improve consistency of information: 43%
Meet new regulatory requirements: 41%
Reduce costs: 39%
Improve performance: 39%


GRC Deployment: to SaaS or not to SaaS

In today’s software world there are two primary deployment models to decide on when purchasing GRC solutions. One is the traditional software model in which the organization purchases a perpetual license to the software and yearly maintenance. In this model the software is installed in the organization’s data center. The other model is a Software as a Service (SaaS) model that is showing the strongest growth in adoption in the software world. In this model the organization pays an annual subscription fee and the software is hosted for them in the Cloud and not in the organization’s own data center. There are hybrids to these approaches, as well as different types of SaaS models.

When it comes to the buying behavior of those acquiring GRC solutions, roughly one-third (32%) have a strong SaaS preference, while a somewhat larger group (41%) prefer the older traditional software model. When combined with those who have no preference (about one-third), roughly two-thirds of buyers are open to SaaS and two-thirds of buyers are open to traditional software.

The acceptance, and particularly the preference, of SaaS as the deployment model for GRC solutions is growing fast and most likely will overtake traditional software preference in the next one to two years.

GRC deployment model preference:

32% Prefer SaaS
41% Prefer Traditional On-Premise
No Preference: about one-third

59% SaaS & No Preference: nearly 2/3rds of the market are open to SaaS GRC solutions; 1/3rd of the market strongly prefer SaaS GRC solutions

68% Traditional & No Preference: just over 2/3rds of the market are open to traditional software GRC solutions; over 1/3rd of the market strongly prefer traditional software GRC solutions


IN SUMMARY


5 Key Takeaways

1. Tone down and control spreadsheets, documents & email for GRC

Spreadsheets, documents, and email for GRC are not going to be entirely eliminated but certainly need to be better controlled. These are tools on every desktop and they have a purpose. However, better technology needs to be used to overcome the pervasive use of spreadsheets, documents, and emails to do assessments, send surveys, communicate tasks, and do reporting — otherwise they are a nightmare that leads to the inevitability of failure as they drain FTE time, things get missed, and reporting takes a long time.

2. Understand that GRC is more than one technology

As defined in the OCEG GRC Solutions Guide and integrated into this survey, GRC technology is diverse. There is no such thing as a one stop shop for GRC. An organization may standardize on a core backbone for GRC integration, analytics, management, and reporting, but to truly do GRC requires a range of technology investments and integration.

3. Define your GRC architecture strategy

We reviewed the three architecture models for GRC: decentralized, centralized, and federated. A decentralized strategy typically points to departments doing their own thing and no enterprise coordination of GRC. A centralized strategy often leads to one platform that tries to do all things and forces much of the organization to the lowest common denominator. A federated strategy strikes a good balance between centralized and decentralized by allowing for best of breed solutions where they make sense, with integration between these systems or to a common backbone to enable enterprise GRC management and reporting.

4. Keep up with change

The greatest challenge for GRC is a dynamic business environment in which the business, risk, and regulatory environments are in a constant state of change. Agility is critical to align GRC with the business, and technology should enable the organization to keep current with changing environments.

5. Deliver GRC engagement through intuitive and easy-to-use technology

The number one criterion organizations are looking for in GRC today and into the future is ease of use. GRC is complex as it is, and technology should not add to that complexity but simplify it and make it easy for every level of the organization to engage in GRC.


REFERENCES: ABOUT OCEG


OCEG GRC Solutions Category Definitions

The following categories are from the OCEG GRC Solutions Guide 2.1. This guide is collaboratively developed and maintained by the members of the OCEG GRC Solutions Council.

Audit and Assurance Management systems are used to manage audit cycles – this includes audit planning, resource scheduling/calendaring, work paper management, and audit process management. They also support a risk-based approach to audit planning to prioritize audits based on the risk to the business.

Board and Entity Management technology enables corporate governance processes, frameworks, policies, structures, and activities in support of the overall coordination of an organization’s board and management responsibilities in accordance with legal, fiduciary, legal-structure, and operational requirements. This includes board collaboration, communications, reporting, board paper management, and voting.

Brand and Reputation Management systems track, report and manage responses to an organization’s activities and customer, employee, partner and shareholder opinions about those activities. This area of technology is rapidly expanding to encompass solutions to monitor risk to brand and reputation across social media applications.

Business Continuity Management systems model, record and direct the responsibilities, plans, actions and execution of continuity and disaster plans, testing of operating procedures, alternatives, information back-ups, data recovery and restoration processes during expected and unexpected disruptions to all areas of operation.

Compliance Management systems support the overall coordination of legal, regulatory, contractual, and corporate policy obligations and responsibilities with associated compliance tasks and records. This includes the ability to monitor, document, and manage changes to the regulatory environment and other obligations; to document all obligations of the organization; to perform compliance assessments against obligations; and report on the state of compliance.

Contract Management tools provide the ability to create, manage, store, change, deliver and append all business-related contracts (with suppliers and clients) and apply organizational policies and procedures, as well as specific legal and local regulatory criteria, to their administration.



Control Activity, Monitoring, and Assurance systems provide the ability to define, document, map, monitor, test, assess, and report on controls within the organization, including process and systems documentation; manual and automated controls; the limitations or conditions applied to amounts and parties in a transaction; user access, rights, and responsibilities; and accounts, workflows, and process initiation. This category of software is also often referred to as Continuous Control Monitoring (CCM) or Automated Controls. This includes the capability to test, on a continuing or periodic basis, data and activity against defined rules to identify and report potential errors, the failure of controls, or inappropriate actions – including tests of business transactions, network activity, intrusion attempts, the sharing of confidential information or intellectual property, systems access, etc. Also included in this area is the ability to do GRC data analytics, monitoring, and mining.
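As an added illustration of the continuous control monitoring this category describes (example code written for this edit, not from OCEG or any vendor named in the report), the following Python script tests constructed sample transactions and access events against a few defined control rules and reports the exceptions. The record fields, rule identifiers, approval limits, vendor list and entitlements are all assumptions chosen for the example.

```python
"""Minimal continuous control monitoring (CCM) rule engine.

Added example, not part of the OCEG report. It tests constructed sample
records against defined control rules and reports exceptions, the kind of
check the Control Activity, Monitoring, and Assurance category describes.
Field names, rule ids, limits and reference lists are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: purchase transactions and system-access events.
TRANSACTIONS = [
    {"id": "T1", "initiator": "alice", "approver": "bob",   "amount": 4_000,  "vendor": "V100"},
    {"id": "T2", "initiator": "carol", "approver": "carol", "amount": 12_000, "vendor": "V100"},
    {"id": "T3", "initiator": "dave",  "approver": "erin",  "amount": 75_000, "vendor": "V999"},
    {"id": "T4", "initiator": "alice", "approver": "bob",   "amount": 9_500,  "vendor": "V200"},
]
ACCESS_EVENTS = [
    {"id": "A1", "user": "alice", "system": "erp-prod",   "action": "login"},
    {"id": "A2", "user": "frank", "system": "erp-prod",   "action": "login"},
    {"id": "A3", "user": "bob",   "system": "hr-payroll", "action": "export"},
]

# Reference data the rules test against (constructed as well).
APPROVAL_LIMIT = {"bob": 10_000, "carol": 10_000, "erin": 50_000}   # per-approver authority
APPROVED_VENDORS = {"V100", "V200"}                                  # vendor master list
ENTITLEMENTS = {"alice": {"erp-prod"}, "bob": {"erp-prod"}, "carol": {"erp-prod"}}


@dataclass(frozen=True)
class Finding:
    rule: str        # rule id that fired
    record_id: str   # record that failed the control
    detail: str      # human-readable explanation for the issue queue


# A rule returns an explanation when the control fails, None when it passes.
Rule = Callable[[dict], Optional[str]]


def sod_self_approval(tx: dict) -> Optional[str]:
    """Segregation of duties: the initiator must not approve their own transaction."""
    if tx["initiator"] == tx["approver"]:
        return f"{tx['initiator']} both initiated and approved the transaction"
    return None


def approval_limit(tx: dict) -> Optional[str]:
    """Authority limit: amount must be within the approver's limit.
    Fails closed: an approver with no configured limit is treated as limit 0."""
    limit = APPROVAL_LIMIT.get(tx["approver"], 0)
    if tx["amount"] > limit:
        return f"amount {tx['amount']} exceeds {tx['approver']}'s limit of {limit}"
    return None


def approved_vendor(tx: dict) -> Optional[str]:
    """Master-data control: payments only to vendors on the approved list."""
    if tx["vendor"] not in APPROVED_VENDORS:
        return f"vendor {tx['vendor']} is not on the approved vendor list"
    return None


def entitled_access(ev: dict) -> Optional[str]:
    """Access control: the user must hold an entitlement for the system touched."""
    if ev["system"] not in ENTITLEMENTS.get(ev["user"], set()):
        return f"{ev['user']} performed {ev['action']} on {ev['system']} without an entitlement"
    return None


RULESETS: Dict[str, List[Tuple[str, Rule]]] = {
    "transactions": [("SOD-01", sod_self_approval),
                     ("LIM-01", approval_limit),
                     ("VEN-01", approved_vendor)],
    "access": [("ACC-01", entitled_access)],
}


def evaluate(records: List[dict], rules: List[Tuple[str, Rule]]) -> List[Finding]:
    """Apply every rule to every record; collect one Finding per failed test."""
    findings: List[Finding] = []
    for rec in records:
        for rule_id, check in rules:
            detail = check(rec)
            if detail is not None:
                findings.append(Finding(rule_id, rec["id"], detail))
    return findings


def run_monitoring() -> List[Finding]:
    """One monitoring cycle over all sources; schedule it for periodic testing
    or call it per batch of new records for continuous testing."""
    return (evaluate(TRANSACTIONS, RULESETS["transactions"])
            + evaluate(ACCESS_EVENTS, RULESETS["access"]))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Exceptions per rule, the figure a control dashboard would report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = run_monitoring()
    for f in results:
        print(f"{f.rule}\t{f.record_id}\t{f.detail}")
    print(summarize(results))
```

Running the script prints one line per exception and a count per rule. In a real deployment the record sources would be ERP, identity or network logs pulled on a schedule (periodic testing) or as events arrive (continuous testing), and the findings would be handed to the issue and investigations system rather than printed. Note that the approval-limit rule fails closed: an approver with no configured limit raises an exception instead of being silently accepted.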

Corporate Social Responsibility tools help document the objectives, measure performance, assign responsibilities, recommend and monitor actions, organize contextual news feeds, support internal and external reporting, and communicate relative to an organization’s perceived relationship with the local and broader community, focused on the impact to its reputation, brand, and market growth.

Discovery/eDiscovery Management tools assist in managing and communicating discovery holds and uncovering, segmenting, organizing and storing electronic forms of evidence that can be used in an investigation, both before and after the occurrence of the related events, including tools that separate potential discovery documents from their original locations and repositories. This category of technology also includes systems for retention management that integrate with content/document systems to manage the storage, disposition, and retention of information.

Environmental Monitoring and Reporting systems and related applications help monitor, analyze, record, and report organizational activity focused on compliance with environmental laws and regulations, related corporate policy related to managing environmental controls and conditions, and assessing the environmental impact of the corporation’s operations, strategies, and plans.

Environmental, Health, and Safety applications help manage the regulatory and policy-based guidelines and processes for protecting and reporting on the workforce, workplace, resources-under-management and external environment impacted by an organization’s activities.



Finance/Treasury Risk Management solutions provide an array of applications and systems used to identify and manage the risk factors, causes and response procedures in an organization’s financial and treasury management. These include risk technology focused on specific areas such as liquidity, credit, market, and commodity risk management that help identify risk and execute historical review, simulation, interpretation and projection of impacts on an organization’s financial assets given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously.

Fraud & Corruption Detection, Prevention & Management systems assist in the identification of, response to, control, and reduction of incidents involving misuse, theft or misapplication of an organization’s resources and assets by employees and/or third parties, and in the investigation of those incidents. Technology includes tools for data collection, monitoring, mining, and analysis as well as emerging technologies such as social network analysis, social media sourcing, third party due diligence and statistical modeling. This category of solutions includes software that addresses such issues as anti-corruption/bribery compliance, fraud, and Anti-Money Laundering (AML).

Global Trade Compliance/International Dealings systems document, manage, and provide required reporting on relevant regulations for the exchange of capital, goods and services across international boundaries.

Hotline/Helpline systems provide information intake and response systems to provide a confidential, independent resource for all employees and others to report observations related to issues as well as potential acts of fraud, theft, inappropriate or illegal behavior, negligence or other impropriety committed by employees, partners or contractors as well as seek clarification/guidance on conduct, policies, and procedures.

Information/IT Risk & Security Management systems implement the frameworks and principles that govern risk, security, controls and compliance-guided elements in the planning, development, acquisition, delivery, use, integration, evaluation and retirement of information and technology resources.



Insurance and Claims Management platforms record and administer an organization’s corporate insurance, liability and warranty coverage levels and documents (including property and casualty, product liability, directors’ and officers’, and related areas of core coverage) and help execute the related claims, process the forms and monitor claims administration procedures across jurisdictions.

Intellectual Property Management systems help identify, capture, organize and protect the organization’s portfolio of intellectual property (copyrights, trademarks, patents, trade secrets and all related intangible assets with inherent value) and enable the legal reuse and sharing of intellectual property created by third parties.

Issue and Investigations Management is used to manage investigations, issues, incidents, events, or cases: they specifically provide consistent documentation and processes for the management of events — from reporting, to managing and documenting the investigation, to recording the loss and business impact.

Matter Management systems administer the collection of facts related to events and legal cases under investigation, for use in verifying their circumstances, in order to provide valid information for testing by independent parties with the confidence that the information provided is related to these events.

Physical Security & Loss Management systems enhance physical asset and individual protection, and the authorization and monitoring of access to an organization’s facilities and property. This category of technology also includes systems to manage physical loss and theft.

Policy Management, Communication, & Training systems manage the development, recording, organization, modification, maintenance, communication, training, and administration of policies, procedures, standards, and guidelines in response to new or changing requirements or principles, and correlate them to one another. This also includes systems used to train employees and extended business relationships on policy and risk areas and to verify their understanding.

Privacy Management systems and tools help to identify, capture, segment, and secure access to and use of personally identifying information across information sources, applications and users in compliance with applicable laws and regulations. Privacy technology is broader than security technology as it encompasses the accuracy and use of private information and not just the protection of it.



Quality Management and Monitoring systems record, benchmark, track and manage activity related to product and service quality assessments and certifications, production failures, product recalls, design and delivery improvements and their related regulatory guidelines.

Reporting and Disclosure applications include solutions for assembling and distributing financial, operational, regulatory information to management, the board, regulators and shareholders. These solutions provide visibility and transparency related to business outcomes. Some solutions may support formats and templates required by regulators and agencies for required reporting.

Risk Management systems support the identification, assessment, evaluation and response, and monitoring of risks and opportunities of risk across the organization. This includes the ability to monitor changes in the external and internal contexts to alert an organization to changing risk conditions (e.g., geo-political, economic, competitor, technology, and natural disaster) that can impact business. These systems help identify specific causes and execute historical review, simulation, interpretation and projection of impacts on an organization’s operations or assets given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously. This category includes enterprise risk management systems, operational risk management systems, as well as specialized risk applications.

Strategy, Performance, and Business Intelligence include solutions for identifying and managing corporate strategies, goals, and objectives and cascading them through the organization; optimizing operational and financial performance against those objectives; and providing valuable information for decision-making and reporting purposes.

Third Party/Vendor Risk & Compliance solutions govern, record, and maintain the communication, attestation, and assessment of code of conduct, contractual compliance, risk and compliance self-assessments, and audits across extended business relationships (e.g., supply-chain/value-chain, contractors, outsourcers, service providers, consultants, staffing agencies).



OCEG’s GRC Standards Library

OCEG’s GRC Standards Library helps to jump-start and improve your approach to achieving Principled Performance.


OCEG’s GRC Certification, Surveys & Illustrations

OCEG has a range of resources that help organizations understand, apply, and communicate Principled Performance and GRC.

Certifications

Surveys: OCEG One-Minute Polls on focused subjects; GRC Maturity; GRC Metrics & Measurement; GRC Technology Strategy.

GRC Illustrated: OCEG has developed over 60 GRC illustrations, infographics that help organizations understand and communicate Principled Performance and GRC.

GRC Illustrated: Pathway to Principled Performance (infographic, ©2014 OCEG; contact [email protected] for reprints or licensing requests). The illustration’s content, in text form:

Governance (G), Audit (A) and the Performance (Pm), Risk (Rm) and Compliance (Cm) management disciplines work together as the organization drives toward its objectives. Governance asks "What are our mission, vision and values?" and "What business model is required to reliably achieve objectives while addressing uncertainty and acting with integrity?"; management answers with a business model and operating plan (objectives, business model, budget and resources, risk appetite, performance metrics); audit provides assurance to management and the board that important things are getting done the way they are thought to be, and asks what the performance scorecard looks like relative to risk and compliance.

Uncertainty along the way carries both risk and reward: sometimes it presents opportunities to seize, sometimes it threatens objectives and action must be taken. Two boundaries must not be crossed, however tempting a shortcut looks, because they represent promises made: voluntary boundaries, defined by management (values, contractual obligations and other promises), and mandatory boundaries, defined by external forces such as government laws and regulation.

The pathway has three elements:

1. Capabilities. Think of capabilities as tools for many different purposes; develop capabilities that all governance, management and audit systems can leverage, so that when a capability improves, every system benefits. The common capabilities are: Align (set mission, vision and values; define objectives in light of opportunities, risks and requirements; align strategies with resources and processes); Proact (proactively identify changes in risks and requirements, incentivize positive conduct, and prevent unproductive or improper conduct); Detect (detect when desirable and undesirable events occur using a mix of push and pull, manual and automated techniques); Respond (reward desirable conduct and outcomes, remediate anything undesirable, and adjust capabilities when necessary in response to findings); Measure (assess critical aspects of capabilities; measure performance relative to risk and compliance); Interact (establish technology and information systems to communicate up, down and across the organization and with external stakeholders).

2. Systems. Core governance, audit and management systems are the backbone of an organization. They leverage the common capabilities for multiple purposes.

3. Pathway. By orchestrating integrated governance, audit and management systems, an organization can reliably achieve objectives while addressing uncertainty and acting with integrity. Assurance improves once there is a uniform way to measure and report, and using resources more effectively makes the organization more competitive with better outcomes.


OCEG’s GRC Solutions Council

Members of OCEG’s GRC Solutions Council collaborate to develop educational materials on the benefits of advancing GRC processes and technologies, as well as key resources to assist companies in maturing their GRC strategy.



REFERENCES: SURVEY RESPONSES


GRC Technology Survey 2013 Report

Report page 1 (258 responses)

Value | Count | Percent
Publicly Traded | 104 | 40%
Privately Held | 99 | 38%
Government Agency/Organization | 30 | 12%
Non-profit organization | 17 | 7%
Educational Organization | 5 | 2%
State Owned Enterprises/Crown Corporations | 3 | 1%


Report pages 2 and 3 (258 responses)

Value | Count | Percent
Risk Management | 65 | 25%
Audit | 58 | 22%
Corporate Compliance/Ethics | 53 | 21%
Information Technology | 23 | 9%
Centralized GRC Group/Architecture | 14 | 5%
Security | 12 | 5%
Management (Executive / Corporate) | 12 | 5%
Other | 6 | 2%
Business Operations / Logistics | 6 | 2%
Finance / Accounting | 5 | 2%
Vendor/Supplier Management | 1 | 0%
Research | 1 | 0%
Corporate Social Responsibility | 1 | 0%
Legal | 1 | 0%


Report page 4 (258 responses)

Value | Count | Percent
Top Level Executive | 15 | 6%
Senior Vice President | 17 | 7%
Vice President | 32 | 12%
Director | 61 | 24%
Manager | 72 | 28%
Professional | 51 | 20%
Administrative | 4 | 2%
Other | 6 | 2%


Report page 5 (256 responses)

Value | Count | Percent
1 - 500 | 34 | 13%
501 - 1,000 | 25 | 10%
1,001 - 2,500 | 37 | 14%
2,501 - 5,000 | 33 | 13%
5,001 - 10,000 | 35 | 14%
10,001 - 25,000 | 36 | 14%
25,000+ | 56 | 22%


Report page 6 (176 responses)

Value | Count | Percent
Excellent | 11 | 6%
Good | 36 | 20%
Fair | 74 | 42%
Poor | 50 | 28%
Don't Know | 5 | 3%


Report page 7 (176 responses)

Value | Count | Percent
Strongly Agree | 19 | 11%
Somewhat Agree | 61 | 35%
Somewhat Disagree | 58 | 33%
Strongly Disagree | 32 | 18%
Don't Know | 6 | 3%


Report page 8 (176 responses)

Value | Count | Percent
Strongly Agree | 75 | 43%
Somewhat Agree | 66 | 38%
Somewhat Disagree | 22 | 13%
Strongly Disagree | 10 | 6%
Don't Know | 3 | 2%


Report page 9 (176 responses)

Value | Count | Percent
Strongly Agree | 71 | 40%
Somewhat Agree | 71 | 40%
Somewhat Disagree | 14 | 8%
Strongly Disagree | 17 | 10%
Don't Know | 3 | 2%


Report page 10 (176 responses)

Value | Count | Percent
Yes, we have one GRC solution for the entire organization | 41 | 23%
Yes, we have multiple GRC solutions that we use across the organization | 60 | 34%
Yes, we have a GRC solution in my department but I am unaware of what other departments are doing | 17 | 10%
No, we do not have any GRC solutions being used in our organization | 56 | 32%
Don't Know | 2 | 1%


Report pages 11 to 13

In each of the following categories, how has your organization approached GRC technology solutions? (select all that apply)

NOTE: Definitions for each of these categories can be found at http://www.oceg.org/resources/grc-technology-solutions/

Columns, given as percent (count) of the responses for that category: (A) spreadsheets, documents, and emails; (B) solution built and supported in-house by IT; (C) commercial GRC software for this category; (D) two or more commercial GRC software solutions for this category; (E) don't know; followed by the number of responses. Percentages in a row do not sum to 100% because respondents could select more than one approach.

Category | A | B | C | D | E | Responses
Audit and Assurance Management | 57% (99) | 12% (20) | 37% (64) | 6% (11) | 8% (14) | 173
Board and Entity Management | 46% (79) | 12% (20) | 13% (23) | 2% (4) | 32% (55) | 172
Brand and Reputation Management | 44% (75) | 5% (9) | 6% (10) | 2% (4) | 47% (81) | 172
Business Continuity Management | 50% (86) | 15% (25) | 23% (39) | 3% (5) | 20% (35) | 172
Compliance Management | 59% (102) | 12% (21) | 28% (48) | 8% (14) | 10% (18) | 173
Contract Management | 47% (80) | 20% (34) | 22% (37) | 6% (10) | 18% (31) | 172
Control Activity, Monitoring, and Assurance | 52% (89) | 14% (24) | 27% (47) | 8% (13) | 16% (28) | 171
Corporate Social Responsibility | 41% (70) | 5% (8) | 9% (16) | 2% (3) | 46% (79) | 171
Discovery/eDiscovery Management | 34% (58) | 9% (16) | 13% (22) | 6% (10) | 45% (77) | 172
Environmental Monitoring and Reporting | 42% (72) | 8% (13) | 13% (23) | 4% (6) | 40% (69) | 171
Environmental, Health, and Safety | 44% (76) | 9% (16) | 14% (24) | 3% (5) | 38% (65) | 171
Finance/Treasury Risk Management | 39% (67) | 20% (34) | 25% (44) | 8% (14) | 24% (42) | 173
Fraud & Corruption Detection, Prevention & Management | 48% (83) | 12% (21) | 20% (34) | 9% (15) | 26% (45) | 173
Global Trade Compliance/International Dealings | 32% (54) | 8% (14) | 12% (20) | 4% (6) | 51% (88) | 171
Hotline/Helpline | 27% (46) | 21% (36) | 31% (54) | 3% (6) | 26% (44) | 172
Information/IT Risk & Security | 38% (65) | 27% (46) | 34% (58) | 8% (13) | 17% (30) | 173
Insurance and Claims Management | 36% (62) | 15% (25) | 14% (24) | 5% (8) | 41% (71) | 172
Intellectual Property Management | 38% (66) | 11% (19) | 7% (12) | 1% (1) | 49% (85) | 172
Issue and Investigations Management | 45% (77) | 12% (21) | 25% (42) | 5% (9) | 24% (41) | 171
Matter Management | 29% (49) | 4% (7) | 13% (22) | 3% (5) | 54% (93) | 171
Physical Security & Loss Management | 43% (74) | 17% (29) | 17% (29) | 3% (6) | 34% (58) | 172
Policy Management, Communication, & Training | 47% (80) | 24% (42) | 25% (43) | 6% (11) | 15% (26) | 172
Privacy Management | 41% (70) | 13% (22) | 15% (25) | 3% (6) | 40% (68) | 172
Quality Management and Monitoring | 40% (70) | 18% (31) | 17% (29) | 6% (11) | 34% (59) | 173
Reporting and Disclosure | 50% (85) | 15% (26) | 23% (40) | 3% (5) | 26% (45) | 171
Risk Management | 54% (94) | 20% (35) | 31% (53) | 6% (10) | 14% (25) | 173
Strategy, Performance, and Business Intelligence | 42% (73) | 12% (20) | 17% (29) | 7% (12) | 35% (61) | 172
Third Party/Vendor Risk & Compliance | 49% (85) | 12% (20) | 24% (42) | 6% (11) | 23% (40) | 172
Other | 21% (34) | 3% (5) | 3% (5) | 1% (1) | 74% (121) | 164


Report pages 14 to 16

What has been your company’s average annual spend on GRC solutions in the following categories over the past three years (include license fees, maintenance fees, subscription fees and consulting fees)?

Columns, given as percent (count) of the responses for that category: (1) no spend; (2) $1 to $25,000; (3) $25,001 to $100,000; (4) $100,001 to $500,000; (5) $500,001 to $999,999; (6) more than $1,000,000; (7) don't know; followed by the number of responses.

Category | 1 | 2 | 3 | 4 | 5 | 6 | 7 | Responses
Audit and Assurance Management | 19% (32) | 17% (30) | 15% (25) | 7% (12) | 2% (4) | 0% (0) | 40% (69) | 172
Board and Entity Management | 22% (37) | 11% (19) | 5% (8) | 3% (5) | 0% (0) | 1% (1) | 59% (99) | 169
Brand and Reputation Management | 23% (39) | 10% (17) | 3% (5) | 2% (4) | 2% (3) | 1% (1) | 59% (100) | 169
Business Continuity Management | 21% (35) | 13% (21) | 7% (12) | 6% (10) | 1% (2) | 0% (0) | 52% (88) | 168
Compliance Management | 15% (26) | 14% (24) | 14% (23) | 8% (14) | 1% (2) | 3% (5) | 44% (75) | 169
Contract Management | 19% (32) | 15% (25) | 6% (10) | 4% (7) | 1% (1) | 1% (2) | 54% (91) | 168
Control Activity, Monitoring, and Assurance | 19% (32) | 13% (22) | 7% (12) | 7% (12) | 1% (1) | 1% (2) | 52% (87) | 168
Corporate Social Responsibility | 24% (41) | 10% (17) | 4% (6) | 0% (0) | 1% (2) | 1% (1) | 60% (101) | 168
Discovery/eDiscovery Management | 23% (38) | 9% (15) | 4% (6) | 2% (3) | 1% (2) | 0% (0) | 62% (104) | 168
Environmental Monitoring and Reporting | 26% (43) | 8% (13) | 3% (5) | 2% (3) | 1% (1) | 1% (1) | 61% (102) | 168
Environmental, Health, and Safety | 22% (37) | 11% (18) | 4% (7) | 2% (3) | 2% (3) | 1% (1) | 59% (99) | 168
Finance/Treasury Risk Management | 17% (28) | 10% (17) | 6% (10) | 4% (7) | 2% (3) | 2% (3) | 60% (100) | 168
Fraud & Corruption Detection, Prevention & Management | 18% (31) | 15% (25) | 4% (7) | 5% (8) | 1% (1) | 2% (3) | 55% (93) | 168
Global Trade Compliance/International Dealings | 24% (40) | 9% (15) | 4% (7) | 1% (1) | 0% (0) | 1% (2) | 61% (103) | 168
Hotline/Helpline | 18% (30) | 15% (26) | 9% (15) | 4% (6) | 2% (3) | 0% (0) | 53% (89) | 169
Information/IT Risk & Security | 12% (21) | 12% (20) | 9% (15) | 12% (21) | 2% (4) | 3% (5) | 49% (83) | 169
Insurance and Claims Management | 23% (39) | 9% (15) | 3% (5) | 3% (5) | 0% (0) | 3% (5) | 59% (99) | 168
Intellectual Property Management | 25% (41) | 10% (17) | 1% (1) | 1% (2) | 1% (2) | 1% (1) | 62% (103) | 167
Issue and Investigations Management | 22% (37) | 11% (19) | 5% (8) | 4% (7) | 1% (1) | 2% (4) | 55% (92) | 168
Matter Management | 27% (45) | 8% (13) | 2% (4) | 1% (1) | 1% (1) | 1% (1) | 61% (103) | 168
Physical Security & Loss Management | 17% (28) | 11% (19) | 8% (14) | 3% (5) | 1% (1) | 2% (3) | 58% (96) | 166
Policy Management, Communication, & Training | 15% (26) | 18% (31) | 8% (13) | 6% (10) | 1% (2) | 0% (0) | 51% (86) | 168
Privacy Management | 24% (41) | 11% (19) | 5% (8) | 1% (2) | 1% (2) | 0% (0) | 57% (96) | 168
Quality Management and Monitoring | 21% (35) | 11% (19) | 4% (6) | 4% (7) | 4% (6) | 1% (1) | 56% (94) | 168
Reporting and Disclosure | 20% (34) | 11% (19) | 9% (15) | 1% (2) | 1% (1) | 1% (2) | 57% (95) | 168
Risk Management | 16% (27) | 17% (28) | 11% (18) | 9% (15) | 0% (0) | 2% (4) | 46% (77) | 169
Strategy, Performance, and Business Intelligence | 20% (33) | 10% (16) | 6% (10) | 5% (8) | 1% (1) | 1% (2) | 58% (98) | 168
Third Party/Vendor Risk & Compliance | 19% (32) | 17% (28) | 9% (15) | 3% (5) | 1% (1) | 1% (1) | 51% (85) | 167

Value | Count | Percent
A centralized "GRC Platform" for the entire enterprise across all relevant categories to your business | 62 | 36%
A federated "GRC Platform" for certain categories and "best of breed" solutions in others | 46 | 27%
A distributed range of "best of breed" solutions in different categories that operate independently of each other | 36 | 21%
Other | 7 | 4%
Don't Know | 22 | 13%
Total Responses: 173

Value | Count | Percent
Brand name | 25 | 15%
Price | 91 | 53%
Customer service | 33 | 19%
They have a local office | 17 | 10%
They are a large, financially stable company | 33 | 19%
They specialize in my industry | 33 | 19%
Best functionality in the area I oversee | 58 | 34%
Ability to configure the software without vendor support & charges | 57 | 33%
Ease of use | 77 | 45%
Ability to integrate with existing ERP system | 33 | 19%
Mobile functionality | 6 | 4%
I can buy all the functionality/modules I need from the same provider | 22 | 13%
Total Responses: 171

Value | Count | Percent
Internet search | 101 | 59%
GRC software report | 94 | 55%
Intermediary (eg: accounting firm, insurance co, law firm etc) | 50 | 29%
GRC software advisor | 64 | 38%
Referral from a friend / colleague | 64 | 38%
Industry exhibition, web forum | 66 | 39%
Response to an advertisement | 14 | 8%
Total Responses: 170

Value | Count | Percent
No new technology solutions are needed | 36 | 24%
We are waiting until the market matures before taking action or looking at new technology solutions for GRC needs | 27 | 18%
We will primarily make use of boutique vendors and point solutions to meet GRC needs | 34 | 23%
We will look primarily to our ERP provider(s) to help meet GRC needs | 12 | 8%
Don't know | 18 | 12%
Other | 21 | 14%
Total Responses: 148

Value | Count | Percent
We are buying new point solutions to resolve specific GRC issues | 44 | 30%
We are looking first to our existing environment for solutions that can be used or repurposed | 63 | 43%
We are extending our existing enterprise architectures with add-on solutions offered by our current enterprise software vendors | 28 | 19%
We are extending our existing enterprise architectures by developing customized solutions | 23 | 16%
Don't know | 21 | 14%
Total Responses: 148

Value | Count | Percent
Lower or avoid costs | 51 | 34%
Increase reliability | 19 | 13%
Improve performance | 58 | 39%
Improve consistency of information | 64 | 43%
Increase analytics and rapid visibility to risk | 79 | 53%
Reduce complexity | 49 | 33%
Reduce risks | 58 | 39%
Regulatory compliance | 60 | 41%
Total Responses: 148

Value | Count | Percent
Audit and Assurance Management | 34 | 23%
Board and Entity Management | 5 | 3%
Brand and Reputation Management | 4 | 3%
Business Continuity Management | 18 | 12%
Compliance Management | 44 | 30%
Contract Management | 13 | 9%
Control Activity, Monitoring, and Assurance | 31 | 21%
Corporate Social Responsibility | 1 | 1%
Discovery/eDiscovery Management | 3 | 2%
Environmental Monitoring and Reporting | 2 | 1%
Environmental, Health, and Safety | 3 | 2%
Finance/Treasury Risk Management | 12 | 8%
Fraud & Corruption Detection, Prevention & Management | 15 | 10%
Hotline/Helpline | 9 | 6%
Information/IT Risk & Security | 31 | 21%
Insurance and Claims Management | 3 | 2%
Intellectual Property Management | 3 | 2%
Issue and Investigations Management | 14 | 10%
Matter Management | 2 | 1%
Physical Security & Loss Management | 2 | 1%
Policy Management, Communication, & Training | 28 | 19%
Privacy Management | 4 | 3%
Quality Management and Monitoring | 5 | 3%
Reporting and Disclosure | 17 | 12%
Risk Management | 48 | 33%
Strategy, Performance, and Business Intelligence | 13 | 9%
Third Party/Vendor Risk & Compliance | 15 | 10%
Other | 7 | 5%
Don't Know | 42 | 29%
Total Responses: 147

Value | Count | Percent
Strongly Agree | 17 | 14%
Somewhat Agree | 60 | 48%
Somewhat Disagree | 32 | 26%
Strongly Disagree | 12 | 10%
Don't Know | 4 | 3%
Total Responses: 125

Value | Count | Percent
SaaS | 40 | 32%
Internally hosted | 51 | 41%
No preference | 25 | 20%
Don't Know | 9 | 7%
Total Responses: 125

Value | Count | Percent
Annual subscription contract with no upfront license fee | 24 | 19%
License with an annual maintenance contract | 53 | 42%
No preference | 37 | 30%
Don't Know | 11 | 9%
Total Responses: 125

Value | Count | Percent
Lower cost competitor | 7 | 6%
Internal requirement for One-Stop-Shop | 21 | 17%
Poor customer service (e.g. support line, product upgrades) | 20 | 16%
Lack of functionality | 50 | 40%
Reduction in compliance budget | 6 | 5%
Other | 11 | 9%
Don't Know | 10 | 8%
Total Responses: 125

What is the timeframe that you expect for your organization to implement new or additional GRC solutions?

Category | Immediately | 1 to 6 months | 7 to 12 months | 1 to 2 years | More than 2 years | Don't Know | Responses
Audit and Assurance Management | 6% (8) | 7% (9) | 7% (9) | 17% (21) | 17% (21) | 46% (57) | 125
Board and Entity Management | 2% (3) | 2% (2) | 5% (6) | 6% (8) | 14% (17) | 71% (89) | 125
Brand and Reputation Management | 2% (2) | 1% (1) | 4% (5) | 5% (6) | 12% (15) | 77% (96) | 125
Business Continuity Management | 3% (4) | 9% (11) | 7% (9) | 18% (22) | 11% (14) | 52% (65) | 125
Compliance Management | 6% (7) | 11% (14) | 11% (14) | 17% (21) | 11% (14) | 44% (55) | 125
Contract Management | 3% (4) | 8% (10) | 6% (7) | 9% (11) | 11% (14) | 63% (79) | 125
Control Activity, Monitoring, and Assurance | 3% (4) | 10% (13) | 6% (7) | 15% (19) | 12% (15) | 54% (67) | 125
Corporate Social Responsibility | 2% (2) | 2% (2) | 0% (0) | 9% (11) | 8% (10) | 80% (100) | 125
Discovery/eDiscovery Management | 2% (3) | 3% (4) | 3% (4) | 4% (5) | 11% (14) | 76% (95) | 125
Environmental Monitoring and Reporting | 2% (2) | 2% (3) | 2% (2) | 8% (10) | 6% (8) | 80% (100) | 125
Environmental, Health, and Safety | 3% (4) | 2% (2) | 2% (3) | 10% (12) | 8% (10) | 75% (94) | 125
Finance/Treasury Risk Management | 3% (4) | 6% (8) | 4% (5) | 10% (12) | 10% (12) | 67% (84) | 125
Fraud & Corruption Detection, Prevention & Management | 2% (3) | 2% (2) | 7% (9) | 13% (16) | 11% (14) | 65% (81) | 125
Global Trade Compliance/International Dealings | 2% (2) | 2% (3) | 2% (3) | 4% (5) | 10% (13) | 79% (99) | 125
Hotline/Helpline | 6% (8) | 2% (3) | 3% (4) | 4% (5) | 12% (15) | 72% (90) | 125
Information/IT Risk & Security | 5% (6) | 6% (7) | 11% (14) | 15% (19) | 12% (15) | 51% (64) | 125
Insurance and Claims Management | 2% (2) | 1% (1) | 2% (2) | 4% (5) | 13% (16) | 79% (99) | 125
Intellectual Property Management | 2% (2) | 3% (4) | 2% (2) | 6% (8) | 9% (11) | 78% (98) | 125
Issue and Investigations Management | 3% (4) | 4% (5) | 6% (8) | 8% (10) | 10% (13) | 68% (85) | 125
Matter Management | 2% (3) | 4% (5) | 2% (3) | 2% (2) | 10% (12) | 80% (100) | 125
Physical Security & Loss Management | 5% (6) | 2% (2) | 2% (3) | 5% (6) | 10% (13) | 76% (95) | 125
Policy Management, Communication, & Training | 4% (5) | 6% (8) | 10% (12) | 13% (16) | 10% (13) | 57% (71) | 125
Privacy Management | 2% (3) | 3% (4) | 7% (9) | 6% (8) | 9% (11) | 72% (90) | 125
Quality Management and Monitoring | 2% (3) | 3% (4) | 6% (7) | 10% (12) | 10% (12) | 70% (87) | 125
Reporting and Disclosure | 3% (4) | 5% (6) | 7% (9) | 5% (6) | 8% (10) | 72% (90) | 125
Risk Management | 8% (10) | 10% (13) | 8% (10) | 17% (21) | 9% (11) | 48% (60) | 125
Strategy, Performance, and Business Intelligence | 6% (8) | 3% (4) | 7% (9) | 4% (5) | 9% (11) | 70% (88) | 125
Third Party/Vendor Risk & Compliance | 5% (6) | 2% (3) | 10% (12) | 10% (13) | 6% (7) | 67% (84) | 125

What do you estimate your company's budget on GRC solutions per year will be (once your company decides to implement such software) in the following areas?

Category | No Spend | $1 to $25,000 | $25,001 to $100,000 | $100,001 to $500,000 | $500,001 to $999,999 | >USD $1,000,000 | Don't Know | We do not have a budget | Responses
Audit and Assurance Management | 7% (9) | 21% (26) | 10% (12) | 9% (11) | 1% (1) | 0% (0) | 30% (38) | 22% (28) | 125
Board and Entity Management | 10% (13) | 11% (14) | 6% (7) | 0% (0) | 0% (0) | 0% (0) | 40% (50) | 33% (41) | 125
Brand and Reputation Management | 13% (16) | 10% (13) | 2% (2) | 1% (1) | 0% (0) | 1% (1) | 39% (49) | 34% (43) | 125
Business Continuity Management | 7% (9) | 8% (10) | 10% (13) | 6% (7) | 1% (1) | 0% (0) | 39% (49) | 29% (36) | 125
Compliance Management | 6% (7) | 14% (17) | 12% (15) | 10% (12) | 0% (0) | 1% (1) | 34% (42) | 25% (31) | 125
Contract Management | 11% (14) | 7% (9) | 9% (11) | 6% (7) | 0% (0) | 1% (1) | 40% (50) | 26% (33) | 125
Control Activity, Monitoring, and Assurance | 10% (12) | 14% (18) | 6% (7) | 5% (6) | 1% (1) | 0% (0) | 34% (43) | 30% (38) | 125
Corporate Social Responsibility | 14% (18) | 10% (12) | 2% (2) | 1% (1) | 0% (0) | 0% (0) | 41% (51) | 33% (41) | 125
Discovery/eDiscovery Management | 15% (19) | 8% (10) | 4% (5) | 1% (1) | 0% (0) | 0% (0) | 38% (47) | 34% (43) | 125
Environmental Monitoring and Reporting | 14% (17) | 9% (11) | 2% (2) | 2% (2) | 0% (0) | 0% (0) | 40% (50) | 34% (43) | 125
Environmental, Health, and Safety | 13% (16) | 10% (12) | 3% (4) | 3% (4) | 0% (0) | 0% (0) | 37% (46) | 34% (42) | 124
Finance/Treasury Risk Management | 10% (12) | 6% (8) | 9% (11) | 2% (3) | 3% (4) | 0% (0) | 41% (51) | 29% (36) | 125
Fraud & Corruption Detection, Prevention & Management | 11% (14) | 10% (12) | 8% (10) | 2% (2) | 0% (0) | 1% (1) | 38% (47) | 31% (39) | 125
Global Trade Compliance/International Dealings | 14% (18) | 7% (9) | 2% (3) | 1% (1) | 0% (0) | 0% (0) | 42% (52) | 34% (42) | 125
Hotline/Helpline | 12% (15) | 12% (15) | 6% (8) | 2% (2) | 0% (0) | 0% (0) | 38% (47) | 30% (38) | 125
Information/IT Risk & Security | 8% (10) | 10% (13) | 9% (11) | 9% (11) | 2% (2) | 0% (0) | 36% (45) | 26% (33) | 125
Insurance and Claims Management | 11% (14) | 6% (8) | 2% (3) | 1% (1) | 2% (2) | 1% (1) | 41% (51) | 36% (45) | 125
Intellectual Property Management | 14% (17) | 8% (10) | 2% (2) | 0% (0) | 2% (2) | 0% (0) | 40% (50) | 35% (44) | 125
Issue and Investigations Management | 12% (15) | 8% (10) | 8% (10) | 2% (3) | 1% (1) | 0% (0) | 38% (47) | 31% (39) | 125
Matter Management | 14% (18) | 5% (6) | 2% (3) | 2% (2) | 0% (0) | 0% (0) | 39% (49) | 38% (47) | 125
Physical Security & Loss Management | 11% (14) | 8% (10) | 5% (6) | 2% (2) | 0% (0) | 0% (0) | 38% (48) | 36% (45) | 125
Policy Management, Communication, & Training | 10% (12) | 10% (13) | 9% (11) | 2% (2) | 0% (0) | 2% (2) | 37% (46) | 31% (39) | 125
Privacy Management | 10% (13) | 10% (12) | 5% (6) | 1% (1) | 0% (0) | 0% (0) | 41% (51) | 34% (42) | 125
Quality Management and Monitoring | 14% (18) | 5% (6) | 6% (8) | 3% (4) | 0% (0) | 0% (0) | 38% (47) | 34% (42) | 125
Reporting and Disclosure | 13% (16) | 4% (5) | 9% (11) | 2% (3) | 2% (2) | 1% (1) | 38% (47) | 32% (40) | 125
Risk Management | 9% (11) | 10% (12) | 10% (13) | 8% (10) | 2% (3) | 0% (0) | 32% (40) | 29% (36) | 125
Strategy, Performance, and Business Intelligence | 12% (15) | 6% (7) | 6% (8) | 2% (2) | 1% (1) | 1% (1) | 40% (49) | 33% (41) | 124
Third Party/Vendor Risk & Compliance | 11% (14) | 10% (12) | 3% (4) | 5% (6) | 1% (1) | 0% (0) | 38% (48) | 32% (40) | 125

Value | Count | Percent
Internet search | 58 | 46%
GRC software report | 83 | 66%
Intermediary (eg: accounting firm, insurance co, law firm etc) | 36 | 29%
GRC software advisor | 49 | 39%
Referral from a friend / colleague | 52 | 42%
Industry exhibition, web forum | 52 | 42%
Response to an advertisement | 9 | 7%
Other | 11 | 9%
Total Responses: 125

Value | Count | Percent
Brand name | 10 | 8%
Price | 57 | 46%
Customer service | 32 | 26%
They have a local office | 8 | 6%
They are a large, financially stable company | 21 | 17%
They specialize in my industry | 34 | 27%
Best functionality in the area I oversee | 55 | 44%
Ability to configure the software | 43 | 34%
Ease of use | 61 | 49%
Ability to integrate with existing ERP system | 27 | 22%
Mobile functionality | 3 | 2%
I can buy all the functionality/modules I need from the same provider | 15 | 12%
Total Responses: 125

Value | Count | Percent
Peer feedback and recommendations | 77 | 62%
Whitepapers | 61 | 49%
Datasheets (short, 2 page overview) | 25 | 20%
Webinars | 28 | 22%
Product Demos | 84 | 67%
Product Trials | 50 | 40%
2 minute overview videos | 7 | 6%
Blogs and other forms of social media | 4 | 3%
Community forums and websites | 23 | 18%
Total Responses: 125

Value | Count | Percent
Audit | 12 | 10%
Compliance | 8 | 7%
Finance | 25 | 22%
Information Technology | 22 | 19%
Legal | 3 | 3%
Risk Management | 24 | 21%
Other | 22 | 19%
Total Responses: 116

Value | Count | Percent
Audit | 11 | 9%
Compliance | 10 | 9%
Finance | 15 | 13%
Information Technology | 22 | 19%
Legal | 7 | 6%
Risk Management | 32 | 28%
Other | 19 | 16%
Total Responses: 116

Do you plan to spend more / same / less on GRC solutions in the following categories over the next 3 years?

Category | More | Same | Less | Don't Know | Responses
Audit and Assurance Management | 28% (32) | 24% (28) | 4% (5) | 44% (51) | 116
Board and Entity Management | 14% (16) | 20% (23) | 6% (7) | 60% (70) | 116
Brand and Reputation Management | 10% (12) | 18% (21) | 5% (6) | 66% (77) | 116
Business Continuity Management | 23% (27) | 16% (18) | 7% (8) | 54% (63) | 116
Compliance Management | 37% (43) | 13% (15) | 7% (8) | 43% (50) | 116
Contract Management | 20% (23) | 18% (21) | 6% (7) | 56% (65) | 116
Control Activity, Monitoring, and Assurance | 31% (36) | 11% (13) | 5% (6) | 53% (61) | 116
Corporate Social Responsibility | 10% (12) | 19% (22) | 6% (7) | 65% (75) | 116
Discovery/eDiscovery Management | 10% (12) | 17% (20) | 5% (6) | 67% (78) | 116
Environmental Monitoring and Reporting | 12% (14) | 16% (18) | 5% (6) | 67% (78) | 116
Environmental, Health, and Safety | 11% (13) | 18% (21) | 5% (6) | 66% (76) | 116
Finance/Treasury Risk Management | 16% (18) | 22% (26) | 7% (8) | 55% (64) | 116
Fraud & Corruption Detection, Prevention & Management | 28% (32) | 17% (20) | 5% (6) | 50% (58) | 116
Global Trade Compliance/International Dealings | 9% (11) | 16% (19) | 7% (8) | 67% (78) | 116
Hotline/Helpline | 10% (12) | 22% (25) | 6% (7) | 62% (72) | 116
Information/IT Risk & Security | 34% (39) | 15% (17) | 5% (6) | 47% (54) | 116
Insurance and Claims Management | 9% (11) | 22% (25) | 7% (8) | 62% (72) | 116
Intellectual Property Management | 8% (9) | 19% (22) | 9% (10) | 65% (75) | 116
Issue and Investigations Management | 18% (21) | 19% (22) | 7% (8) | 56% (65) | 116
Matter Management | 9% (11) | 17% (20) | 7% (8) | 66% (77) | 116
Physical Security & Loss Management | 10% (12) | 22% (25) | 5% (6) | 63% (73) | 116
Policy Management, Communication, & Training | 32% (37) | 15% (17) | 6% (7) | 47% (55) | 116
Privacy Management | 16% (18) | 21% (24) | 5% (6) | 59% (68) | 116
Quality Management and Monitoring | 17% (20) | 17% (20) | 6% (7) | 59% (69) | 116
Reporting and Disclosure | 17% (20) | 21% (24) | 6% (7) | 56% (65) | 116
Risk Management | 35% (41) | 17% (20) | 7% (8) | 41% (47) | 116
Strategy, Performance, and Business Intelligence | 22% (26) | 20% (23) | 5% (6) | 53% (61) | 116
Third Party/Vendor Risk & Compliance | 28% (32) | 15% (17) | 5% (6) | 53% (61) | 116

Value | Count | Percent
Same as last year | 21 | 18%
Increase of up to 10% | 24 | 21%
Increase of 10% to 25% | 20 | 17%
Increase of greater than 25% | 17 | 15%
Decrease of up to 10% | 5 | 4%
Decrease of 10% to 25% | 5 | 4%
Decrease of greater than 25% | 4 | 3%
Don't Know | 20 | 17%
Total Responses: 116

Value | Count | Percent
Strongly Agree | 9 | 8%
Somewhat Agree | 44 | 38%
Somewhat Disagree | 27 | 23%
Strongly Disagree | 29 | 25%
Don't Know | 7 | 6%
Total Responses: 116

Value | Count | Percent
In the official IT budget | 23 | 20%
In the GRC budgets | 19 | 16%
In the business functions (sales & marketing, HR, product development, finance, etc.) | 16 | 14%
Split between the IT, GRC and/or business budgets | 27 | 23%
My organization has not budgeted resources for any GRC enabling technology for 2014 | 17 | 15%
Don't Know | 14 | 12%
Total Responses: 116

Value | Count | Percent
Strongly Agree | 8 | 7%
Somewhat Agree | 36 | 31%
Somewhat Disagree | 35 | 30%
Strongly Disagree | 29 | 25%
Don't Know | 8 | 7%
Total Responses: 116

Value | Count | Percent
Enterprise | 51 | 44%
Multiple departments | 41 | 35%
Single Department | 12 | 10%
Group/Issue | 3 | 3%
Don't Know | 9 | 8%
Total Responses: 116


www.OCEG.org

4835 E. Cactus Road, Suite 225

Scottsdale, Arizona 85254

United States of America

[email protected]

@OCEG

+1 (602) 234-9278

Contact us