
PRELIMINARY FINDINGS OF THE OCEG 2019 TECHNOLOGY STRATEGY SURVEY

PRESENTERS
FRENCH CALDWELL, Founder and Chief of Research, FCInsight
PATRICK POTTER, GRC Strategist, RSA
CAROLE SWITZER, Co-Founder and President, OCEG

Housekeeping

• Download slides at https://go.oceg.org/preliminary-findings-from-the-2019-oceg-grc-technology-strategy-survey
• Answer all 3 polls
• Certificates of completion (only for OCEG All Access Pass holders)
• Evaluation survey at the close of the webinar
• Find the recording on the Resource tab of the OCEG site, under Archived Webinars
Learning Objectives

• Learn how your organization's approach to the use of technologies for managing and auditing GRC compares to others
• Gauge the maturity of your technology improvement projects and plans
• Gain information about the factors that influence the choice of technology solutions and your peers' budget plans for these acquisitions
Poll #1

Do you have an OCEG All Access Pass (a paid membership) and would you like to receive CPE credit for this event?
a. Yes, I have an All Access Pass and I would like to receive a Certificate of Completion for this event
b. Yes, I have an All Access Pass but I do not need a Certificate of Completion
c. No, I do not have an All Access Pass but I would like to get one and receive CPE credit for this and future webcasts I attend
d. No, I do not have an All Access Pass and I don't want to buy one at this time (so I won't get CPE credit for this event)
The OCEG 2019 GRC Technology Strategy Survey

About OCEG

OCEG is a global, nonprofit think tank and community. We invented GRC. We inform, empower and help advance more than 50,000 members on governance, risk management, and compliance (GRC).

Independent of specific professions, we provide content, best practices, education, and certifications to drive leadership and business strategy through the application of the OCEG GRC Capability Model™ and Principled Performance®. An OCEG differentiator, Principled Performance enables the reliable achievement of objectives while addressing uncertainty and acting with integrity.

Our members include c-suite, executive, management, and other professionals from small and midsize businesses, international corporations, nonprofits, and government agencies. We assist them and their organizations in developing and implementing GRC capabilities that enable Principled Performance by providing authoritative resources for integrating the governance, assurance and management of performance, risk and compliance.

For more information visit http://www.oceg.org or contact us at info@oceg.

. . . was analyzed by FCInsight . . .

Whether in search of insights on the challenges of improving corporate and IT governance, building the right GRC and RegTech architecture for business success, or market trends and emerging technologies, working with analysts who understand technology markets and business objectives is essential. FCInsight's forward-looking thought leadership helps business and GRC leaders ensure that they are prepared with the right technology, services, and GRC strategies to preserve corporate integrity, protect brands and reputations, and ensure exceptional business performance.
RSA Archer Suite, a leader in the 2018 Gartner Magic Quadrant for integrated risk management,
empowers organizations of all sizes to manage multiple dimensions of risk on one configurable,
integrated software platform. With RSA Archer, organizations can quickly implement risk management
processes based on industry standards and best practices—leading to improved risk management
maturity, more informed decision-making and enhanced business performance.

"The OCEG GRC Technology Survey is a must-read for GRC professionals who want to improve the alignment of their technology architecture to organizational requirements and business objectives."
Key findings

• GRC adoption is increasing
• Preference is shifting to the cloud
• Most are planning to move to a single GRC platform or a core GRC solution in a federated architecture
• There remains a long journey ahead, especially for LSEs
• Investment in GRC is increasing and becoming an enterprise-level decision
GRC adoption increasing
Level of alignment and utilization

[Chart: two panels, "Organizational alignment of GRC technology" and "Utilization of existing GRC technology"; percentage of respondents rating each as Poor / Fair / Good / Excellent; series 2016 vs 2019.]
Level of alignment and utilization by enterprise size

[Chart: two panels, "Organizational alignment of tech to GRC needs" and "Utilization of existing tech for GRC"; percentage of respondents rating each as Poor / Fair / Good / Excellent; series LSE / MSE / SMB.]

SMB = 1 to 1000 employees
MSE = 1001 to 10,000 employees
LSE = 10,001+ employees
Moving to the cloud
SaaS vs on-premise

[Chart: all respondents; preferred deployment model: SaaS / Cloud Hosted, On Premise Installation, No preference, Don't Know; series 2016 vs 2019.]
SaaS vs on-premise

[Chart: two panels, "GRC leaders" and "GRC participants"; preferred deployment model: SaaS / Cloud Hosted, On Premise Installation, No preference, Don't Know; series 2016 vs 2019.]
SaaS vs on-premise

[Chart: two panels, "Enterprise size" (series LSE / MSE / SMB) and "Geographical market" (series EGM / RGM); preferred deployment model: SaaS / Cloud Hosted, On Premise Installation, No preference, Don't Know.]

