2016 GRC Technology Strategy




An OCEG Benchmark on the Use of GRC Technology within Organizations

2016 GRC Technology Strategy

Findings of the 2016 OCEG GRC Technology Strategy Survey

About OCEG...

OCEG is a global, nonprofit think tank and community. We invented GRC. We inform, empower and help advance more than 50,000 members on governance, risk management, and compliance (GRC). Independent of specific professions, we provide content, best practices, education, and certifications to drive leadership and business strategy through the application of the OCEG GRC Capability Model and Principled Performance. An OCEG differentiator, Principled Performance enables the reliable achievement of objectives while addressing uncertainty and acting with integrity. Our members include c-suite, executive, management, and other professionals from small and midsize businesses, international corporations, nonprofits, and government agencies. We assist them and their organizations in developing and implementing GRC capabilities that enable Principled Performance by providing authoritative resources for integrating the governance, assurance and management of performance, risk and compliance.

The OCEG 2016 GRC Technology Strategy Survey was designed and analyzed by GRC 20/20 Research...

GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and analysis. We provide independent and objective insight into leading GRC practices and processes, including market dynamics and intelligence; risk, regulatory and technology trends; competitive landscapes; market sizing; expenditure priorities; and mergers and acquisitions. For more information go to www.grc2020.com or contact GRC 20/20 at info@grc2020.com.

For more information visit http://www.oceg.org or contact us at info@oceg.

A Word From Our Survey Sponsors...

The 2016 OCEG GRC Technology Strategy Survey is made possible through the support of the entire OCEG GRC Solutions Council and the following survey sponsor members:

MetricStream GRC solutions strengthen risk management, regulatory compliance, and quality management while driving business performance.

"OCEG's Survey clearly shows that GRC is past the tipping point with a majority of organizations (73%) firmly on the road to integrated GRC. We too see accelerated adoption of integrated GRC architectures - organizations are seeking agile GRC technology that makes GRC simple, and provides the analytics and agility needed to achieve superior business performance."
Yo Delmar, VP GRC

SAP GRC solutions enable organizations to navigate risk and manage controls and compliance confidently in the context of business strategy and performance.

"Once again, OCEG is providing meaningful data that make the business case for improving GRC capabilities. The finding that the top two objectives in acquiring new GRC technology are to increase GRC related analytics and visibility and to improve consistency of GRC information is key. This indicates understanding that a strong information architecture that enables better data integrity and consistency is essential; a view that SAP shares and supports."
Bruce McCuaig, Director GRC

Workiva Wdesk gives organizations the flexibility to identify and adapt to changing internal control, risk, and compliance management needs.

"The OCEG GRC Technology Survey is the must read guide for GRC practitioners. This survey provides a comprehensive perspective on the diverse use of GRC technology, the continued reliance on spreadsheets, documents and emails, and the importance of ease of use and SaaS for future technology investments."
Mike Rost, Vice President

Preface

If you've taken the time to read this survey, it's likely you have a certain level of interest in governance, risk management, and compliance (GRC). There's no shortage of information on the subject. An Internet search will throw up all sorts of tips, views and best practices designed to help those responsible for these areas. OCEG is the framework body for GRC. We advocate Principled Performance and the role of GRC to enable organizations to reliably achieve objectives while addressing uncertainty and acting with integrity. This OCEG survey is focused on GRC technology strategy: understanding how organizations use GRC technology in their current state, and where GRC technology architecture is headed in their planned future state. At OCEG we want to see that GRC becomes part of your organization's DNA through the proper implementation and use of GRC technology.

Contents

INTRODUCTION: GRC Technology Impacts GRC Maturity
CURRENT STATE OF GRC TECHNOLOGY: How Organizations Currently Use GRC Technology
FUTURE STATE OF GRC TECHNOLOGY: How Organizations Plan to Use GRC Technology
GRC SOLUTION AREA FOCUS: Look at Types of GRC Technology Use & Strategy
SURVEY DEMOGRAPHICS & RELATED RESOURCES: Survey Demographics, OCEG Resources, OCEG GRC Solution Council Members

We hope this survey report provides you with some valuable insights.

INTRODUCTION: GRC Technology Strategy Impacts Maturity

Governance, risk management, and compliance (GRC) is something every organization does, though not all do it well. Every organization has some approach to governing the organization, managing risk, and approaching compliance. It does not matter if an organization uses the label GRC; the simple truth is every organization does GRC in some form. Some organizations have mature and structured processes and reporting on GRC that bring together an integrated and orchestrated view of GRC processes and information. Other organizations have fragmented approaches where some aspects of GRC are more mature than others but fail to have an overall coordinated strategy.

The use of technology for GRC depends on organization strategy. Some organizations look to develop an enterprise technology architecture (or platform) for GRC. Other organizations lack a coordinated strategy and have different departments going in different directions. Whether at an enterprise level or a department, GRC maturity depends on how well GRC processes, information, and technology enable the organization to be efficient, effective and agile to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].

The proper selection and use of GRC technology is a primary factor in measuring GRC maturity within organizations. From one perspective, we all use technology in GRC. GRC technology is commonly understood to range from the low end of using documents, spreadsheets, and email to manage GRC information, processes and reporting to the high end of a federated GRC architecture that integrates information and technology from across the enterprise in an ecosystem of GRC processes and information. There is a wide range of approaches in between.

OCEG's 2016 GRC Technology Strategy Survey takes aim at understanding organizations' current use, planned future use, strategy, and satisfaction with their use of technology to support GRC within their organizations.

