
2014 Oceg Grc Technology Strategy Survey Final 05-27-2014 140812143159 Phpapp01

Date post: 03-Jun-2018
Upload: shanmugavelsankaran
An OCEG Benchmark on Current & Future GRC Technology Decisions. 2014 GRC TECHNOLOGY STRATEGY SURVEY: HOW ORGANIZATIONS APPROACH AND ADAPT THEIR TECHNOLOGY STRATEGY FOR GRC
Transcript
Page 1: 2014 Oceg Grc Technology Strategy Survey Final 05-27-2014 140812143159 Phpapp01

8/11/2019 2014 Oceg Grc Technology Strategy Survey Final 05-27-2014 140812143159 Phpapp01

http://slidepdf.com/reader/full/2014-oceg-grc-technology-strategy-survey-final-05-27-2014-140812143159-phpapp01 1/83

An OCEG Benchmark on Current & Future GRC Technology Decisions

2014 GRC TECHNOLOGY STRATEGY SURVEY

HOW ORGANIZATIONS APPROACH AND ADAPT THEIR TECHNOLOGY STRATEGY FOR GRC

About OCEG . . .

OCEG is a nonprofit think tank that helps organizations achieve Principled Performance. We provide standards, resources and a hub around which many professionals collaborate including: board members, business executives and operators, risk executives, audit executives, compliance executives, financial executives, IT executives, and HR executives.

Our mission is to help organizations reliably achieve objectives while addressing uncertainty and acting with integrity - this is Principled Performance. We assist organizations in developing and implementing GRC capabilities that enable Principled Performance by providing authoritative resources for integrating the governance, assurance and management of performance, risk and compliance. OCEG’s global community exceeds 40,000 members and through collaborative effort we continue to advance methods and measurements of success on the path to Principled Performance.

For more information go to www.OCEG.org or contact us at info@OCEG.org

The OCEG 2014 GRC Technology Strategy Survey was designed and analyzed by GRC 20/20 Research . . .

GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and analysis. We provide independent and objective insight into leading GRC practices and processes, including market dynamics and intelligence; risk, regulatory and technology trends; competitive landscapes; market sizing; expenditure priorities; and mergers and acquisitions.

For more information go to www.GRC2020.com or contact GRC 20/20 at [email protected].


OCEG SURVEY • 2014 GRC Technology Strategy Survey • www.OCEG.org • ©2014 all rights reserved

Contents

INTRODUCTION: GRC Technology Impacts GRC Maturity

SURVEY DEMOGRAPHICS: Risk, Audit, Compliance & IT Express Themselves

CURRENT STATE: How Organizations Currently Use GRC Technology

FUTURE STATE: How Organizations Plan to Use GRC Technology

IN SUMMARY: 5 Key Takeaways

REFERENCES: OCEG Resources; OCEG GRC Solution Category Descriptions; OCEG GRC Solution Council Members; Full Survey Charts/Responses

Preface 

If you’ve taken the time to read this survey, it’s likely you have a certain level of interest in governance, risk management, and compliance (GRC). There’s no shortage of information on the subject. An Internet search will throw up all sorts of tips, views and best practices designed to help those responsible for these areas.

OCEG is the framework body for GRC. We advocate Principled Performance and the role of GRC to enable organizations to reliably achieve objectives while addressing uncertainty and acting with integrity.

This OCEG survey focuses on GRC technology strategy: understanding how organizations use GRC technology in their current state, and the planned future state of where the organization’s GRC technology architecture is headed. At OCEG we want to see that GRC becomes part of your organisation’s DNA through the proper implementation and use of GRC technology.

We hope this survey report provides you with some valuable insights.


Governance, risk management, and compliance (GRC) is something every organization does — though not all do it well. Every organization has some approach to governing the organization, managing risk, and approaching compliance with obligations such as regulations. It does not matter if an organization uses the label GRC; the simple truth is every organization does GRC in some form.

Some organizations have mature and structured processes and reporting on GRC that brings together an integrated and orchestrated view of GRC processes and information. Other organizations have fragmented approaches where some aspects of GRC are more mature than others but fail to have an overall coordinated strategy. For some organizations GRC approaches are ad hoc and reactive.

The use of technology for GRC depends on organization strategy. Some organizations look to develop an enterprise technology architecture (or platform) for GRC. Other organizations lack an enterprise coordinated strategy and have different departments going in different directions. Whether at an enterprise level or a department, GRC maturity depends on how well GRC processes, information, and technology enable the organization to be efficient, effective and agile to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].

The proper selection and use of GRC technology is a primary factor in measuring GRC maturity within organizations. From one perspective, we all use technology in GRC. Pens and legal pads can be understood as technology — at one point pens were high tech. Today, GRC technology is commonly understood from the low-end of using documents, spreadsheets, and email to manage GRC information, processes and reporting to the high-end of a federated GRC architecture that integrates information and technology from across the enterprise in an ecosystem of GRC processes and information that works together as cogs in a machine automating GRC processes and reporting while providing accountability. There obviously is a wide range of approaches in between.

OCEG’s 2014 GRC Technology Strategy Survey takes aim at understanding organizations’ current use, planned future use, strategy, and satisfaction with their use of technology to support GRC within their organizations.

Michael Rasmussen 

OCEG Fellow & Co-Chair of OCEG GRC Solutions Council

Chief GRC Pundit & Analyst @ GRC 20/20 Research, LLC

[email protected] / [email protected]

INTRODUCTION

GRC Technology Strategy Impacts Maturity 


A Word From Our Survey Sponsors

ACL delivers technology solutions that are transforming audit and risk management.

“The survey shows that strategy for GRC is changing and why it is such an incredibly exciting and opportunistic time to be a GRC professional. Four mega-forces in technology for GRC were screamed out loudly by the survey results: cloud, mobile, design, and data. It’s clear that those affecting major change in their organization’s approach to GRC are making applications powerful and collaborative with the cloud, extending their reach through mobile, driving insight and decisions using objective truth as manifest in the organization’s data, while ensuring software empowers (not frustrates). We are so proud to be a part of ushering in this change in GRC, through technology.”

Dan Zitting, VP of Product Mgmt & Design, ACL

Convercent enables an effective compliance program with integrated management, mitigation and monitoring of compliance risk.

“The results of the survey provided a clear indication that the world of GRC technology is primed to leap forward in delivering GRC program effectiveness that’s both measurable and innovative. Too many organizations have a well-designed GRC program but lack the ability to apply it in a scalable way or to easily demonstrate its effectiveness, in large part because the technology, a critical enabler of an effective GRC program, is missing. We believe that the market is not only ready, but clamoring, for easy-to-use technology that is well designed and integrated, complete with native analytics and reporting. This survey validated that belief. We’re excited to be part of the journey.”

Michael Kleef, EVP of Marketing, Convercent

MetricStream delivers solutions for GRC and Quality Management Solutions for global corporations.

“MetricStream helps clients adopt a federated GRC architecture that aligns with business functions and adapts as their environment changes. As the survey demonstrates, GRC technology has advanced so much that it can seamlessly connect processes, systems, and departments across the global enterprise. It can capture information from across functions and systems, and aggregate this information to decision-makers to successfully manage risk and make decisions. As organizations realize these benefits, they are transforming their GRC technology strategies, and we are delighted to be part of this GRC Journey that our customers are on.”

– Vinay Bapna, Associate VP of Marketing, MetricStream

The 2014 OCEG GRC Technology Strategy Survey is made possible through the support of the entire OCEG GRC Solutions Council and particularly the following survey sponsor members:


SURVEY DEMOGRAPHICS


Risk, Audit & Corporate Compliance/Ethics Top Responders

The 2014 OCEG GRC Technology Strategy Survey had 273 respondents that fell across a range of industries, geographies, and roles/departments in organizations. [1]

GRC happens within departments and across the enterprise. From a department perspective, GRC roles look to technology to assist them in managing GRC within the department. An enterprise GRC perspective involves a GRC strategy, process, information and technology architecture that spans across departments.

