On March 9, we launched the update of one of our most read and anticipated reports, “The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q1 2020.” It represents at least six months of work for the lead analysts (Alla Valente and Renee Murphy) and the research director (Amy DeMartine). The 2018 version of this Wave was one of the most widely read reports across all of Forrester research for almost six months; I suspect the 2020 Wave will be no different.
As someone who has been active in business continuity (BC) and risk management for 20-plus years, I’m incredibly excited about this report. But for everyone else, with everything happening in business and tech, from AI and automation to the internet of things, edge computing, and smart-enabled everything, why would a Wave on governance, risk, and compliance (GRC) platforms be so popular? Well, it’s for a few reasons:
- Managing risk is good for business. The speed at which companies adopt emerging tech and race to radically transform their IT and disrupt their own business models is exactly why you need a GRC platform to help you anticipate and manage risk — all kinds of risk: privacy, regulatory, legal, and ethical. Managing risk doesn’t slow transformation and disruption; it not only helps you avoid the most probable, high-impact risks but in many cases helps you take the right calculated risks that competitors might not be willing to take. Or, by building the right kinds of consumer privacy protections into your product or service from inception, it helps you bring that product to market much more quickly, because you don’t have to retrofit those protections later at greater cost, and without any brand-damaging oversights at launch. There’s more information in the “GRC Vision, 2019 To 2024” Forrester report.
- Enterprises are becoming much more risk-savvy. Today’s enterprises are consolidating silos of risk under a single umbrella in order to take a more systematic and objective approach to identifying, analyzing, mitigating, and treating risk. More and more companies now have a chief risk officer (CRO) or equivalent responsible for everything from credit and financial risk to operating risk to legal and compliance risk. For these consolidated risk groups, the GRC platform is essential; it is to them what an enterprise resource planning (ERP) platform is to your CFO. This explains why so many of the vendors have been on shopping sprees in the last few years, buying competitors with advantages in certain capabilities or specialized offerings in areas like BC management. However, like the ERP platforms of the late ’90s and early 2000s, GRC platforms have a reputation for taking years of customization and consulting support to deliver value. In our Wave, we put a premium on vendors’ deployment options, the user experience of their interfaces, and their overall time to value.
- The risks to businesses are increasing. There’s a reason why there are more companies with CROs and consolidated enterprise risk management programs that need a GRC platform: The threats and the risks to businesses are increasing significantly. Climate change is already affecting business. Since 1970, the number of disasters every year has quadrupled. In the US, four of the costliest hurricanes on record have come in just the last few years. The devastating droughts that once affected Europe every 10 years now come every five years. We expect privacy regulations across the globe to intensify, and countries are likely to introduce regulations to manage the ethics of AI. This is on top of today’s financial and geopolitical turmoil.
- Third-party risk is one of the biggest risks facing enterprises today. A typical large enterprise might have as many as 300 third-party relationships, from suppliers to service providers to outsourcers, as well as the dozens of partners in nonlinear supply chains that add value to your own offerings. When one of these partners mismanages your customers’ private data or suffers a cyberattack or undermines your products’ quality or safety, it’s your brand that suffers and it’s your company that owns the legal and regulatory risk — you can’t transfer that, either. I’ve been concerned about third-party risk in BC planning going on a decade now; the statistics are sobering, and few companies do anything to ascertain the readiness of critical partners beyond superficial requests to review their BC plans. Our Wave heavily weighs a platform’s ability to assist in third-party risk management.
- It won’t be 10 years until our next pandemic. The number of new COVID-19 cases is slowing in China, and there are signs that the country is slowly returning to normal after months of extreme measures to curtail the spread. Unfortunately, the rest of the world is just now experiencing the spread, and we are months away from the peak. It might take another six months to recover globally from this pandemic, but businesses should expect regional disease outbreaks, epidemics, and true pandemics to become the norm. GRC platforms are critical to helping businesses understand and document their responses to specific risk scenarios.
When companies are facing a long-term risk (e.g., changing consumer attitudes to or increasing legislation on privacy) or an immediate threat (e.g., COVID-19), the first requirement is having a detailed understanding of the business — its critical operations and all of its resource dependencies, from people to IT to facilities and physical assets. Married with financial information (revenue, costs, etc.), this deep contextual information about the business, together with internal and external risk intelligence, lets risk managers better identify and quantify risk and plan for specific scenarios. This is why, in our updated Wave, we put so much emphasis on integration with other systems of record and information, ingestion of risk intelligence, sophisticated risk quantification, and better dashboards and reporting that help risk managers and the business leaders they support make better, faster decisions.
Even as risk managers take on more responsibility for managing strategic and operational risk to the business, there is still a ton of day-to-day work that must be done to continue to assess and demonstrate the effectiveness of internal controls for financial management and regulatory compliance. In our Wave, we also put a premium on platforms that support workflow and automation to reduce costs and free up valuable time for risk managers and internal auditors.
The analysts took a bold approach to this year’s evaluation; they focused on advanced features enabled by AI, machine learning, and automation, as well as workflow, visualization and dashboarding, integration, and data ingestion. Like other markets and business functions, the enterprise risk management function has been long overdue for its own disruption. For those enterprises looking to digitize risk management, this Wave will help you understand the real differentiation between vendors in this space and help you select the best platform.