Michael Rasmussen
OCEG Fellow & Co-Chair of OCEG GRC Solutions Council
The GRC Pundit @ GRC 20/20 Research, LLC

5 Key Takeaways from the 2016 OCEG GRC Technology Strategy Survey

1. GRC strategies involve more departments and are often an enterprise level decision for many organizations.
2. Medium-sized organizations (1,001 to 10,000 employees) are the most likely to adopt new GRC platforms as they have been underserved.
3. Ease of use grows as the #1 factor organizations are looking for in GRC technology as the complexity of legacy solutions has burdened them.
4. GRC & risk analytics together are the GRC technology that is most needed by organizations across the board.
5. GRC budgets are increasing in the majority of organizations, while only 5% of respondents state they are decreasing.

Current State of GRC Technology

Current Level of GRC Integration

Of the 290 survey respondents from organizations implementing GRC strategies, 14% stated they were well along their way to being substantially or fully integrated, 21% were partially integrated, and 38% were just beginning their GRC journey of being somewhat standardized. Together, this means that 73% of organizations have embarked on the road of GRC with only 27% of respondents indicating they remain largely siloed with no enterprise or cross-department collaboration on areas of GRC in their organization. This shows that nearly three-quarters of organizations responding to this survey have some strategy in place to align, integrate, and collaborate on GRC across departments.

Chart: GRC Integration
Substantially to Fully Integrated (14%): We have integrated processes and technology across many or all organizational silos of operation.
Partially Integrated (21%): We have integrated processes across many organizational silos, but we have not yet completely addressed integrating technology that supports these processes.
Somewhat Standardized (38%): We have standardized some processes and use of technology but not across the entire enterprise.
Siloed (27%): Our processes and technologies remain largely siloed.

Current Level of GRC Integration, Comparison by Organization Size

When you look at the level of GRC integration results by the size of organizations it reveals that the medium-sized organizations are the most siloed and in need of integration. Smaller organizations tend to have less to integrate and their needs are simpler. Large organizations have had the most focus on GRC integration and represented the largest segment of integrated to partially integrated. It is the medium-sized organizations that have grown beyond the simpler needs of their smaller counterparts and mirror proportionally the complexity of large organizations that have the most work to do in GRC integration.

Chart (Integrated / Partially Integrated / Somewhat Standardized / Siloed):
All Organizations: 14% / 21% / 38% / 27%
Small Organizations (1 to 1,000 Employees): 15% / 15% / 45% / 25%
Medium Organizations (1,001 to 10,000 Employees): 8% / 25% / 33% / 34%
Large Organizations (10,001+ Employees): 20% / 22% / 38% / 20%

Current Alignment & Utilization of Technology for GRC

While 73% of organizations indicate they have some collaboration and integration on GRC across departments, the current state of GRC technology alignment and utilization is moderate with a lot of room for improvement. Only 28% of organizations describe their alignment of GRC technology in positive terms (excellent or good), with 42% stating fair (or neutral), and 30% indicating it is poor. The same goes for utilization of GRC technology, with 35% indicating positive terms (excellent or good), 38% fair/neutral, and 27% stating it is poor. However, given that the predominant technology used for GRC in many organizations is documents, spreadsheets and emails, it becomes clear why so many respond with fair or poor technology utilization and alignment.

Chart (Excellent / Good / Fair / Poor):
Organization level of alignment of technology with GRC needs: 4% / 24% / 42% / 30%
Utilization of existing technology for GRC: 14% / 21% / 38% / 27%

Use of GRC Technology

Organizations approach GRC technology in different ways. Some organizations (16%) try to do everything GRC related with one single GRC platform. This works for some organizations, but others see the need for best of breed solutions (27%) that remain loosely integrated, with no one solution being the core. In between the single GRC platform and best of breed approach are organizations that have best of breed solutions but a single core GRC solution that brings everything together (12%). This allows for greater flexibility in focused solutions while still providing a core for overall GRC reporting. Other organizations focus on disconnected department solutions (10%), while many state they have no GRC technology in place or are unsure. These organizations are the ones most likely using a maze of documents, spreadsheets, and emails.

Chart: GRC Software
Single GRC Platform (16%): We have one GRC solution for the entire organization.
GRC Architecture (12%): We have a core GRC solution that integrates with multiple best of breed solutions for GRC.
Best of Breed (27%): We have multiple best of breed GRC solutions that we use across the organization, but none is a central core for GRC.
Department Silos (10%): We have a GRC solution in my department but I am unaware of what other departments are doing.
No GRC Solution/Unsure (35%): We do not have any GRC solutions being used in our organization.

Use of GRC Technology, Comparison by Organization Size

The use of GRC technology varies by organization size. Smaller organizations indicate a greater propensity toward best of breed or department siloed solutions. Medium-sized organizations have a greater focus on a single GRC platform and best of breed solutions. Large enterprises have the greatest focus on a GRC architecture where there is a single platform at the core that is supported by best of breed solutions where they make sense. It is in small to medium-sized organizations where there is no GRC technology implemented and the greatest opportunity for implementation.

Chart (Single Platform / GRC Architecture / Best of Breed / Department Silos / No or Unsure):
All Organizations: 16% / 12% / 27% / 10% / 35%
Small Organizations (1 to 1,000 Employees): 7% / 6% / 29% / 16% / 42%
Medium Organizations (1,001 to 10,000 Employees): 19% / 4% / 23% / 8% / 46%
Large Organizations (10,001+ Employees): 19% / 23% / 30% / 9% / 19%

Future State of GRC Technology

GRC Platform Strategy Going Forward

Looking to the future, organizations state they have a greater propensity to focus on a GRC architecture (37%) with a core platform for enterprise GRC reporting and management that is supported by best of breed solutions where they make sense. A strong percentage of organizations (33%) state they will focus on a single centralized GRC platform for the entire organization. What is really interesting is that only 13% of respondents indicated that they want a best of breed non-integrated approach to GRC. In contrast, 70% of organizations (33% single platform and 37% GRC architecture) state that they have a strategy going forward for GRC integration.