The three primary roles responding to the survey (68% of responses) are risk management (25%), audit (22%), and corporate compliance/ethics (21%). These roles, combined with IT and Security, make up the most common roles that OCEG and GRC 20/20 see in enterprise technology strategies for GRC.

What is interesting to see is the 5% of respondents who define themselves as a Centralized GRC Group/Architecture role. This role is only about two years old and already seeing strong growth in organizations tasked to build and deploy information and technology architecture for enterprise GRC.

[1] The OCEG 2014 GRC Technology Strategy Survey also surveyed professional service firms and GRC technology/solution providers. The results in this report are just those from respondents that purchase and use GRC solutions within their environment and do not include professional services firms or solution provider responses.

Risk Management: 25%
Audit: 22%
Corporate Compliance/Ethics: 21%
Other GRC Roles: 32%

Other Roles Include . . .
Information Technology (9%)
Centralized GRC Group/Architecture (5%)
Security (5%)
Business Management/Executive (5%)
Business Operations / Logistics (2%)
Finance / Accounting (2%)
Vendor/Supplier Management, Research, Corporate Social Responsibility, Legal (4%)


Equilibrium of GRC Operational & Decision-Maker Roles

51% were Manager level and below:
Other: 3%
Professional: 20%
Manager: 28%

49% were Director level and above:
Executive: 6%
Senior Vice President: 7%
Vice President: 12%
Director: 24%

The survey results showed a nearly even split between GRC roles that were director level and above (49% of respondents) and those that were manager level down into professional/operational GRC roles (51%). This represents a balanced perspective on GRC technology strategy between decision makers and those using GRC solutions as part of their daily GRC operational roles.

Often the perspectives on GRC technology can vary between the decision-makers (purchasers) of GRC technology and the manager/operational GRC roles that use the technology every day. Having this evenly distributed balance of respondents provides an equilibrium to the survey results.


Distributed Organization Structure, Size & Industries

Organizations responding represented a distributed balance of size and structure. A variety of industries were represented in the responses, with financial services having the strongest representation.

Organization structure:
40.3% of organizations responding were from publicly traded organizations
38.4% of organizations responding were from privately held organizations
11.6% of organizations responding were from government organizations
9.7% of organizations responding were from non-profit, educational, or state-owned organizations

Organization size:
13.3% of organizations responding have between 1 and 500 employees
24.3% of organizations responding have between 501 and 2,500 employees
26.6% of organizations responding have between 2,501 and 10,000 employees
36.0% of organizations responding have more than 10,001 employees


CURRENT STATE


Utilization of GRC Technology in the Environment:

46% Utilized
51% Under-Utilized
3% Unsure

Organizations reported they have mixed success with their current use of technology for GRC. The current state of affairs shows a near even breakout, with 46% of organizations claiming that their GRC technology is well utilized and slightly more, at 51%, stating that GRC technology in their environment is underutilized. This indicates that approximately half of the organizations responding feel they could do better in how they use their current technology for GRC within their environments.

Contrasted with how GRC solutions are deployed, this reveals some enlightening perspectives. The majority of GRC solutions being used are department or issue-focused (81%) and are stand alone solutions not integrated with other GRC technology solutions (80%). This aligns with GRC 20/20’s market research that indicates that over 80% of GRC technology spending is on department and issue (e.g., risk, regulation) GRC needs and less than 20% of spend is on enterprise GRC that spans across departments in the organization.

Non-integrated, stand alone GRC solutions: 80%

GRC solutions are department or issue focused: 81%


Misaligned Technology to Meet Current GRC Needs

Alignment of Technology with Current GRC Needs:

27% Aligned
70% Unaligned
3% Unsure

Building on the mixed utilization of GRC technology used currently within organizations is the mounting concern that the GRC technology deployed does not meet the current needs of the organization (70%), with a minority (27%) stating that GRC technology is meeting their current needs.

The challenge is that risk and regulation have grown very complex. Many industries have seen regulatory change double in the past five years. Business operates in dynamic risk environments with intersecting risks that are managed in silos that do not talk to each other. The business itself is dynamically changing as employees, processes, strategy, financial position, technology and relationships change. External risks bear down on the organization from market, geo-political, environmental, and more. The complex web of supplier, agent, vendor, and other 3rd party relationships impacts the organization. Risk and regulatory reporting requirements have grown in complexity and often involve a complex web of data integration and analytics.

This misalignment is an indicator that organizations are discovering they need a very agile and dynamic GRC information and technology architecture that can integrate with distributed systems and content feeds and provide advanced analytics on the state of GRC and its impact on the organization’s strategy, performance, objectives, and integrity.


BOTTOM LINE: Document/Email Approaches Challenge GRC

[Chart: primary GRC technology in use. Categories: Spreadsheets, Documents, & Email; Solution Built In-House by IT; Commercial GRC Solution; 2+ Commercial GRC Solutions. Values shown: 24%, 6%, 17%, 53%]

53% of organizations state their primary GRC technology is spreadsheets, documents, and email

30% of organizations have one or more commercial GRC solutions

No wonder organizations see such misalignment in GRC technology to meet their current needs — the bastion of GRC technology in use is in the form of spreadsheets, emails, and documents. This approach is very labor intensive and inconsistent, which causes reporting errors and complexity, frustrates the line of business, lacks proper workflow and task management, and is simply not defensible.

Regulators and stakeholders are increasingly holding organizations accountable for audit trails and integrity in processes that documents, spreadsheets, and email approaches simply cannot provide by themselves. They are important tools in the toolbox but organizations are realizing they need something more.

The impact on FTEs is particularly significant. One financial services organization stated that 80% of their GRC staff resources were nothing more than document reconcilers for reporting. Their task was to reconcile and report on thousands of assessments and surveys for GRC in documents and spreadsheets that were distributed by email. A mess they are aggressively trying to correct.


FUTURE STATE


Organizational Alignment to Take Action on Future GRC

GRC change is afoot! Where organizations earlier indicated that they had lacked alignment (70% of responders stating they were unaligned on current GRC technology implementation), organizations report that they are deepening collaboration and communication across the enterprise for future GRC technology strategy and alignment (62% state they are aligned).

This is further evidenced by the fact that 44% of respondents state they have an enterprise GRC strategy going forward that spans departments. This is strengthened by another 35% of organizations indicating that they may not quite be set on an enterprise decision but have multiple departments involved in GRC technology decisions.

Organizational Strategy to Select GRC Solutions Going Forward:

Enterprise decision across departments: 44%
Multiple department decision, but not quite enterprise: 35%
Single department decision; Group decision focused on specific issue; Unsure or Other (remaining chart values, in the order shown: 8%, 3%, 10%)

Organizational Alignment to Take Action on Future GRC Solution Initiatives:

62% Aligned
34% Unaligned
3% Unsure


GRC Technology Spending Increasing Steadily

Keeping pace with a dynamic risk and regulatory environment is driving broad growth in GRC technology spending in 2014 (64% report increased spending, with 18% stating that spending is increasing over 25% from 2013).

Contrast that with only 14% of respondents indicating that GRC technology spend is decreasing. This is a very positive outlook for GRC technology, with such a small percentage cutting budgets in a tight and demanding economic environment.

64% Increased Spending:
Increase from 1% to 10%: 25%
Increase from 11% to 25%: 21%
Increase over 25%: 18%

22% No Change in Spending

14% Decreased Spending:
Decrease from 1% to 10%: 5%
Decrease from 11% to 25%: 5%
Decrease over 25%: 4%

3% Unsure


Organization Plans to Purchase GRC Technology

In the context of the broad increase in GRC technology spending in 2014, 41% of the spending is going toward new GRC technology (the assumption is the rest is on increased spending and implementation of existing GRC technology).

Beyond 2014, 27% of organizations indicate they will be acquiring new technology in one to two years (2015), and 31% plan on acquiring new GRC technology in two to three years (2016).

