Enterprise Governance, Risk, and Compliance
In 2009, Governance, Risk, and Compliance (GRC) spending will increase an estimated 7.4% to $32 Billion. Sarbanes-Oxley Act (SOX) related spending will increase by roughly 2% over last year to $6.2 Billion (AMR Research, 2008). These numbers seem indicative of a shift in mindset for companies. Many of what were before considered SOX initiatives are now probably considered GRC.
Many factors are driving the GRC market. Executives and Directors are being held to high standards of accountability due to regulations on self-assessment and safeguarding of assets. Costs of traditional compliance and risk mitigation tactics are very high. Corporations are pushing to lower costs of safeguarding assets on an ongoing basis. And for efficiency, business processes are maturing towards a risk-oriented approach.
The concept of Identity GRC ultimately encompasses many of the technologies companies have been implementing over the last few years to address SOX. User provisioning, single sign on, directory services/consolidation, and password self-service are all methods that companies are currently employing to address security as well as operational efficiency.
During the course of using these processes and tools, certain limitations have surfaced which have exposed the need for further functionality: certification of access rights; segregation of duties policy monitoring; control framework automation; and role-based account management. All of these features have become part of the GRC umbrella, which is beginning to look much like the following:
These concepts apply across all enterprise systems and any other systems that companies deem financially significant. Most organizations have tens and sometimes even hundreds of systems that fall into this category.