Chart: Does your organization prefer a single GRC solution or do you prefer to purchase best of breed solutions for specific needs and departments?
A federated "GRC Platform" for certain categories and "best of breed" solutions in others: 37%
A centralized "GRC Platform" for the entire enterprise across all relevant categories to your business: 33%
A distributed range of "best of breed" solutions in different categories that operate independently of each other: 13%
Unsure: 17%

Preference of SaaS or Traditional Software for GRC

The acceptance of SaaS (Cloud) GRC implementations has grown strongly over the past several years. Of the 290 respondents, 31% prefer SaaS while 39% prefer a traditional on-premise implementation. However, when you filter the respondents by those that indicate they are leading their organization's GRC strategy, the preference for SaaS grows to 45%. This means that the GRC technology decision maker has a strong GRC SaaS implementation preference.

GRC Technology Expansion Strategy

In context of expanding GRC technology, a majority of organizations indicate that they are first looking to expand on their existing GRC solutions (52%) followed by those purchasing new GRC solutions (24%). This is often the case when organizations already have a strong investment in a GRC platform and are looking to build out its capabilities further with the expansion into new areas of GRC in the organization that need attention. This is the case for those that rely on old technology or are encumbered by manual processes and a maze of documents, spreadsheets, and emails.

Chart: How would you characterize your organization's strategy for procuring technology solutions for GRC?
Expanding Use of Existing GRC Solutions: 52%
Purchasing New GRC Solutions: 24%
In-House Development: 12%
Unsure: 12%

Top 8 Objectives in Acquiring New GRC Technology

The top two objectives of organizations in acquiring new GRC technology are to increase GRC related analytics and visibility and to improve consistency of GRC information. These two objectives rank significantly higher than the other factors organizations scored. Interestingly, these two are related. To have good analytics requires a solid information architecture with strong data integrity and consistency. Organizations have been plagued by data integrity and consistency problems for GRC, particularly when done in spreadsheets, documents, and emails. Some organizations have reported to GRC 20/20 as much as 80% of FTE staff time doing nothing more than manual reconciliation and report building from documents, spreadsheets, and emails.

Chart:
57% Increase GRC Analytics & Visibility
51% Improve Consistency of GRC Information
38% Reduce GRC Complexity
37% Regulatory Compliance Requirements
36% Reduce Risk in the Organization
33% Improve Performance in the Organization
27% Lower or Avoid GRC Costs
15% Increase Reliability of GRC

Top 8 Criteria in New GRC Purchases

When it comes to top criteria for new GRC purchases, organizations are looking for ease of use (53%). Many legacy GRC implementations have been plagued with complexity, bespoke build outs, broken upgrades, and poor user experience. It is logical to see that ease of use has become the number one concern and criterion when evaluating new GRC solutions. This has grown over the past four years. This same survey in 2012 had ease of use (45%) listed second after price (53%). The 2014 survey had ease of use (49%) displace price (46%) for the number one criterion. Now in 2016 this gap grows further with ease of use being 53% and price dropping to 41%.

Chart:
53% Ease of Use
41% Price
40% Functionality
39% Configurability
26% Industry Focus
23% Customer Service
21% Integration Capabilities
16% Company Stability/Viability

Organization Alignment on GRC Technology Initiatives Going Forward

Organization alignment on GRC technology initiatives going forward is improving dramatically. A total of 54% of organizations report that they agree (somewhat to strongly agree) that they have sufficient organizational alignment to produce action on new GRC technology initiatives. This is interesting when you compare it with the responses discussed earlier, where current GRC technology alignment was only 28%. This shows significant change from current technology alignment to future technology alignment going forward: a shift from 28% in the current environment to 54% for future decisions and collaboration on GRC technology across the organization.

Chart: We have sufficient organizational alignment to produce action on GRC technology initiatives
Strongly Agree: 11%
Somewhat Agree: 43%
Somewhat Disagree: 30%
Strongly Disagree: 14%
Unsure: 2%

Who is Making Future GRC Technology Decisions

With the increased organizational alignment on future GRC technology spending comes shared responsibility in making purchase decisions on GRC technology. For 47% of respondents, purchasing new GRC technology is an enterprise-wide decision across GRC related roles and departments. Considering that another 35% of respondents state this is a multi-department decision, but not quite full enterprise, this brings the figure up to 82% indicating that GRC technology spending involves multiple parts of the organization.

Chart: Is the decision to purchase made at an enterprise level, multiple departments working together, single department, or group/issue level?
Enterprise: 47%
Multiple Departments: 35%
Group/Issue Level, Single Department and Unsure account for the remaining segments of 9%, 2% and 7%.

Where Does Enterprise GRC Budget Come From

The budget for GRC technology purchases varies by organizations responding to the survey. The largest segment (24%) indicates it is a shared budget split between IT, GRC groups, and the business. Next (18%), respondents indicated it was from purely the IT budget. A smaller segment indicated that they have a specific GRC budget (12%) that new technology purchases come from, which is the same amount (12%) that indicated that it is business budgets.

Chart (question as printed): Does your organization prefer a single GRC solution or do you prefer to purchase best of breed solutions for specific needs and departments?
Split between the IT, GRC and/or business budgets: 24%
In the official IT budget: 18%
In a GRC budget: 12%
In business budgets (e.g., HR, finance): 12%
"My organization has not budgeted resources for any GRC enabling technology for 2016" and Unsure account for the remaining segments of 21% and 13%.

