“I know the pieces fit, 'cause I watched them tumble down” - Schism, Tool
Global enterprise Governance, Risk and Compliance (GRC) is a $40 billion-plus market, growing at a compound annual growth rate (CAGR) of roughly 13%. It is also fundamentally broken and highly fragmented.
Growth in this industry is driven by increased regulation across geographies and industries, stemming from legislation and from industry standardization bodies. Proactive enforcement by agencies has raised the stakes for corporations to comply with GRC regulations and forced organizations to create accountability charters, leading to increased spend on suppliers in order to meet these standards. GRC software has made significant strides in recent years, as enterprise software sprawl (on-premise, cloud, SaaS) required buyers and vendors alike to meet compliance goals in highly complex environments.
Historically, GRC vendors focused on enterprise-wide policies within the silos of an organization, while assuring, through a combination of software and services (consulting, security reviews, pen-testing), that the governing policies of the enterprise are consistent and comply with such requirements. Traditional vendors that dominated this market included IBM, SAS, RSA Archer, ServiceNow, SAP, Microsoft, FIS and Thomson Reuters. The main sub-categories in GRC include:
o Compliance Management: making sure organizations are compliant with governing law (geographical, industry-specific)
o Risk Management: evaluating potential risks (internal and external tools; on-premise and cloud; supply chain and vendors)
o Audit Management: audit trail log creation and querying
o Policy Management: creation of organizational GRC policies, and orchestration and enforcement of those policies
As the types of software consumed by enterprises sprawled, governing bodies began standardizing the compliance frameworks and requirements that software vendors must meet in order to serve customers. For example, software vendors were increasingly required to obtain a SOC 2 report (an attestation report, though commonly referred to as "SOC 2 certification") in order to serve enterprise customers.
As a result, a wave of new GRC vendors emerged beyond those who help enterprises ensure that their own software meets GRC standards: namely, solutions that help independent software vendors and SMBs automate an otherwise laborious and services-heavy compliance certification process (SOC 2 automation, HIPAA automation).
In addition, a delineation emerged between GRC vendors serving buyers (enterprises that need data and software to evaluate third-party vendors, including those in their software supply chain) and GRC vendors serving vendors (first-party software providers).
Security and trust organizations within enterprises started implementing compliance and security reviews as a critical step in vetting and onboarding new software and SaaS vendors selling into their organizations. Initially, this practice was used mainly by the largest cloud software providers; over time, however, it trickled into the broader enterprise market and has now become a standard step in the sales process across a wide variety of sectors, including law firms, insurance companies, consulting firms, and more.
The review typically takes the form of a questionnaire covering the security, resiliency, testing, compliance and policy practices the software vendor abides by. These questionnaires were typically filled out manually by multidisciplinary teams drawn from Sales Engineering, Sales Ops, Security, the CTO's office and Finance, and took anywhere from weeks to months to complete. The back-and-forth nature of this process created serious friction in the sales cycle. Moreover, given the repetitive nature of the questions, the process forced skilled teams to perform tedious, repetitive work, especially in large organizations that onboard hundreds or thousands of new customers per quarter.