Organizations that indicate they plan to purchase new GRC technology in 2014: 41%

Immediate Purchase: 12%
1 to 6 Months: 13%
7 to 12 Months: 16%
1 to 2 Years: 27%
More than 2 Years: 31%


Crossroads In GRC Architecture Perspectives

Strategic Direction for GRC Architecture:

Prefer a centralized GRC Platform for the entire enterprise: 36%
Prefer a federated GRC Architecture that allows best of breed integration: 27%
Decentralized and non-integrated GRC solution strategy: 21%
Undecided: 17%

When it comes to future directions for GRC architecture, organizations are at a three way intersection of roads leading to different destinations, with some (17%) undecided in which direction to head.

One road leads to a centralized GRC platform that over one-third (36%) state is their GRC technology destination. This is where the organization standardizes one primary GRC platform for the organization.

The second road is a destination of a federated GRC architecture in which organizations on this journey (27%) acquire best of breed GRC solutions that offer the greatest value to the organization and integrate these systems where and when it makes sense to do so. Often federated GRC architectures will have a centralized GRC platform as a hub that other GRC technology feeds into for enterprise reporting and coordination of GRC activities and processes.

The third road is a decentralized and non-integrated GRC strategy in which these organizations (21%) purchase best of breed solutions to meet their specific department or issue-focused (e.g., risk, regulation) needs and do not see a need to integrate technology for enterprise reporting and coordination.


Top 10 GRC Technology Spending Priorities

The OCEG GRC Technology Solutions Guide details twenty-seven categories of GRC technology. When survey respondents were presented with these twenty-seven categories to list their top GRC technology priorities to acquire, they listed the following top ten as their most critical needs:


FUTURE: Top criteria for acquiring new solutions for GRC:

Ease of Use: 49%
Price: 46%
Functionality: 44%
Configurability: 34%
Industry Expertise: 27%

PAST: Top criteria that influenced choice of current GRC solutions:

Price: 53%
Ease of Use: 45%
Functionality: 34%
Configurability: 33%
Customer Service, Financial Stability, Local Office, Integration: 19%

Ease of Use Top Criteria on Future GRC Technology

For the most part, the top criteria for evaluating GRC technology have remained the same between the criteria used in the past and the criteria for future GRC purchases. However, the one element that has moved to be the highest priority is ‘ease of use.’ Organizations show that they want GRC solutions that are practical and engaging to use. This is particularly important for GRC as it continues to move communications to the front-lines of the organization.

It is also an indicator that organizations have frustration with complex GRC technology that is non-intuitive and difficult to use.


Factors That Influence Changing GRC Technology

What drives organizations to change the GRC technology they currently use?

The primary driver of change is lack of functionality in their current GRC technology (indicated by 40% of respondents). Business is dynamic, and the GRC challenges of today require advanced intelligence, integration, analytics, and holistic situational awareness of dynamic business, risk, and regulatory environments. GRC technology that was satisfactory a few years ago may be inadequate to meet the needs of GRC today and into the future.

Other factors driving change in GRC technology, but not as prominent as lack of functionality, include:

• A centralized GRC strategy to bring the organization to a single GRC platform (17%).

• Poor customer service in support and quality of current GRC solutions (16%).

• Migration to GRC solutions that are lower cost to acquire, implement, and maintain in the environment (6%).

• Reduction in budget forcing change, driving organizations to implement technology to reduce overhead (5%).

What is the single most important factor when changing GRC solutions?

Lack of Functionality: 40%
Internal Move to One Platform: 17%
Poor Customer Service: 16%
Lower Cost Competitor: 6%
Reduction in Budget: 5%


Primary Goals in New GRC Technology Adoption

Business changes, regulations change, risks change — in that context GRC technology changes to meet the needs of dynamic, distributed, and disrupted business. When looking for new GRC technology, organizations indicate that the primary goals they aim to achieve are:

• Complex risk and regulatory environments demand advanced capabilities of risk data integration and analytics to provide full situational awareness of risk (53%).

• Organizations are realizing that good GRC requires good information; there is increasing focus on the integrity and consistency of GRC information (43%).

• Regulatory change has more than doubled in several industries over the past five years (e.g., banking, insurance, healthcare) and drives the organization to GRC technologies that enable regulatory intelligence and agility (41%).

• When deploying new GRC technologies the organization is driven to reduce costs while increasing the performance of business operations (both 39%).

Increase analytics & rapid visibility of risk: 53%
Improve consistency of information: 43%
Meet new regulatory requirements: 41%
Reduce costs: 39%
Improve performance: 39%


GRC Deployment: to SaaS or not to SaaS

In today’s software world there are two primary deployment models to decide on when purchasing GRC solutions. One is the traditional software model in which the organization purchases a perpetual license to the software and yearly maintenance. In this model the software is installed in the organization’s data center. The other model is a Software as a Service (SaaS) model that is showing the strongest growth in adoption in the software world. In this model the organization pays an annual subscription fee and the software is hosted for them in the Cloud and not in the organization’s own data center. There are hybrids to these approaches, as well as different types of SaaS models.

When it comes to the buying behavior of those acquiring GRC solutions, roughly one-third (32%) have a strong SaaS preference, while a slightly larger group (41%) prefer the older traditional software model. When combined with those who have no preference (about 1/3rd), roughly 2/3rds of buyers are open to SaaS and 2/3rds of buyers are open to traditional software.

The acceptance, and particularly preference, of SaaS as the deployment model for GRC solutions is growing fast and most likely will overtake traditional software preference in the next one to two years.

Prefer SaaS: 32%
SaaS & No Preference: 59%
Traditional On Premise: 41%
Traditional & No Preference: 68%

Nearly 2/3rd of the market are open to SaaS GRC Solutions.
1/3rd of the market strongly prefer SaaS GRC Solutions.
Just over 2/3rd of the market are open to traditional software GRC Solutions.
Over 1/3rd of the market strongly prefer traditional software GRC Solutions.


IN SUMMARY


5 Key Takeaways

1. Tone down and control spreadsheets, documents & email for GRC

Spreadsheets, documents, and email for GRC are not going to be entirely eliminated but certainly need to be better controlled. These are tools on every desktop and they have a purpose. However, better technology needs to be used to overcome the pervasive use of spreadsheets, documents, and emails to do assessments, send surveys, communicate tasks, and do reporting — otherwise they are a nightmare that leads to the inevitability of failure as it drains FTE time, things get missed, and reporting takes a long time.

2. Understand that GRC is more than one technology

As defined in the OCEG GRC Solutions Guide and integrated into this survey — GRC technology is diverse. There is no such thing as a one-stop shop for GRC. An organization may standardize on a core backbone for GRC integration, analytics, management, and reporting, but to truly do GRC requires a range of technology investments and integration.

3. Define your GRC architecture strategy

We reviewed the three architecture models for GRC: decentralized, centralized, and federated. A decentralized strategy typically points to departments doing their own things and no enterprise coordination of GRC. A centralized strategy often leads to one platform that tries to do all things and forces much of the organization to the lowest common denominator. A federated strategy strikes a good balance between centralized and decentralized by allowing for best-of-breed solutions where they make sense, with integration between these systems or to a common backbone to enable enterprise GRC management and reporting.

4. Keep up with change

The greatest challenge for GRC is a dynamic business environment in which the business, risk, and regulatory environments are in a constant state of change. Agility is critical to align GRC with the business, and technology should enable the organization to keep current with changing environments.

5. Delivering GRC engagement through intuitive and easy to use technology

The number one criterion organizations are looking for in GRC today and into the future is ease of use. GRC is complex as it is, and technology should not add to that complexity but simplify it and make it easy for every level of the organization to engage in GRC.


REFERENCES: ABOUT OCEG


OCEG GRC Solutions Category Definitions

The following categories are from the OCEG GRC Solutions Guide 2.1. This guide is collaboratively developed and maintained by the members of the OCEG GRC Solutions Council.

Audit and Assurance Management systems are used to manage audit cycles – this includes audit planning, resource scheduling/calendaring, work paper management, and audit process management. They also support a risk-based approach to audit planning to prioritize audits based on the risk to the business.