GRC Budgets Increasing in 2016

What is particularly interesting is the strong growth in GRC budgets for 2016. A total of 55% of respondents indicate that GRC budgets are increasing, while only 5% indicate that GRC budgets are decreasing. This shows that organizations continue to make a strong and expanding investment of GRC related technology now and into the future.

Chart: Do you see overall GRC spending (on all aspects, not just technology) in 2016 increasing or decreasing in your organization?
GRC Spending Increase (25%+, 10% to 25%, up to 10%): segments of 19%, 19% and 17%
GRC Spending Decrease (25%+, 10% to 25%, up to 10%): segments of 3%, 1% and 1%
Spending Staying Same as Last Year: 19%
Unsure: 21%

What Areas of GRC Technology are Organizations Buying

For 2016, organizations (across all sizes) indicate that their greatest focus on GRC technology investment is in risk management and analytics. Respondents were given seventeen categories to choose from and the top eight are represented in the chart on this page. Risk management is growing within organizations and many are moving beyond simple heat maps and stop light diagrams of risk to provide deeper analytics and risk management capabilities that align to business objectives and performance.

Chart:
42% Risk Management & Analytics
37% Compliance Management
36% Audit Management & Analytics
35% Enterprise GRC Platforms
30% IT GRC Management
25% Policy Management
24% Business Continuity Management
22% Internal Control Management

Top 8 Spending Increases in Large Organizations

For large organizations (those over 10,000 employees), the top area of GRC technology spending is in compliance management. This is indicative of the complex array of global regulations and compliance mandates that large organizations have to deal with. These organizations also show a higher propensity to purchase IT GRC management, followed by risk management/analytics, and control automation and enforcement.

Chart:
64% Compliance Management
59% IT GRC Management
58% Risk Management & Analytics
58% Automated Control Monitoring & Enforcement
58% Quality Management
56% Enterprise GRC Platforms
53% Business Continuity Management
52% Policy & Training Management

Top 8 Spending Increases in Medium Organizations

Mid-sized organizations (1,000 to 10,000 employees) show the greatest interest in purchasing enterprise GRC platforms going forward. The mid-market for enterprise GRC solutions is opening up as they follow the large organizations that have focused on enterprise GRC over the last decade. A strong second to enterprise GRC is the focus on risk management and analytic solutions within mid-sized organizations.

Chart:
71% Enterprise GRC Platforms
68% Risk Management & Analytics
57% IT GRC Management
52% Audit Management & Analytics
51% Compliance Management
51% Strategy & Performance Management
49% Policy & Training Management
44% Automated Control Monitoring & Enforcement

Top 8 Spending Increases in Small Organizations

Small organizations (those under 1,000 employees) show the greatest focus in spending on risk management and analytics as well as strategy and performance management solutions. These two areas show a natural relationship in many small organizations where risk management and strategy/performance management are run out of the finance department. It is only logical that they look at risk and performance closely together, and this shows the strong relationship each has on the other.

Chart:
62% Risk Management & Analytics
56% Strategy & Performance Management
54% Compliance Management
53% Enterprise GRC Platforms
50% IT GRC Management
48% Issue Reporting & Management
45% Policy & Training Management
44% Quality Management

GRC Solution Area Focus

Enterprise GRC Platforms

Enterprise GRC delivers a range of cross-department functionality across GRC functional areas into an integrated technology ecosystem. For some this is a single GRC platform for the entire organization. For others it is an integrated architecture in which there can be a core platform that often extends and integrates into a range of other solutions and data sources. To be an Enterprise GRC Platform requires a single platform architecture that has multi-department (e.g., enterprise wide) use across the following areas, at a minimum:

Enterprise/Operational Risk Management
Compliance Management
Internal Control Management
Issue Management (e.g., incident, case, investigations)

NOTE: most Enterprise GRC Platforms offer a range of additional modules beyond these.

Chart (all organizations, then Small / Medium / Large Organizations):
Spreadsheets, Documents & Emails: 45% (53% / 51% / 35%)
Solution Built & Supported by IT: 11% (15% / 9% / 12%)
1 Commercial Solution in this Area: 25% (11% / 26% / 33%)
2+ Commercial Solutions in this Area: 9% (6% / 4% / 17%)

Enterprise GRC Platforms

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 61% Spending More, 32% Same, 7% Spending Less
Small Organizations: 53% Spending More, 44% Same, 3% Spending Less, 3% Unsure
Medium Organizations: 71% Spending More, 27% Same, 2% Spending Less
Large Organizations: 56% Spending More, 28% Same, 16% Spending Less

Audit Management & Analytics

Audit Management & Analytic technologies are used by auditors to manage and perform audits. Audit management solutions are used to manage audit cycles; this includes audit planning, resource scheduling/calendaring, work paper management, audit execution, audit process management, and audit reporting. They also support a risk-based approach to audit planning to prioritize audits based on the risk to the business. Audit analytic solutions utilize data analytics and continuous auditing (automated control enforcement & monitoring) to extract insights from operational and financial data to assist in audits and provide assurance.

