GRC platforms were a 27.8 billion dollar industry in 2020, according to Expert Market Research, which predicts that the market will reach 52.6 billion dollars in 2026, a compound annual growth rate of about 11.2% over the forecast period.
Governance, risk and compliance (GRC) refers to a structured approach businesses use to address corporate governance, enterprise risk management (ERM) and full compliance with regulatory requirements.
GRC platforms tend to cover a relatively broad scope, offering integrated risk management to the teams handling security, governance, auditing, risk management and compliance.
“The main risks businesses face are IT and security risks, provider risks and corporate and operational risks. Businesses must be able to identify, assess, mitigate and monitor risks tied to their business as a whole”, declared Alain Ter Markossian, Senior Manager for Solutions Engineering France & SEMEA at OneTrust.
IT and provider risks
IT and information security risks are present throughout the IT value chain. Provider risks concern the company's partners and suppliers, and fall under third-party risk management (TPRM).
“A company setting up a coffeemaker in its cafeteria, which staff must connect to, or for which they use Touch ID, is considered a third-party risk. And in the present instance, this third-party risk also includes the risk of sensitive data use,” points out Alain Ter Markossian.
To meet these challenges, GRC platforms enable companies of all sizes to connect their tools and digital infrastructure, assess risk across all their operations and categorize those risks automatically. Businesses can then define and apply their risk-rating method within an established framework, or use a custom approach.
For provider risk management, GRC platforms make it easy to build a complete inventory of service providers and the contractual framework around each one, while streamlining contract management with technology and services that automate assessments and track the completion of outstanding supplier questionnaires.
Operational and corporate risk management
Beyond IT, security and provider risk management, however, one of the main challenges GRC platforms face is covering operational and corporate risks. “These risks pertain to the daily tactical tasks of businesses. If a company lets something slip through the cracks in terms of IT or provider risks, it is possible to quantify and characterize the market impact tied to these risks,” explains Alain Ter Markossian.
For operational and corporate risk, GRC platforms make it possible to quantify risk from concrete statistics, assess the potential consequences for business operations, communicate information on strategic business areas, and identify and index that information so that reports for management are easier to draft.
A scope that extends to breach management
How far do governance, risk and compliance solutions go? Perhaps surprisingly, a GRC platform can also cover breach management and respond to any kind of breach, IT-related or otherwise.
“This is where we are a force to be reckoned with. For example, in regard to breach management, you have to know how to react in case of a data breach and how to mitigate losses. If the staff’s personal data is stolen, we must be able to act on the fact that it was an IT risk, and strengthen the protection of personal data,” remarks Alain Ter Markossian.
To ensure efficient breach management, GRC solutions let businesses contain breaches and respond to data breaches in order to prevent and mitigate losses. They also let them open up incident reporting through a self-service portal available to people inside and outside the company, and process and triage issues according to a defined workflow while collaborating with the parties concerned.
“When onboarding a new provider to set up a new app in airports, one of our clients, who specializes in solutions for the distribution and sale of travel services, will first deal with provider risk management. Once the provider is ‘integrated’, they look at the IT risk it represents. Finally, if the tool this provider is offering uses personal data, management of that data and of breaches must be monitored in case this app one day ‘breaks’,” explains Alain Ter Markossian.
As we can see, governance, risk and compliance platforms cover a very wide range of features. “Within companies, CISOs are responsible for managing all threats related to IT, providers or anything cyber-related. They must therefore be equipped with the right tools to protect themselves, as all companies are concerned,” concludes Alain Ter Markossian.