Board and Entity Management technology enables corporate governance processes, frameworks, policies, structure, and activities in support of the overall coordination of an organization’s board and management responsibilities in accordance with legal, fiduciary, legal structure, and operational requirements. This includes the ability to provide for board collaboration, communications, reporting, board paper management, and voting.

Brand and Reputation Management systems track, report and manage responses to an organization’s activities and customer, employee, partner and shareholder opinions about those activities. This area of technology is rapidly expanding to encompass solutions to monitor risk to brand and reputation across social media applications.

Business Continuity Management systems model, record and direct the responsibilities, plans, actions and execution of continuity and disaster plans, testing of operating procedures, alternatives, information back-ups, data recovery and restoration processes during expected and unexpected disruptions to all areas of operation.

Compliance Management systems support the overall coordination of legal, regulatory, contractual, and corporate policy obligations and responsibilities with associated compliance tasks and records. This includes the ability to monitor, document, and manage changes to the regulatory environment and other obligations; to document all obligations of the organization; to perform compliance assessments against obligations; and report on the state of compliance.

Contract Management tools provide the ability to create, manage, store, change, deliver and append all business-related contracts (with suppliers and clients) and apply organizational policies and procedures, as well as specific legal and local regulatory criteria, to their administration.


Control Activity, Monitoring, and Assurance systems provide the ability to define, document, map, monitor, test, assess, and report on controls within the organization, including process and systems documentation; manual and automated controls; the limitations or conditions applied to amounts and parties in a transaction; user access, rights, and responsibilities; and accounts, workflows, and process initiation. This category of software is also often referred to as Continuous Control Monitoring (CCM) or Automated Controls. This includes the capability to test, on a continuing or periodic basis, data and activity against defined rules to identify and report potential errors, the failure of controls, or inappropriate actions – including tests of business transactions, network activity, intrusion attempts, the sharing of confidential information or intellectual property, systems access, etc. Also included in this area is the ability to do GRC data analytics, monitoring, and mining.

Corporate Social Responsibility tools help document the objectives, measure performance, assign responsibilities, recommend and monitor actions, organize contextual news feeds, support internal and external reporting, and communicate relative to an organization’s perceived relationship with the local and broader community, focused on the impact to its reputation, brand, and market growth.

Discovery/eDiscovery Management tools assist in managing and communicating discovery holds and uncovering, segmenting, organizing and storing electronic forms of evidence that can be used in an investigation, both before and after the occurrence of the related events, including tools that separate potential discovery documents from their original locations and repositories. This category of technology also includes systems for retention management that integrate with content/document systems to manage the storage, disposition, and retention of information.

Environmental Monitoring and Reporting systems and related applications help monitor, analyze, record, and report organizational activity focused on compliance with environmental laws and regulations, related corporate policy related to managing environmental controls and conditions, and assessing the environmental impact of the corporation’s operations, strategies, and plans.

Environmental, Health, and Safety applications help manage the regulatory and policy-based guidelines and processes for protecting and reporting on the workforce, workplace, resources-under-management and external environment impacted by an organization’s activities.


Finance/Treasury Risk Management solutions provide an array of applications and systems used to identify and manage the risk factors, causes and response procedures in an organization’s financial and treasury management. These include risk technology focused on specific areas such as liquidity, credit, market, and commodity risk management that help identify risk and execute historical review, simulation, interpretation and projection of impacts on an organization’s financial assets given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously.

Fraud & Corruption Detection, Prevention & Management systems assist in the identification, response to, control, and reduction of incidents involving investigation, misuse, theft or misapplication of an organization’s resources and assets by employees and/or third parties. Technology includes tools for data collection, monitoring, mining, and analysis as well as emerging technologies, such as social network analysis, social media sourcing, third party due diligence and statistical modeling. This category of solutions includes software that addresses such issues as anti-corruption/bribery compliance, fraud, and Anti-Money Laundering (AML).

Global Trade Compliance/International Dealings systems document, manage, and provide required reporting on relevant regulations for the exchange of capital, goods and services across international boundaries.

Hotline/Helpline systems provide information intake and response systems to provide a confidential, independent resource for all employees and others to report observations related to issues as well as potential acts of fraud, theft, inappropriate or illegal behavior, negligence or other impropriety committed by employees, partners or contractors as well as seek clarification/guidance on conduct, policies, and procedures.

Information/IT Risk & Security Management systems implement the frameworks and principles that govern risk, security, controls and compliance-guided elements in the planning, development, acquisition, delivery, use, integration, evaluation and retirement of information and technology resources.


Insurance and Claims Management platforms record and administer an organization’s corporate insurance, liability and warranty coverage levels and documents (including property and casualty, product liability, directors’ and officers’, and related areas of core coverage) and help execute the related claims, process the forms and monitor claims administration procedures across jurisdictions.

Intellectual Property Management systems help identify, capture, organize and protect the organization’s portfolio of intellectual property (copyrights, trademarks, patents, trade secrets and all related intangible assets with inherent value) and enable the legal reuse and sharing of intellectual property created by third parties.

Issue and Investigations Management is used to manage investigations, issues, incidents, events, or cases: they specifically provide consistent documentation and processes for the management of events — from reporting, to managing and documenting the investigation, to recording the loss and business impact.

Matter Management systems administer the collection of facts related to events and legal cases under investigation, for use in verifying their circumstances, in order to provide valid information for testing by independent parties with the confidence that the information provided is related to these events.

Physical Security & Loss Management systems enhance physical asset and individual protection, and the authorization and monitoring of access to an organization’s facilities and property. This category of technology also includes systems to manage physical loss and theft.

Policy Management, Communication, & Training systems manage the development, record, organization, modification, maintenance, communication, training, and administration of policies, procedures, standards, and guidelines in response to new or changing requirements or principles, and correlate them to one another. This also includes systems used to train individual learning and understanding of policy and risk areas to employees and extended business relationships.

Privacy Management systems and tools help to identify, capture, segment, and secure access to and use of personally identifying information across information sources, applications and users in compliance with applicable laws and regulations. Privacy technology is broader than security technology as it encompasses the accuracy and use of private information and not just the protection of it.


Quality Management and Monitoring systems record, benchmark, track and manage activity related to product and service quality assessments and certifications, production failures, product recalls, design and delivery improvements and their related regulatory guidelines.

Reporting and Disclosure applications include solutions for assembling and distributing financial, operational, regulatory information to management, the board, regulators and shareholders. These solutions provide visibility and transparency related to business outcomes. Some solutions may support formats and templates required by regulators and agencies for required reporting.

Risk Management systems support the identification, assessment, evaluation and response, and monitoring of risks and opportunities of risk across the organization. This includes the ability to monitor changes in the external and internal contexts to alert an organization to changing risk conditions (e.g., geo-political, economic, competitor, technology, and natural disaster) that can impact business. These systems help identify specific causes and execute historical review, simulation, interpretation and projection of impacts on an organization’s operations or assets given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously. This category includes enterprise risk management systems, operational risk management systems, as well as specialized risk applications.

Strategy, Performance, and Business Intelligence include solutions for identifying and managing corporate strategies, goals, and objectives and cascading them through the organization; optimizing operational and financial performance against those objectives; and providing valuable information for decision-making and reporting purposes.

Third Party/Vendor Risk & Compliance solutions govern, record, and maintain the communication, attestation, and assessment of code of conduct, contractual compliance, risk and compliance self-assessments, and audits across extended business relationships (e.g., supply-chain/value-chain, contractors, outsourcers, service providers, consultants, staffing agencies).


OCEG’s GRC Standards Library

OCEG’s GRC Standards Library helps to jump-start and improve your approach to achieving Principled Performance.


OCEG’s GRC Certification, Surveys & Illustrations

OCEG has a range of resources that help organizations understand, apply, and communicate Principled Performance and GRC.