Spreadsheets, Documents & Emails: 41% overall (55% in Small Organizations, 46% in Medium Organizations, 28% in Large Organizations)
Solution Built & Supported by IT: 14% overall (13% in Small Organizations, 17% in Medium Organizations, 11% in Large Organizations)
1 Commercial Solution in this Area: 38% overall (13% in Small Organizations, 43% in Medium Organizations, 52% in Large Organizations)
2+ Commercial Solutions in this Area: 10% overall (6% in Small Organizations, 8% in Medium Organizations, 17% in Large Organizations)

Audit Management & Analytics

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 46% Spending More, 48% Same, 6% Spending Less
Small Organizations: 39% Spending More, 57% Same, 4% Spending Less, 3% Unsure
Medium Organizations: 52% Spending More, 44% Same, 4% Spending Less
Large Organizations: 45% Spending More, 48% Same, 7% Spending Less

Automated Control Enforcement & Monitoring

Automated Control Enforcement & Monitoring technologies provide the capability to automatically and continuously monitor, enforce, test, assess, and report on controls within the organization. This category of software is also often referred to as Continuous Control Monitoring (CCM) or Automated Controls. This includes the capability to test, on a continuing or periodic basis, data and activity against defined rules to identify and report potential errors, the failure of controls, or inappropriate actions including tests of business transactions, network activity, intrusion attempts, the sharing of confidential information or intellectual property, systems access, etc. Also included in this area is the ability to do GRC data analytics, monitoring, and mining. Automated control solutions include: transaction, configuration, fraud, AML, segregation of duties, master data, identity & access, process, end-user computing application, and social media control solutions.

Spreadsheets, Documents & Emails: 29% overall (33% in Small Organizations, 33% in Medium Organizations, 23% in Large Organizations)
Solution Built & Supported by IT: 18% overall (18% in Small Organizations, 22% in Medium Organizations, 15% in Large Organizations)
1 Commercial Solution in this Area: 17% overall (7% in Small Organizations, 17% in Medium Organizations, 23% in Large Organizations)
2+ Commercial Solutions in this Area: 8% overall (6% in Small Organizations, 5% in Medium Organizations, 12% in Large Organizations)

Automated Control Enforcement & Monitoring

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 48% Spending More, 46% Same, 6% Spending Less
Small Organizations: 39% Spending More, 57% Same, 4% Spending Less, 3% Unsure
Medium Organizations: 44% Spending More, 53% Same, 3% Spending Less
Large Organizations: 58% Spending More, 33% Same, 9% Spending Less

Business Continuity Management

Business Continuity Management technologies model, record and direct the responsibilities, plans, actions and execution of continuity and disaster plans, testing of operating procedures, alternatives, information back-ups, data recovery and restoration processes during expected and unexpected disruptions to all areas of operation.

Spreadsheets, Documents & Emails: 54% overall (55% in Small Organizations, 57% in Medium Organizations, 49% in Large Organizations)
Solution Built & Supported by IT: 17% overall (16% in Small Organizations, 18% in Medium Organizations, 16% in Large Organizations)
1 Commercial Solution in this Area: 16% overall (7% in Small Organizations, 19% in Medium Organizations, 21% in Large Organizations)
2+ Commercial Solutions in this Area: 4% overall (2% in Small Organizations, 4% in Medium Organizations, 5% in Large Organizations)

Business Continuity Management

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 45% Spending More, 48% Same, 7% Spending Less
Small Organizations: 42% Spending More, 52% Same, 6% Spending Less, 3% Unsure
Medium Organizations: 41% Spending More, 56% Same, 3% Spending Less
Large Organizations: 53% Spending More, 35% Same, 12% Spending Less

Compliance Management

Compliance Management technologies support the overall coordination of legal, regulatory, contractual, values, ethics, and corporate obligations and responsibilities with associated compliance documentation, assessments, tasks, and records. This includes the ability to monitor, document, and manage changes to the regulatory environment and other obligations; to document all obligations of the organization; to perform compliance assessments against obligations; manage regulator and stakeholder interactions on compliance; and report on the state of compliance to regulators and stakeholders.

Spreadsheets, Documents & Emails: 52% overall (58% in Small Organizations, 53% in Medium Organizations, 42% in Large Organizations)
Solution Built & Supported by IT: 20% overall (20% in Small Organizations, 21% in Medium Organizations, 18% in Large Organizations)
1 Commercial Solution in this Area: 28% overall (22% in Small Organizations, 25% in Medium Organizations, 35% in Large Organizations)
2+ Commercial Solutions in this Area: 8% overall (6% in Small Organizations, 1% in Medium Organizations, 17% in Large Organizations)

Compliance Management

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 56% Spending More, 36% Same, 7% Spending Less
Small Organizations: 54% Spending More, 41% Same, 5% Spending Less, 3% Unsure
Medium Organizations: 51% Spending More, 44% Same, 5% Spending Less
Large Organizations: 64% Spending More, 25% Same, 11% Spending Less

Environmental Management

Environmental Management technologies help monitor, analyze, record, and report organizational activity focused on compliance with environmental laws and regulations, related corporate policy related to managing environmental controls and conditions, and assessing the environmental impact of the corporation's operations, strategies, and plans.

Spreadsheets, Documents & Emails: 31% overall (24% in Small Organizations, 33% in Medium Organizations, 34% in Large Organizations)
Solution Built & Supported by IT: 11% overall (4% in Small Organizations, 15% in Medium Organizations, 12% in Large Organizations)
1 Commercial Solution in this Area: 11% overall (6% in Small Organizations, 11% in Medium Organizations, 16% in Large Organizations)
2+ Commercial Solutions in this Area: 2% overall (2% in Small Organizations, 1% in Medium Organizations, 4% in Large Organizations)

Environmental Management

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 31% Spending More, 62% Same, 7% Spending Less
Small Organizations: 23% Spending More, 73% Same, 4% Spending Less, 3% Unsure
Medium Organizations: 30% Spending More, 67% Same, 3% Spending Less
Large Organizations: 43% Spending More, 43% Same, 14% Spending Less

Health & Safety Management

Health & Safety Management technologies manage the regulatory and policy-based guidelines and processes for protecting and reporting on the workforce, workplace, resources-under-management and external environment impacted by an organization's activities.

