Roadmap to GRC Software
Understanding the terminology and types of GRC products
‘Governance, Risk, and Compliance’ (GRC) emerged a few years ago as an umbrella term for the programs an organization runs to manage these three areas entity-wide. Companies do not necessarily integrate these activities; they often have separate departments, policies and management activities for each. The software market is similarly segmented. Terminology is inconsistent from one software company to another, and the product markets often overlap. To confuse things further, analysis of specific products published by software research firms such as Gartner and Forrester is generally outdated by the time it is published. Since the introduction of the Sarbanes-Oxley Act (SOX), the market for GRC products has changed rapidly. New types of products and functionality were developed to manage SOX compliance, and many of the products originally referred to as “SOX software” developed into what is now called “Enterprise GRC”.
Many companies decide they need software, learn one vendor’s terminology for describing its product, and then use that same definition to pick a short list of vendors to evaluate. This can eliminate viable possibilities and, just as easily, include vendors that do not meet the basic functional requirements, simply because of inconsistent use of terminology. The first step in any software evaluation is to understand your current and potential future needs and their priority. The required primary functionalities, not the label a vendor attaches to a product, should then be the basis for identifying candidates. This may produce a list containing both point solutions and Enterprise GRC suites. Only then can you begin to assess the fit of the products themselves.
The sections below outline some of the terminology and how the product categories may overlap.
ENTERPRISE GRC SOFTWARE
When publishers refer to GRC software, they are usually referring to what the analysts now call “Enterprise GRC” software. Enterprise GRC technology supports the oversight and management of all three primary activities: a company’s governance functions, enterprise risk management, and compliance processes. Functionality of this type of software includes capturing the relationships between items such as processes and controls, maintaining control documentation and policy libraries, performing risk assessments, and monitoring control activities and testing.
POINT SOLUTIONS
A point solution may address one or more of the three areas (governance, risk management or compliance), or it may address a specific departmental focus such as financial, operational or information technology. Point solutions can also include products that actively provide compliance (for instance, by implementing security controls), as opposed to managing a compliance process or documenting compliance. Whereas Enterprise GRC products are generally designed to manage the overall GRC process, point solutions often address a specific industry, regulation or product-specific need (for example, security specific to the company’s ERP system).
CATEGORIZATION OF SOLUTIONS
The figure below depicts the possible overlap or hierarchy of how products may be categorized. Enterprise GRC, shown at the top of the hierarchy, can be used to manage all the GRC processes of the second tier. The point solutions under each second-tier category generally support more specific GRC activities. Recently, Enterprise GRC “suites” have started to include activity-specific GRC point solutions.
Even though the figure shows common groupings, some products may still fall into more than one category.

SUMMARY
- Don’t build a short list of software for a selection process based on vendors’ labels.
- Define your requirements first.
- Then identify the software whose primary functionalities meet those requirements.
Financial compliance
The management and control of financial processes and compliance with specific financial standards and regulations (Sarbanes-Oxley Act, SEC, IRS).
- SOX - Many of the current Enterprise GRC products began as software for the management of the Sarbanes-Oxley Act compliance process and were originally called “SOX software”.
- Tax compliance - Software to prepare tax returns for federal, state or local taxes.
- XBRL - XBRL (eXtensible Business Reporting Language) software tags financial data in the XBRL format for standardized electronic data capture and submission of financial statements to the SEC.
IT GRC Management
Various point solutions exist within this realm, including security and identity management, configuration management, business continuity, IT asset management, IT policy management, and general IT risk management. Many Enterprise GRC products can also be used for general IT governance, risk management, compliance and policy management.
Audit
Audit products are designed for documenting audits, assessing or monitoring controls, and analytical auditing.
- Electronic workpapers - “Electronic workpapers”, as they are generally called, existed before the advent of Sarbanes-Oxley, which is when many of the GRC software vendors emerged. They provide workflow and document management for maintaining internal audit workpapers.
- Continuous Controls Monitoring (CCM) - CCM software defines triggers that detect business exceptions to company policies or potential fraud indicators as transactions occur. Exceptions may be reported on dashboards or in reports, or produce email notifications. This type of software may be used by auditors, or by management as part of its normal operations.
- Data analysis and auditing - This type of software is used primarily by auditors but may also be used by business analysts. It is used for the programmatic examination of data to identify potential audit anomalies or fraud, to draw samples, or to perform continuous controls monitoring. This practice is often referred to as “CAATs”, for Computer-Assisted Audit Techniques or Computer-Aided Audit Techniques. These tools import and join data files from various sources. Some data analysis software vendors refer to their products as continuous controls monitoring software.
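The CCM and data-analysis passages above describe the same core technique: join exports from separate systems, run trigger rules over each transaction, and pull a sample for detailed testing. The following is an added example illustrating that technique; it is not code from the article or from any GRC vendor. The vendor master, the payment register, the approval limit and the rule names are all constructed for the example.

```python
import csv
import io
import random
from collections import defaultdict

# Constructed sample data (not real company records): a vendor master export
# and a payment register export, as they might arrive from two different systems.
VENDOR_MASTER_CSV = """vendor_id,name,status
V001,Acme Supplies,active
V002,Northwind Traders,active
V003,Contoso Services,inactive
"""

PAYMENTS_CSV = """payment_id,vendor_id,invoice_no,amount,requested_by,approved_by
P1001,V001,INV-100,4800.00,alice,bob
P1002,V001,INV-100,4800.00,alice,carol
P1003,V002,INV-201,15000.00,dave,dave
P1004,V009,INV-301,2500.00,erin,bob
P1005,V003,INV-401,900.00,frank,bob
P1006,V002,INV-202,60000.00,dave,bob
"""

# Hypothetical policy threshold: a single approver may not release more than this.
APPROVAL_LIMIT = 50000.00


def load_csv(text):
    """Parse a CSV export into a list of row dicts (keys are the header names)."""
    return list(csv.DictReader(io.StringIO(text)))


def find_exceptions(vendors, payments):
    """Apply CCM-style trigger rules to every payment.

    Rules (all hypothetical, chosen to mirror common audit tests):
      - vendor_not_in_master: payment to a vendor_id absent from the master file
      - vendor_inactive: payment to a vendor whose master status is not 'active'
      - requester_equals_approver: segregation-of-duties violation
      - over_approval_limit: amount exceeds the single-approver limit
      - duplicate_invoice: same vendor + invoice number already paid earlier in the file
    Returns a sorted list of (payment_id, rule) tuples.
    """
    master = {v["vendor_id"]: v for v in vendors}
    seen_invoices = defaultdict(list)   # (vendor_id, invoice_no) -> payment ids
    exceptions = []
    for p in payments:
        pid = p["payment_id"]
        vendor = master.get(p["vendor_id"])
        if vendor is None:
            exceptions.append((pid, "vendor_not_in_master"))
        elif vendor["status"] != "active":
            exceptions.append((pid, "vendor_inactive"))
        if p["requested_by"] == p["approved_by"]:
            exceptions.append((pid, "requester_equals_approver"))
        if float(p["amount"]) > APPROVAL_LIMIT:
            exceptions.append((pid, "over_approval_limit"))
        key = (p["vendor_id"], p["invoice_no"])
        if seen_invoices[key]:
            exceptions.append((pid, "duplicate_invoice"))
        seen_invoices[key].append(pid)
    return sorted(exceptions)


def sample_payments(payments, n, seed=42):
    """Draw a reproducible random sample of payment ids for substantive testing.

    A fixed seed makes the selection re-performable by a reviewer; the sample
    never exceeds the population size.
    """
    rng = random.Random(seed)
    ids = [p["payment_id"] for p in payments]
    return sorted(rng.sample(ids, min(n, len(ids))))


if __name__ == "__main__":
    vendors = load_csv(VENDOR_MASTER_CSV)
    payments = load_csv(PAYMENTS_CSV)
    for pid, rule in find_exceptions(vendors, payments):
        print(f"{pid}: {rule}")
    print("sample for detailed testing:", sample_payments(payments, 3))
```

Each rule is deliberately a plain predicate over a joined row, which is what makes the result explainable to an auditor: every flagged payment can be traced to one field comparison. Adding a rule means adding one predicate, and running the same rules nightly over the live register is the difference between a one-off CAAT and continuous controls monitoring.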
Other Point solutions
- Privacy - Privacy products may provide security functionality (overlapping into the IT GRC area) and classify data in order to meet privacy or disclosure requirements and regulations.
- Legal GRC - Legal GRC products deal with litigation management, records retention and records management, contract management and compliance, and other legal risks and compliance issues.
- Human Resources - Management of HR policies, compensation practices, hiring and termination practices, employee satisfaction, and training and employee development systems.
- Health, Safety and Environmental - Software that tracks health programs, safety programs, incidents and incident reporting, or maintains environmental controls.
- Insurance - Insurance software products manage claims as well as policies.
- Quality - Quality management products are often found in operations management for statistical quality control monitoring.
- Vendor management - Vendor management products assist in managing vendor policies, performing credit checks, or verifying vendor identity.
- Regulatory compliance - Software specific to particular regulations (such as HIPAA, PCI, etc.). For example, some security monitoring software will claim that you can maintain PCI compliance with its use. Treat such claims carefully: a tool can support specific requirements of a standard (logging and monitoring, for instance), but compliance is assessed against the whole standard and depends on how the tool is configured and operated, not on its purchase.
Next article: Evaluating Enterprise GRC Software