Certifications

Surveys

OCEG One-Minute Polls on Focused Subjects

  GRC Maturity

  GRC Metrics & Measurement

  GRC Technology Strategy

GRC Illustrated

OCEG has developed over 60 GRC illustrations that are infographics to help organizations understand and communicate Principled Performance and GRC.

[Figure: GRC Illustrated, “Pathway to Principled Performance” (©2014 OCEG). Panels: 1 Capabilities, 2 Systems, 3 Pathway. Capability elements shown: Align, Proact, Detect, Respond, Measure, Interact.]


OCEG’s GRC Solutions Council

Members of OCEG’s GRC Solutions Council collaborate to develop educational materials on the benefits of advancing GRC processes and technologies, as well as key resources to assist companies in maturing GRC strategy.

 Affiliate Member:


REFERENCES: SURVEY RESPONSES


GRC Technology Survey 2013 Report


Value Count Percent

Publicly Traded 104 40%

Privately Held 99 38%

Government Agency/Organization 30 12%

Non-profit organization 17 7%

Educational Organization 5 2%

State Owned Enterprises/Crown Corporations 3 1%

Statistics

Total Responses 258


Value Count Percent

Risk Management 65 25%

 Audit 58 22%

Corporate Compliance/Ethics 53 21%

Information Technology 23 9%

Centralized GRC Group/Architecture 14 5%

Security 12 5%

Management (Executive / Corporate) 12 5%

Other 6 2%

Business Operations / Logistics 6 2%

Finance / Accounting 5 2%

Vendor/Supplier Management 1 0%


Research 1 0%

Corporate Social Responsibility 1 0%

Legal 1 0%

Statistics

Total Responses 258


Value Count Percent

Top Level Executive 15 6%

Senior Vice President 17 7%

Vice President 32 12%

Director 61 24%

Manager 72 28%

Professional 51 20%

 Administrative 4 2%

Other 6 2%

Statistics

Total Responses 258

Value Count Percent

Excellent 11 6%

Good 36 20%

Fair 74 42%

Poor 50 28%

Don't Know 5 3%

Statistics

Total Responses 176

Value Count Percent

Strongly Agree 19 11%

Somewhat Agree 61 35%

Somewhat Disagree 58 33%

Strongly Disagree 32 18%

Don't Know 6 3%

Statistics

Total Responses 176


Value Count Percent

Strongly Agree 75 43%

Somewhat Agree 66 38%

Somewhat Disagree 22 13%

Strongly Disagree 10 6%

Don't Know 3 2%

Statistics

Total Responses 176

Value Count Percent

Strongly Agree 71 40%

Somewhat Agree 71 40%

Somewhat Disagree 14 8%

Strongly Disagree 17 10%

Don't Know 3 2%

Statistics

Total Responses 176


Value Count Percent

Yes, we have one GRC solution for the entire organization 41 23%

Yes, we have multiple GRC solutions that we use across the organization 60 34%

Yes, we have a GRC solution in my department but I am unaware of what other departments are doing 17 10%

No, we do not have any GRC solutions being used in our organization 56 32%

Don't Know 2 1%

Statistics

Total Responses 176


In each of the following categories, how has your organization approached GRC technology solutions?

NOTE: Definitions for each of these categories can be found at http://www.oceg.org/resources/grc-technology-solutions/ (select all that apply):

| Category | Spreadsheets, Documents, and Emails | Solution Built and Supported In-House by IT | Commercial GRC Software for this Category | Two or More Commercial GRC Software Solutions for this Category | Don't Know | Responses |
|---|---|---|---|---|---|---|
| Audit and Assurance Management | 57% (99) | 12% (20) | 37% (64) | 6% (11) | 8% (14) | 173 |
| Board and Entity Management | 46% (79) | 12% (20) | 13% (23) | 2% (4) | 32% (55) | 172 |
| Brand and Reputation Management | 44% (75) | 5% (9) | 6% (10) | 2% (4) | 47% (81) | 172 |
| Business Continuity Management | 50% (86) | 15% (25) | 23% (39) | 3% (5) | 20% (35) | 172 |
| Compliance Management | 59% (102) | 12% (21) | 28% (48) | 8% (14) | 10% (18) | 173 |
| Contract Management | 47% (80) | 20% (34) | 22% (37) | 6% (10) | 18% (31) | 172 |
| Control Activity, Monitoring, and Assurance | 52% (89) | 14% (24) | 27% (47) | 8% (13) | 16% (28) | 171 |
| Corporate Social Responsibility | 41% (70) | 5% (8) | 9% (16) | 2% (3) | 46% (79) | 171 |
| Discovery/eDiscovery Management | 34% (58) | 9% (16) | 13% (22) | 6% (10) | 45% (77) | 172 |
| Environmental Monitoring and Reporting | 42% (72) | 8% (13) | 13% (23) | 4% (6) | 40% (69) | 171 |
| Environmental, Health, and Safety | 44% (76) | 9% (16) | 14% (24) | 3% (5) | 38% (65) | 171 |
| Finance/Treasury Risk Management | 39% (67) | 20% (34) | 25% (44) | 8% (14) | 24% (42) | 173 |
| Fraud & Corruption Detection, Prevention & Management | 48% (83) | 12% (21) | 20% (34) | 9% (15) | 26% (45) | 173 |
| Global Trade Compliance/International Dealings | 32% (54) | 8% (14) | 12% (20) | 4% (6) | 51% (88) | 171 |
| Hotline/Helpline | 27% (46) | 21% (36) | 31% (54) | 3% (6) | 26% (44) | 172 |
| Information/IT Risk & Security | 38% (65) | 27% (46) | 34% (58) | 8% (13) | 17% (30) | 173 |
| Insurance and Claims Management | 36% (62) | 15% (25) | 14% (24) | 5% (8) | 41% (71) | 172 |
| Intellectual Property Management | 38% (66) | 11% (19) | 7% (12) | 1% (1) | 49% (85) | 172 |
| Issue and Investigations Management | 45% (77) | 12% (21) | 25% (42) | 5% (9) | 24% (41) | 171 |
| Matter Management | 29% (49) | 4% (7) | 13% (22) | 3% (5) | 54% (93) | 171 |
| Physical Security & Loss Management | 43% (74) | 17% (29) | 17% (29) | 3% (6) | 34% (58) | 172 |
| Policy Management, Communication, & Training | 47% (80) | 24% (42) | 25% (43) | 6% (11) | 15% (26) | 172 |
| Privacy Management | 41% (70) | 13% (22) | 15% (25) | 3% (6) | 40% (68) | 172 |
| Quality Management and Monitoring | 40% (70) | 18% (31) | 17% (29) | 6% (11) | 34% (59) | 173 |


What has been your company’s average annual spend on GRC solutions in the following categories over the past three years (include license fees, maintenance fees, subscription fees and consulting fees)?