Spreadsheets, Documents & Emails: 32% overall (31% in Small Organizations, 38% in Medium Organizations, 28% in Large Organizations)
Solution Built & Supported by IT: 15% overall (7% in Small Organizations, 15% in Medium Organizations, 20% in Large Organizations)
1 Commercial Solution in this Area: 16% overall (13% in Small Organizations, 15% in Medium Organizations, 18% in Large Organizations)
2+ Commercial Solutions in this Area: 4% overall (2% in Small Organizations, 1% in Medium Organizations, 8% in Large Organizations)

Health & Safety Management

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 37% Spending More, 51% Same, 12% Spending Less
Small Organizations: 33% Spending More, 50% Same, 17% Spending Less, 3% Unsure
Medium Organizations: 32% Spending More, 57% Same, 11% Spending Less
Large Organizations: 45% Spending More, 45% Same, 10% Spending Less

Internal Control Management

Internal Control Management technologies provide the ability to define, document, map, monitor, test, assess, and report on controls within the organization, including process and systems documentation. These solutions document internal controls, provide control assessments/self-assessments, and manage this through workflow, tasks, and reporting.

Spreadsheets, Documents & Emails: 49% overall (56% in Small Organizations, 56% in Medium Organizations, 36% in Large Organizations)
Solution Built & Supported by IT: 17% overall (16% in Small Organizations, 19% in Medium Organizations, 17% in Large Organizations)
1 Commercial Solution in this Area: 27% overall (20% in Small Organizations, 28% in Medium Organizations, 30% in Large Organizations)
2+ Commercial Solutions in this Area: 7% overall (7% in Small Organizations, 4% in Medium Organizations, 10% in Large Organizations)

Internal Control Management

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 45% Spending More, 49% Same, 6% Spending Less
Small Organizations: 40% Spending More, 53% Same, 7% Spending Less, 3% Unsure
Medium Organizations: 44% Spending More, 51% Same, 5% Spending Less
Large Organizations: 51% Spending More, 41% Same, 8% Spending Less

Issue Reporting & Management

Issue Reporting & Management technologies provide issue intake and investigations management. Issue reporting solutions (e.g. hotline, whistleblower) provide a confidential, independent resource for individuals to report observations related to issues as well as potential acts of fraud, theft, inappropriate or illegal behavior, negligence or other impropriety. Investigations management solutions are used to manage investigations, issues, incidents, events, or cases: they specifically provide consistent documentation and processes for the management of events from reporting, to managing and documenting the investigation, to recording the loss and business impact.

Spreadsheets, Documents & Emails: 46% overall (48% in Small Organizations, 51% in Medium Organizations, 39% in Large Organizations)
Solution Built & Supported by IT: 20% overall (13% in Small Organizations, 18% in Medium Organizations, 27% in Large Organizations)
1 Commercial Solution in this Area: 34% overall (30% in Small Organizations, 35% in Medium Organizations, 35% in Large Organizations)
2+ Commercial Solutions in this Area: 9% overall (4% in Small Organizations, 8% in Medium Organizations, 15% in Large Organizations)

Issue Reporting & Management

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 47% Spending More, 47% Same, 6% Spending Less
Small Organizations: 48% Spending More, 45% Same, 7% Spending Less, 3% Unsure
Medium Organizations: 44% Spending More, 49% Same, 6% Spending Less
Large Organizations: 48% Spending More, 45% Same, 7% Spending Less

IT GRC Management

IT GRC Management technologies are used to govern and direct information and technology (IT) strategies in the context of business. The governance function of IT is the alignment, strategy, and direction of IT to support the business. A core component of IT GRC Solutions is the ability to manage and monitor security, risk, and compliance across IT systems throughout the organization and across significant business relationships.

Spreadsheets, Documents & Emails: 37% overall (43% in Small Organizations, 40% in Medium Organizations, 32% in Large Organizations)
Solution Built & Supported by IT: 17% overall (16% in Small Organizations, 17% in Medium Organizations, 18% in Large Organizations)
1 Commercial Solution in this Area: 31% overall (22% in Small Organizations, 34% in Medium Organizations, 36% in Large Organizations)
2+ Commercial Solutions in this Area: 5% overall (4% in Small Organizations, 1% in Medium Organizations, 9% in Large Organizations)

IT GRC Management

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 56% Spending More, 39% Same, 5% Spending Less
Small Organizations: 50% Spending More, 43% Same, 7% Spending Less, 3% Unsure
Medium Organizations: 57% Spending More, 38% Same, 5% Spending Less
Large Organizations: 59% Spending More, 36% Same, 5% Spending Less

Legal Management

Legal Management technologies administer the collection of facts related to events and legal cases under investigation, for use in verifying their circumstances, in order to provide valid information for testing by independent parties with the confidence that the information provided is related to these events. Discovery tools assist in managing and communicating discovery holds and uncovering, segmenting, organizing and storing electronic forms of evidence that can be used in an investigation, both before and after the occurrence of the related events, including tools that separate potential discovery documents from their original locations and repositories. This category of technology also includes systems for retention management that integrate with content/document systems to manage the storage, disposition, and retention of information.