SMB = 1 to 1000 employees
MSE = 1001 to 10,000 employees
LSE = 10,001+ employees

Established GRC markets (EGM) = North America, Europe, Australia, New Zealand, South Africa
Rising GRC markets (RGM) = Asia, Middle East, Latin America, Africa (except SA)
One platform to rule them all
GRC solution strategy going forward

[Pie chart of planned strategy, all respondents. Options:
• A centralized "GRC Platform" for the entire enterprise across all relevant categories to your business
• A federated "GRC Platform" for certain categories and "best of breed" solutions in others
• A distributed range of "best of breed" solutions in different categories that operate independently of each other
• Don't know
• Other
Slice labels present in the extraction: 39%, 31%, 16%, 13%, 2% (pairing of slice to option not preserved).]
Poll #2

Of the choices below, which one is most important to your organization's future GRC technology strategy?
a. Cloud-based
b. Having a single GRC platform
c. Integrability with other enterprise solutions (BI, ERP, core business solutions, etc.)
d. Innovation with RegTech (artificial intelligence, robotics, and other emerging tech)
GRC solution strategy going forward – GRC leaders vs GRC participants

[Chart: 100% stacked columns for GRC Leaders and GRC Participants. Segments:
• A centralized "GRC Platform" for the entire enterprise across all relevant categories to your business
• A federated "GRC Platform" for certain categories and "best of breed" solutions in others
• A distributed range of "best of breed" solutions in different categories that operate independently of each other
• Don't know
• Other]
Current use of GRC technology
Normalized percentages of those who do have a GRC solution

[Chart: 100% stacked columns, 2016 vs 2019. Data labels below are read from the chart in legend order; each column sums to 100%.]

                                                                              2016   2019
Single GRC platform (centralized solution for the entire enterprise
  across all relevant categories to the business)                               24%    26%
Federated ("GRC Platform" for certain categories, "best of breed" in others)    18%    16%
Best of breed (distributed range of "best of breed" solutions in different
  categories that operate independently of each other)                          42%    40%
Departmental silos (a GRC solution in a department)                             16%    18%
Current use by organization size

Normalized percentages of those who do have a GRC solution

[Chart: 100% stacked columns for LSE / MSE / SMB. Segments: Single GRC platform (centralized solution for the entire enterprise across all relevant categories to the business); Federated ("GRC Platform" for certain categories and "best of breed" solutions in others); Best of breed (distributed range of "best of breed" solutions in different categories that operate independently of each other); Departmental silos (a GRC solution in a department).]
Investment decision making
GRC spending trends

                  SMB    MSE    LSE    Overall
Increase          51%    41%    50%    47%
Stay the same     26%    24%    22%    24%
Decrease           4%     6%     6%     6%

[Chart: expected change in GRC spend, 2016 vs 2019. Categories: Same as last year; Increase of up to 10%; Increase of 10% to 25%; Increase of greater than 25%; Decrease of up to 10%; Decrease of 10% to 25%; Decrease of greater than 25%; Unsure.]
Criteria for evaluating new GRC purchases

Criteria (rank)                  2019   2016   Change
Price                              1      2     +1
Ease of use                        2      1     -1
Functionality                      3      3      0
Configurability                    4      4      0
Customer service                   5      6     +1
Ability to integrate with ERP      6      7     +1
Industry specialization            7      5     -2
Breadth of functionality           8      9     +1
Company stability/viability        9      8     -1
Brand name                        10     11     +1
Local office                      10     10      0
Poll #3

Do you agree or disagree with this statement: My organization's finance, strategic planning, or other lines of business are using risk and regulatory intelligence in decision-making more so than 3 years ago.
a. Strongly agree
b. Somewhat agree
c. Somewhat disagree
d. Strongly disagree
Who is making future GRC technology decisions

[Pie chart. Categories: Enterprise; Multiple departments; Single department; Group/issue level; Unsure. Slice labels present in the extraction: 40%, 33%, 12%, 9%, 7% (pairing of slice to category not preserved).]
Which functions influence the GRC buy decision

[Bar chart, percentage of respondents naming each function; bars are ordered from highest to lowest, and the values below are paired with the functions in that left-to-right order.]

IT                     67%
Risk Management        64%
Compliance             57%
Audit                  46%
Finance                46%
Legal                  32%
Business Continuity    20%
Other                  13%
HR                      6%
Who holds the final spend decision for GRC technology

[Pie chart. Categories: Information technology; Finance; Risk Management; Other; Compliance; Audit; Legal. Slice labels present in the extraction: 23%, 20%, 18%, 16%, 11%, 9%, 4% (pairing of slice to category not preserved).]
Full report also includes details on priority solution areas

• Enterprise GRC Platforms
• Compliance management
• Risk management and analytics
• Audit management and analytics
• IT risk management
• Cyber incident and breach response
• IT compliance management
• Automated control enforcement and monitoring
• Business continuity management
• Third party management
• Policy Management
• ... and others
Questions?