| Category | No Spend | $1 to $25,000 | $25,001 to $100,000 | $100,001 to $500,000 | $500,001 to $999,999 | >$1,000,000 | Don't Know | Responses |
|---|---|---|---|---|---|---|---|---|
| Audit and Assurance Management | 19% (32) | 17% (30) | 15% (25) | 7% (12) | 2% (4) | 0% (0) | 40% (69) | 172 |
| Board and Entity Management | 22% (37) | 11% (19) | 5% (8) | 3% (5) | 0% (0) | 1% (1) | 59% (99) | 169 |
| Brand and Reputation Management | 23% (39) | 10% (17) | 3% (5) | 2% (4) | 2% (3) | 1% (1) | 59% (100) | 169 |
| Business Continuity Management | 21% (35) | 13% (21) | 7% (12) | 6% (10) | 1% (2) | 0% (0) | 52% (88) | 168 |
| Compliance Management | 15% (26) | 14% (24) | 14% (23) | 8% (14) | 1% (2) | 3% (5) | 44% (75) | 169 |
| Contract Management | 19% (32) | 15% (25) | 6% (10) | 4% (7) | 1% (1) | 1% (2) | 54% (91) | 168 |
| Control Activity, Monitoring, and Assurance | 19% (32) | 13% (22) | 7% (12) | 7% (12) | 1% (1) | 1% (2) | 52% (87) | 168 |
| Corporate Social Responsibility | 24% (41) | 10% (17) | 4% (6) | 0% (0) | 1% (2) | 1% (1) | 60% (101) | 168 |
| Discovery/eDiscovery Management | 23% (38) | 9% (15) | 4% (6) | 2% (3) | 1% (2) | 0% (0) | 62% (104) | 168 |
| Environmental Monitoring and Reporting | 26% (43) | 8% (13) | 3% (5) | 2% (3) | 1% (1) | 1% (1) | 61% (102) | 168 |
| Environmental, Health, and Safety | 22% (37) | 11% (18) | 4% (7) | 2% (3) | 2% (3) | 1% (1) | 59% (99) | 168 |
| Finance/Treasury Risk Management | 17% (28) | 10% (17) | 6% (10) | 4% (7) | 2% (3) | 2% (3) | 60% (100) | 168 |
| Fraud & Corruption Detection, Prevention & Management | 18% (31) | 15% (25) | 4% (7) | 5% (8) | 1% (1) | 2% (3) | 55% (93) | 168 |
| Global Trade Compliance/International Dealings | 24% (40) | 9% (15) | 4% (7) | 1% (1) | 0% (0) | 1% (2) | 61% (103) | 168 |
| Hotline/Helpline | 18% (30) | 15% (26) | 9% (15) | 4% (6) | 2% (3) | 0% (0) | 53% (89) | 169 |
| Information/IT Risk & Security | 12% (21) | 12% (20) | 9% (15) | 12% (21) | 2% (4) | 3% (5) | 49% (83) | 169 |
| Insurance and Claims Management | 23% (39) | 9% (15) | 3% (5) | 3% (5) | 0% (0) | 3% (5) | 59% (99) | 168 |
| Intellectual Property Management | 25% (41) | 10% (17) | 1% (1) | 1% (2) | 1% (2) | 1% (1) | 62% (103) | 167 |
| Issue and Investigations Management | 22% (37) | 11% (19) | 5% (8) | 4% (7) | 1% (1) | 2% (4) | 55% (92) | 168 |
| Matter Management | 27% (45) | 8% (13) | 2% (4) | 1% (1) | 1% (1) | 1% (1) | 61% (103) | 168 |
| Physical Security & Loss Management | 17% (28) | 11% (19) | 8% (14) | 3% (5) | 1% (1) | 2% (3) | 58% (96) | 166 |
| Policy Management, Communication, & Training | 15% (26) | 18% (31) | 8% (13) | 6% (10) | 1% (2) | 0% (0) | 51% (86) | 168 |
| Privacy Management | 24% (41) | 11% (19) | 5% (8) | 1% (2) | 1% (2) | 0% (0) | 57% (96) | 168 |
| Quality Management and Monitoring | 21% (35) | 11% (19) | 4% (6) | 4% (7) | 4% (6) | 1% (1) | 56% (94) | 168 |
| Reporting and Disclosure | 20% (34) | 11% (19) | 9% (15) | 1% (2) | 1% (1) | 1% (2) | 57% (95) | 168 |
| Risk Management | 16% (27) | 17% (28) | 11% (18) | 9% (15) | 0% (0) | 2% (4) | 46% (77) | 169 |
| Strategy, Performance, and Business Intelligence | 20% (33) | 10% (16) | 6% (10) | 5% (8) | 1% (1) | 1% (2) | 58% (98) | 168 |
| Third Party/Vendor Risk & Compliance | 19% (32) | 17% (28) | 9% (15) | 3% (5) | 1% (1) | 1% (1) | 51% (85) | 167 |


Value Count Percent

 A centralized "GRC Platform" for the entire enterprise across all relevant categories to your business 62 36%

 A federated "GRC Platform" for certain categories and "best of breed" solutions in others 46 27%

 A distributed range of "best of breed" solutions in different categories that operate independently of each other 36 21%

Other 7 4%

Don't Know 22 13%

Statistics

Total Responses 173


Value Count Percent

Brand name 25 15%

Price 91 53%

Customer service 33 19%

They have a local office 17 10%

They are a large, financially stable company 33 19%

They specialize in my industry 33 19%

Best functionality in the area I oversee 58 34%

 Ability to configure the software without vendor support & charges 57 33%

Ease of use 77 45%

 Ability to integrate with existing ERP system 33 19%

Mobile functionality 6 4%

I can buy all the functionality/modules I need from the same provider 22 13%

Total Responses 171

Value Count Percent

Internet search 101 59%

GRC software report 94 55%

Intermediary (eg: accounting firm, insurance co, law firm etc) 50 29%

GRC software advisor 64 38%

Referral from a friend / colleague 64 38%

Industry exhibition, web forum 66 39%

Response to an advertisement 14 8%

Statistics

Total Responses 170


Value Count Percent

No new technology solutions are needed 36 24%

We are waiting until the market matures before taking action or looking at new technology solutions for GRC needs 27 18%

We will primarily make use of boutique vendors and point solutions to meet GRC needs 34 23%

We will look primarily to our ERP provider(s) to help meet GRC needs 12 8%

Don't know 18 12%

Other 21 14%

Statistics

Total Responses 148


Value Count Percent

We are buying new point solutions to resolve specific GRC issues 44 30%

We are looking first to our existing environment for solutions that can be used or repurposed 63 43%

We are extending our existing enterprise architectures with add-on solutions offered by our current enterprise software vendors 28 19%

We are extending our existing enterprise architectures by developing customized solutions 23 16%

Don't know 21 14%

Statistics

Total Responses 148

Value Count Percent

Lower or avoid costs 51 34%

Increase reliability 19 13%

Improve performance 58 39%

Improve consistency of information 64 43%

Increase analytics and rapid visibility to risk 79 53%

Reduce complexity 49 33%

Reduce risks 58 39%

Regulatory compliance 60 41%

Statistics

Total Responses 148


Value Count Percent

 Audit and Assurance Management 34 23%

Board and Entity Management 5 3%

Brand and Reputation Management 4 3%

Business Continuity Management 18 12%

Compliance Management 44 30%

Contract Management 13 9%

Control Activity, Monitoring, and Assurance 31 21%

Corporate Social Responsibility 1 1%

Discovery/eDiscovery Management 3 2%

Environmental Monitoring and Reporting 2 1%

Environmental, Health, and Safety 3 2%

Finance/Treasury Risk Management 12 8%

Fraud & Corruption Detection, Prevention & Management 15 10%


Hotline/Helpline 9 6%

Information/IT Risk & Security 31 21%

Insurance and Claims Management 3 2%

Intellectual Property Management 3 2%

Issue and Investigations Management 14 10%

Matter Management 2 1%

Physical Security & Loss Management 2 1%

Policy Management, Communication, & Training 28 19%

Privacy Management 4 3%

Quality Management and Monitoring 5 3%

Reporting and Disclosure 17 12%

Risk Management 48 33%

Strategy, Performance, and Business Intelligence 13 9%

Third Party/Vendor Risk & Compliance 15 10%

Other 7 5%

Don't Know 42 29%

Statistics

Total Responses 147


Value Count Percent

Strongly Agree 17 14%

Somewhat Agree 60 48%

Somewhat Disagree 32 26%

Strongly Disagree 12 10%

Don't Know 4 3%

Statistics

Total Responses 125


Value Count Percent

SaaS 40 32%

Internally hosted 51 41%

No preference 25 20%

Don't Know 9 7%

Statistics

Total Responses 125


Value Count Percent

 Annual subscription contract with no upfront license fee 24 19%

License with an annual maintenance contract 53 42%

No preference 37 30%

Don't Know 11 9%

Statistics

Total Responses 125


Value Count Percent

Lower cost competitor 7 6%

Internal requirement for One-Stop-Shop 21 17%

Poor customer service (e.g. support line, product upgrades) 20 16%

Lack of functionality 50 40%

Reduction in compliance budget 6 5%

Other 11 9%

Don't Know 10 8%

Statistics

Total Responses 125


What is the timeframe that you expect for your organization to implement new or additional GRC solutions?