Spreadsheets, Documents & Emails: 44% overall (54% in Small Organizations, 51% in Medium Organizations, 29% in Large Organizations)
Solution Built & Supported by IT: 14% overall (7% in Small Organizations, 16% in Medium Organizations, 16% in Large Organizations)
1 Commercial Solution in this Area: 15% overall (9% in Small Organizations, 13% in Medium Organizations, 20% in Large Organizations)
2+ Commercial Solutions in this Area: 6% overall (6% in Small Organizations, 5% in Medium Organizations, 7% in Large Organizations)

Legal Management

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 31% Spending More, 62% Same, 7% Spending Less
Small Organizations: 16% Spending More, 76% Same, 8% Spending Less, 3% Unsure
Medium Organizations: 30% Spending More, 67% Same, 3% Spending Less
Large Organizations: 48% Spending More, 39% Same, 13% Spending Less

Physical Security Management

Physical Security Management technologies enhance physical asset and individual protection, and the authorization and monitoring of access to an organization's facilities and property. This category of technology also includes systems to manage physical loss and theft.

Spreadsheets, Documents & Emails: 37% overall (43% in Small Organizations, 43% in Medium Organizations, 27% in Large Organizations)
Solution Built & Supported by IT: 16% overall (13% in Small Organizations, 12% in Medium Organizations, 21% in Large Organizations)
1 Commercial Solution in this Area: 16% overall (13% in Small Organizations, 20% in Medium Organizations, 13% in Large Organizations)
2+ Commercial Solutions in this Area: 7% overall (6% in Small Organizations, 7% in Medium Organizations, 8% in Large Organizations)

Physical Security Management

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 34% Spending More, 58% Same, 8% Spending Less
Small Organizations: 25% Spending More, 68% Same, 7% Spending Less, 3% Unsure
Medium Organizations: 39% Spending More, 58% Same, 3% Spending Less
Large Organizations: 40% Spending More, 45% Same, 15% Spending Less

Policy & Training Management

Policy & Training Management technologies manage the development, approval, distribution, communication, forms, maintenance, and records of organization policies, standards, procedures, guidelines and related training and communication awareness activities. This includes solutions used to train employees and extended business relationships on policy and risk areas. Elements of gamification, elearning, learning management, document/content management are part of this segment from a GRC perspective. Forms and disclosure management solutions (e.g., conflict of interest, gifts & entertainment/hospitality) are included in this segment as they relate to and support organization policies.

Spreadsheets, Documents & Emails: 41% overall (48% in Small Organizations, 45% in Medium Organizations, 31% in Large Organizations)
Solution Built & Supported by IT: 24% overall (15% in Small Organizations, 26% in Medium Organizations, 28% in Large Organizations)
1 Commercial Solution in this Area: 26% overall (17% in Small Organizations, 32% in Medium Organizations, 28% in Large Organizations)
2+ Commercial Solutions in this Area: 8% overall (9% in Small Organizations, 5% in Medium Organizations, 9% in Large Organizations)

Policy & Training Management

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 49% Spending More, 45% Same, 6% Spending Less
Small Organizations: 45% Spending More, 45% Same, 10% Spending Less, 3% Unsure
Medium Organizations: 49% Spending More, 49% Same, 2% Spending Less
Large Organizations: 52% Spending More, 39% Same, 9% Spending Less

Quality Management

Quality Management technologies record, benchmark, track and manage activity related to product and service quality assessments and certifications, production failures, product recalls, design and delivery improvements and their related regulatory guidelines.

Spreadsheets, Documents & Emails: 42% overall (44% in Small Organizations, 53% in Medium Organizations, 28% in Large Organizations)
Solution Built & Supported by IT: 16% overall (19% in Small Organizations, 15% in Medium Organizations, 15% in Large Organizations)
1 Commercial Solution in this Area: 12% overall (9% in Small Organizations, 8% in Medium Organizations, 17% in Large Organizations)
2+ Commercial Solutions in this Area: 7% overall (2% in Small Organizations, 4% in Medium Organizations, 13% in Large Organizations)

Quality Management

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 44% Spending More, 52% Same, 4% Spending Less
Small Organizations: 44% Spending More, 50% Same, 6% Spending Less, 3% Unsure
Medium Organizations: 31% Spending More, 66% Same, 3% Spending Less
Large Organizations: 58% Spending More, 38% Same, 4% Spending Less

Risk Management & Analytics

Risk Management technologies support the identification, assessment, evaluation and response, and monitoring of risks and opportunities of risk across the organization. This includes the ability to monitor changes in the external and internal contexts to alert an organization to changing risk conditions (e.g., geopolitical, economic, competitor, technology, and natural disaster) that can impact business. These systems help identify specific causes and execute historical review, simulation, interpretation and projection of impacts on an organization's operations or assets given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously. This category includes enterprise risk management systems, operational risk management systems, as well as specialized risk applications.

Spreadsheets, Documents & Emails: 56% overall (65% in Small Organizations, 60% in Medium Organizations, 45% in Large Organizations)
Solution Built & Supported by IT: 17% overall (13% in Small Organizations, 18% in Medium Organizations, 17% in Large Organizations)
1 Commercial Solution in this Area: 31% overall (26% in Small Organizations, 29% in Medium Organizations, 36% in Large Organizations)
2+ Commercial Solutions in this Area: 7% overall (4% in Small Organizations, 3% in Medium Organizations, 13% in Large Organizations)

Risk Management & Analytics

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 63% Spending More, 31% Same, 6% Spending Less
Small Organizations: 62% Spending More, 32% Same, 6% Spending Less, 3% Unsure
Medium Organizations: 68% Spending More, 30% Same, 2% Spending Less
Large Organizations: 58% Spending More, 33% Same, 9% Spending Less

Strategy, Performance, & Process Management

Strategy, Performance & Process Management technologies include solutions for identifying and managing corporate strategies, goals, and objectives and cascading them through the organization; optimizing operational and financial performance against those objectives; and providing valuable information for decision-making and reporting purposes.

Spreadsheets, Documents & Emails: 57% overall (65% in Small Organizations, 57% in Medium Organizations, 51% in Large Organizations)
Solution Built & Supported by IT: 14% overall (9% in Small Organizations, 16% in Medium Organizations, 16% in Large Organizations)
1 Commercial Solution in this Area: 10% overall (15% in Small Organizations, 5% in Medium Organizations, 11% in Large Organizations)
2+ Commercial Solutions in this Area: 8% overall (4% in Small Organizations, 8% in Medium Organizations, 11% in Large Organizations)

Strategy, Performance, & Process Management

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 47% Spending More, 44% Same, 9% Spending Less
Small Organizations: 56% Spending More, 33% Same, 11% Spending Less, 3% Unsure
Medium Organizations: 51% Spending More, 42% Same, 7% Spending Less
Large Organizations: 29% Spending More, 58% Same, 13% Spending Less

Third Party Management

Third Party Management technologies provide organizations the ability to govern third party relationships (e.g., vendor, supplier, contractor, consultant, service provider, outsourcers, agent) and the lifecycle of onboarding, contracts, due diligence screening, performance monitoring, risk management, compliance management, quality and service level management, and off-boarding. The third party GRC specific solutions record and maintain the communication, attestation, and assessment of policies, contractual compliance, risk and compliance assessments, and audits across extended business relationships. Third party screening solutions are used to vet third parties and validate them against databases such as politically exposed persons, watch lists, social accountability, and more.

Spreadsheets, Documents & Emails: 46% overall (48% in Small Organizations, 51% in Medium Organizations, 39% in Large Organizations)
Solution Built & Supported by IT: 12% overall (7% in Small Organizations, 9% in Medium Organizations, 17% in Large Organizations)
1 Commercial Solution in this Area: 17% overall (15% in Small Organizations, 18% in Medium Organizations, 17% in Large Organizations)
2+ Commercial Solutions in this Area: 7% overall (2% in Small Organizations, 4% in Medium Organizations, 15% in Large Organizations)

Third Party Management

Do you plan to spend more/same/less on GRC solutions in the following categories over the next 3 years?

Across All Organizations (Don't Knows Filtered Out): 41% Spending More, 48% Same, 11% Spending Less
Small Organizations: 44% Spending More, 41% Same, 15% Spending Less, 3% Unsure
Medium Organizations: 31% Spending More, 63% Same, 6% Spending Less
Large Organizations: 50% Spending More, 36% Same, 14% Spending Less

Survey Demographics & OCEG Resources

Survey Respondents by Breakout of GRC Buyers vs. Providers

509 Respondents

Organizations Using/Considering GRC Solutions (57%): 290 respondents were from organizations using or considering GRC solutions/technology.
Professional Services Firms (19%): 96 respondents were from professional services firms providing GRC services and solutions.
GRC Solutions Providers (12%): 63 respondents were from GRC Solutions/Technology Providers offering GRC related technology solutions.
Other (12%): 60 respondents marked Other.

This survey report focuses only on the 290 respondents from organizations using or considering GRC solutions.

Survey Respondents by Type of Organization

41% Publicly Traded
31% Privately Held
11% Government
5% Education
9% Non-Profit
3% State-Owned/Crown

290 respondents from organizations using or considering GRC solutions/technology

Survey Respondents by GRC Role in Organization

25% Risk Management
17% Compliance
34% Other
17% IT/Security
13% Audit

290 respondents from organizations using or considering GRC solutions/technology

Survey Respondents by Seniority in Organization

Administrative: 1%
Other: 4%
Executive/C-Suite: 12%
Professional: 15%
Senior Vice President: 4%
Vice President: 12%
Manager: 28%
Director: 24%

290 respondents from organizations using or considering GRC solutions/technology

Survey Respondents by Role in GRC Strategy

Lead the Enterprise GRC Strategy to integrate GRC across the organization: 36%
Participate in the Enterprise GRC Strategy in my organization: 51%
Exposure is only within department and not aware of broader context of GRC / Unsure: 1% / 12%

290 respondents from organizations using or considering GRC solutions/technology

Survey Respondents by Geographic Presence

EUROPE NORTH AMERICA 25% 49% 5% ASIA CENTRAL/SOUTH AMERICA 6% 4% MIDDLE EAST OCEANIA 5% AFRICA 6%

290 respondents from organizations using or considering GRC solutions/technology

Survey Respondents by Size of Organization

37% 37% 26%
Large Enterprise: 10,001+ Employees
Medium Enterprise: 1,001 to 10,000 Employees
Small Enterprise: 1 to 1,000 Employees

290 respondents from organizations using or considering GRC solutions/technology

OCEG's GRC Standards Library

OCEG's GRC Standards Library helps to jump-start and improve your approach to achieving Principled Performance.

OCEG's GRC Certification, Surveys & Illustrations

OCEG has a range of resources that help organizations understand, apply, and communicate Principled Performance and GRC.

Certifications

GRC Illustrated
OCEG has developed over 60 GRC illustrations that are info-graphics to help organizations understand and communicate Principled Performance and GRC.

Surveys
OCEG One-Minute Polls
GRC Maturity
GRC Metrics & Measurement
GRC Technology Strategy

OCEG's GRC Solutions Council and Executive Council Members

Members of OCEG's GRC Solutions and Executive Council collaborate to develop educational materials on the benefits of advancing GRC processes and technologies, as well as key resources to assist companies in maturing GRC strategy.

Contact us

www.oceg.org
4835 E. Cactus Road, Suite 225
Scottsdale, Arizona 85254
United States of America
info@oceg.org
@OCEG
+1 (602) 234-9278