| Category | Immediately | 1 to 6 months | 7 to 12 months | 1 to 2 years | More than 2 years | Don't Know | Responses |
|---|---|---|---|---|---|---|---|
| Audit and Assurance Management | 6% (8) | 7% (9) | 7% (9) | 17% (21) | 17% (21) | 46% (57) | 125 |
| Board and Entity Management | 2% (3) | 2% (2) | 5% (6) | 6% (8) | 14% (17) | 71% (89) | 125 |
| Brand and Reputation Management | 2% (2) | 1% (1) | 4% (5) | 5% (6) | 12% (15) | 77% (96) | 125 |
| Business Continuity Management | 3% (4) | 9% (11) | 7% (9) | 18% (22) | 11% (14) | 52% (65) | 125 |
| Compliance Management | 6% (7) | 11% (14) | 11% (14) | 17% (21) | 11% (14) | 44% (55) | 125 |
| Contract Management | 3% (4) | 8% (10) | 6% (7) | 9% (11) | 11% (14) | 63% (79) | 125 |
| Control Activity, Monitoring, and Assurance | 3% (4) | 10% (13) | 6% (7) | 15% (19) | 12% (15) | 54% (67) | 125 |
| Corporate Social Responsibility | 2% (2) | 2% (2) | 0% (0) | 9% (11) | 8% (10) | 80% (100) | 125 |
| Discovery/eDiscovery Management | 2% (3) | 3% (4) | 3% (4) | 4% (5) | 11% (14) | 76% (95) | 125 |
| Environmental Monitoring and Reporting | 2% (2) | 2% (3) | 2% (2) | 8% (10) | 6% (8) | 80% (100) | 125 |
| Environmental, Health, and Safety | 3% (4) | 2% (2) | 2% (3) | 10% (12) | 8% (10) | 75% (94) | 125 |
| Finance/Treasury Risk Management | 3% (4) | 6% (8) | 4% (5) | 10% (12) | 10% (12) | 67% (84) | 125 |
| Fraud & Corruption Detection, Prevention & Management | 2% (3) | 2% (2) | 7% (9) | 13% (16) | 11% (14) | 65% (81) | 125 |
| Global Trade Compliance/International Dealings | 2% (2) | 2% (3) | 2% (3) | 4% (5) | 10% (13) | 79% (99) | 125 |
| Hotline/Helpline | 6% (8) | 2% (3) | 3% (4) | 4% (5) | 12% (15) | 72% (90) | 125 |
| Information/IT Risk & Security | 5% (6) | 6% (7) | 11% (14) | 15% (19) | 12% (15) | 51% (64) | 125 |
| Insurance and Claims Management | 2% (2) | 1% (1) | 2% (2) | 4% (5) | 13% (16) | 79% (99) | 125 |
| Intellectual Property Management | 2% (2) | 3% (4) | 2% (2) | 6% (8) | 9% (11) | 78% (98) | 125 |
| Issue and Investigations Management | 3% (4) | 4% (5) | 6% (8) | 8% (10) | 10% (13) | 68% (85) | 125 |
| Matter Management | 2% (3) | 4% (5) | 2% (3) | 2% (2) | 10% (12) | 80% (100) | 125 |
| Physical Security & Loss Management | 5% (6) | 2% (2) | 2% (3) | 5% (6) | 10% (13) | 76% (95) | 125 |
| Policy Management, Communication, & Training | 4% (5) | 6% (8) | 10% (12) | 13% (16) | 10% (13) | 57% (71) | 125 |
| Privacy Management | 2% (3) | 3% (4) | 7% (9) | 6% (8) | 9% (11) | 72% (90) | 125 |
| Quality Management and Monitoring | 2% (3) | 3% (4) | 6% (7) | 10% (12) | 10% (12) | 70% (87) | 125 |
| Reporting and Disclosure | 3% (4) | 5% (6) | 7% (9) | 5% (6) | 8% (10) | 72% (90) | 125 |
| Risk Management | 8% (10) | 10% (13) | 8% (10) | 17% (21) | 9% (11) | 48% (60) | 125 |
| Strategy, Performance, and Business Intelligence | 6% (8) | 3% (4) | 7% (9) | 4% (5) | 9% (11) | 70% (88) | 125 |
| Third Party/Vendor Risk & Compliance | 5% (6) | 2% (3) | 10% (12) | 10% (13) | 6% (7) | 67% (84) | 125 |


What do you estimate your company’s budget on GRC solutions per year will be (once your company decides to implement such software) in the following areas?

| Category | No Spend | $1 to $25,000 | $25,001 to $100,000 | $100,001 to $500,000 | $500,001 to $999,999 | >USD$1,000,000 | Don't Know | We do not have a budget | Responses |
|---|---|---|---|---|---|---|---|---|---|
| Audit and Assurance Management | 7% (9) | 21% (26) | 10% (12) | 9% (11) | 1% (1) | 0% (0) | 30% (38) | 22% (28) | 125 |
| Board and Entity Management | 10% (13) | 11% (14) | 6% (7) | 0% (0) | 0% (0) | 0% (0) | 40% (50) | 33% (41) | 125 |
| Brand and Reputation Management | 13% (16) | 10% (13) | 2% (2) | 1% (1) | 0% (0) | 1% (1) | 39% (49) | 34% (43) | 125 |
| Business Continuity Management | 7% (9) | 8% (10) | 10% (13) | 6% (7) | 1% (1) | 0% (0) | 39% (49) | 29% (36) | 125 |
| Compliance Management | 6% (7) | 14% (17) | 12% (15) | 10% (12) | 0% (0) | 1% (1) | 34% (42) | 25% (31) | 125 |
| Contract Management | 11% (14) | 7% (9) | 9% (11) | 6% (7) | 0% (0) | 1% (1) | 40% (50) | 26% (33) | 125 |
| Control Activity, Monitoring, and Assurance | 10% (12) | 14% (18) | 6% (7) | 5% (6) | 1% (1) | 0% (0) | 34% (43) | 30% (38) | 125 |
| Corporate Social Responsibility | 14% (18) | 10% (12) | 2% (2) | 1% (1) | 0% (0) | 0% (0) | 41% (51) | 33% (41) | 125 |
| Discovery/eDiscovery Management | 15% (19) | 8% (10) | 4% (5) | 1% (1) | 0% (0) | 0% (0) | 38% (47) | 34% (43) | 125 |
| Environmental Monitoring and Reporting | 14% (17) | 9% (11) | 2% (2) | 2% (2) | 0% (0) | 0% (0) | 40% (50) | 34% (43) | 125 |
| Environmental, Health, and Safety | 13% (16) | 10% (12) | 3% (4) | 3% (4) | 0% (0) | 0% (0) | 37% (46) | 34% (42) | 124 |
| Finance/Treasury Risk Management | 10% (12) | 6% (8) | 9% (11) | 2% (3) | 3% (4) | 0% (0) | 41% (51) | 29% (36) | 125 |
| Fraud & Corruption Detection, Prevention & Management | 11% (14) | 10% (12) | 8% (10) | 2% (2) | 0% (0) | 1% (1) | 38% (47) | 31% (39) | 125 |
| Global Trade Compliance/International Dealings | 14% (18) | 7% (9) | 2% (3) | 1% (1) | 0% (0) | 0% (0) | 42% (52) | 34% (42) | 125 |
| Hotline/Helpline | 12% (15) | 12% (15) | 6% (8) | 2% (2) | 0% (0) | 0% (0) | 38% (47) | 30% (38) | 125 |
| Information/IT Risk & Security | 8% (10) | 10% (13) | 9% (11) | 9% (11) | 2% (2) | 0% (0) | 36% (45) | 26% (33) | 125 |
| Insurance and Claims Management | 11% (14) | 6% (8) | 2% (3) | 1% (1) | 2% (2) | 1% (1) | 41% (51) | 36% (45) | 125 |
| Intellectual Property Management | 14% (17) | 8% (10) | 2% (2) | 0% (0) | 2% (2) | 0% (0) | 40% (50) | 35% (44) | 125 |
| Issue and Investigations Management | 12% (15) | 8% (10) | 8% (10) | 2% (3) | 1% (1) | 0% (0) | 38% (47) | 31% (39) | 125 |
| Matter Management | 14% (18) | 5% (6) | 2% (3) | 2% (2) | 0% (0) | 0% (0) | 39% (49) | 38% (47) | 125 |
| Physical Security & Loss Management | 11% (14) | 8% (10) | 5% (6) | 2% (2) | 0% (0) | 0% (0) | 38% (48) | 36% (45) | 125 |
| Policy Management, Communication, & Training | 10% (12) | 10% (13) | 9% (11) | 2% (2) | 0% (0) | 2% (2) | 37% (46) | 31% (39) | 125 |
| Privacy Management | 10% (13) | 10% (12) | 5% (6) | 1% (1) | 0% (0) | 0% (0) | 41% (51) | 34% (42) | 125 |
| Quality Management and Monitoring | 14% (18) | 5% (6) | 6% (8) | 3% (4) | 0% (0) | 0% (0) | 38% (47) | 34% (42) | 125 |
| Reporting and Disclosure | 13% (16) | 4% (5) | 9% (11) | 2% (3) | 2% (2) | 1% (1) | 38% (47) | 32% (40) | 125 |
| Risk Management | 9% (11) | 10% (12) | 10% (13) | 8% (10) | 2% (3) | 0% (0) | 32% (40) | 29% (36) | 125 |
| Strategy, Performance, and Business Intelligence | 12% (15) | 6% (7) | 6% (8) | 2% (2) | 1% (1) | 1% (1) | 40% (49) | 33% (41) | 124 |
| Third Party/Vendor Risk & Compliance | 11% (14) | 10% (12) | 3% (4) | 5% (6) | 1% (1) | 0% (0) | 38% (48) | 32% (40) | 125 |

Value Count Percent

Internet search 58 46%

GRC software report 83 66%

Intermediary (eg: accounting firm, insurance co, law firm etc) 36 29%

GRC software advisor 49 39%


Referral from a friend / colleague 52 42%

Industry exhibition, web forum 52 42%

Response to an advertisement 9 7%

Other 11 9%

Statistics

Total Responses 125


Value Count Percent

Brand name 10 8%

Price 57 46%

Customer service 32 26%

They have a local office 8 6%

They are a large, financially stable company 21 17%

They specialize in my industry 34 27%

Best functionality in the area I oversee 55 44%

Ability to configure the software 43 34%

Ease of use 61 49%

Ability to integrate with existing ERP system 27 22%

Mobile functionality 3 2%

I can buy all the functionality/modules I need from the same provider 15 12%

Statistics

Total Responses 125

Value Count Percent

Peer feedback and recommendations 77 62%

Whitepapers 61 49%

Datasheets (short, 2 page overview) 25 20%

Webinars 28 22%

Product Demos 84 67%

Product Trials 50 40%

2 minute overview videos 7 6%

Blogs and other forms of social media 4 3%

Community forums and websites 23 18%

Statistics

Total Responses 125

Value Count Percent

Audit 12 10%

Compliance 8 7%

Finance 25 22%

Information Technology 22 19%

Legal 3 3%

Risk Management 24 21%

Other 22 19%

Statistics

Total Responses 116

Value Count Percent

Audit 11 9%

Compliance 10 9%

Finance 15 13%

Information Technology 22 19%

Legal 7 6%

Risk Management 32 28%

Other 19 16%

Statistics

Total Responses 116

Do you plan to spend more / same / less on GRC solutions in the following categories over the next 3 years?

More Same Less Don't Know Responses

Audit and Assurance Management 28% (32) 24% (28) 4% (5) 44% (51) 116

Board and Entity Management 14% (16) 20% (23) 6% (7) 60% (70) 116

Brand and Reputation Management 10% (12) 18% (21) 5% (6) 66% (77) 116

Business Continuity Management 23% (27) 16% (18) 7% (8) 54% (63) 116

Compliance Management 37% (43) 13% (15) 7% (8) 43% (50) 116

Contract Management 20% (23) 18% (21) 6% (7) 56% (65) 116

Control Activity, Monitoring, and Assurance 31% (36) 11% (13) 5% (6) 53% (61) 116

Corporate Social Responsibility 10% (12) 19% (22) 6% (7) 65% (75) 116

Discovery/eDiscovery Management 10% (12) 17% (20) 5% (6) 67% (78) 116

Environmental Monitoring and Reporting 12% (14) 16% (18) 5% (6) 67% (78) 116

Environmental, Health, and Safety 11% (13) 18% (21) 5% (6) 66% (76) 116

Finance/Treasury Risk Management 16% (18) 22% (26) 7% (8) 55% (64) 116

Fraud & Corruption Detection, Prevention & Management 28% (32) 17% (20) 5% (6) 50% (58) 116

Global Trade Compliance/International Dealings 9% (11) 16% (19) 7% (8) 67% (78) 116

Hotline/Helpline 10% (12) 22% (25) 6% (7) 62% (72) 116

Information/IT Risk & Security 34% (39) 15% (17) 5% (6) 47% (54) 116

Insurance and Claims Management 9% (11) 22% (25) 7% (8) 62% (72) 116

Intellectual Property Management 8% (9) 19% (22) 9% (10) 65% (75) 116

Issue and Investigations Management 18% (21) 19% (22) 7% (8) 56% (65) 116

Matter Management 9% (11) 17% (20) 7% (8) 66% (77) 116

Physical Security & Loss Management 10% (12) 22% (25) 5% (6) 63% (73) 116

Policy Management, Communication, & Training 32% (37) 15% (17) 6% (7) 47% (55) 116

Privacy Management 16% (18) 21% (24) 5% (6) 59% (68) 116

Quality Management and Monitoring 17% (20) 17% (20) 6% (7) 59% (69) 116

Reporting and Disclosure 17% (20) 21% (24) 6% (7) 56% (65) 116

Risk Management 35% (41) 17% (20) 7% (8) 41% (47) 116

Strategy, Performance, and Business Intelligence 22% (26) 20% (23) 5% (6) 53% (61) 116

Third Party/Vendor Risk & Compliance 28% (32) 15% (17) 5% (6) 53% (61) 116

Value Count Percent

Same as last year 21 18%

Increase of up to 10% 24 21%

Increase of 10% to 25% 20 17%

Increase of greater than 25% 17 15%

Decrease of up to 10% 5 4%

Decrease of 10% to 25% 5 4%

Decrease of greater than 25% 4 3%

Don't Know 20 17%

Statistics

Total Responses 116

Value Count Percent

Strongly Agree 9 8%

Somewhat Agree 44 38%

Somewhat Disagree 27 23%

Strongly Disagree 29 25%

Don't Know 7 6%

Statistics

Total Responses 116

Value Count Percent

In the official IT budget 23 20%

In the GRC budgets 19 16%

In the business functions (sales & marketing, HR, product development, finance, etc.) 16 14%

Split between the IT, GRC and/or business budgets 27 23%

My organization has not budgeted resources for any GRC enabling technology for 2014 17 15%

Don't Know 14 12%

Statistics

Total Responses 116

Value Count Percent

Strongly Agree 8 7%

Somewhat Agree 36 31%

Somewhat Disagree 35 30%

Strongly Disagree 29 25%

Don't Know 8 7%

Statistics

Total Responses 116

Value Count Percent

Enterprise 51 44%

Multiple departments 41 35%

Single Department 12 10%

Group/Issue 3 3%

Don't Know 9 8%

Statistics

Total Responses 116

www.OCEG.org

4835 E. Cactus Road, Suite 225

Scottsdale, Arizona 85254

United States of America

[email protected]

@OCEG

+1 (602) 234-9278

Contact us

