Large vendors dominate the governance, risk and compliance software sector, where very few of the multitude of systems on offer have been designed specifically for the insurance industry
A spate of recent and forthcoming regulations worldwide is driving demand for governance, risk and compliance (GRC) software – from the Sarbanes-Oxley and Dodd-Frank acts in the US to Solvency II in Europe and the Lagic standards in Australia.
The US plans to introduce the own risk and consultancy assessment by 2015, and increased pressure on insurers in Europe to comply with pillars 2 and 3 of Solvency II in advance of full implementation of the directive is creating demand for systems to enhance governance and reporting in the risk management area.
Vendors listed in the InsuranceERM guide to GRC software providers
- BWise -- BWise GRC Platform
- Hitec Laboratories -- PolicyHub -- Ten Risk Manager
- IBM -- IBM OpenPages GRC Platform
- MetricStream -- MetricStream Risk Management Solution
- Optial -- Optial SmartStart for Operational Risk -- Optial Business Intelligence
- Oracle -- Oracle Insurance Risk and Solvency
- Protiviti -- Governance Portal
- Redland Business Solutions -- Insight
- Resolver -- GRC Cloud
- SAI Global -- Compliance 360 for Insurance
- SAP AG -- GRC solutions
- SAS Institute -- SAS Enterprise GRC
- Software AG -- GRC Solution
- Thomson Reuters -- Accelus
- Wolters Kluwer Financial Services -- ARC Logics
There are a huge number of vendors in the GRC market, and competition drives a steady rate of consolidation. Specialist US investment bank Berkery Noyes tracked 156 M&A deals among GRC software vendors in 2011 and 2012, for a total estimated value of $9.85bn. But few of these vendors cover insurance specifically.
Most insurance applications come from vendors that cover financial services generally. In the list that follows, only one vendor, Oracle, says its product was conceived specifically for the insurance industry.
A lot of the offerings are also the result of mergers of smaller companies and acquisitions by the very large groups, such as Oracle, IBM, Thomson Reuters and Wolters Kluwer.
Definitions of what constitutes GRC software vary, and there are overlaps between the different categories of governance, risk and compliance and with operational risk. The main ones in the listing below – which covers only products of relevance to insurance – include finance & internal control, legislative compliance, internal audit, risk management, incident management, compliance & policy management, IT GRC and sustainability performance management, scenario management, key risk indicators and audit management.
The biggest challenge for companies concerned about GRC, experts say, is to bring together different operating teams managing separate requirements to achieve a firm-wide view of compliance, risk and internal controls.
This requires a combination of content, taxonomy and software that can connect workflows while preserving solutions that are still capable of serving the individual needs at the level of the enterprise, department or end-user. This convergence process is difficult to achieve, the experts say, although many software vendors claim to be able to facilitate the process. GRC software should also be flexible enough to adapt as the organisation grows or changes strategy.
A unified approach can bring better insight into business practice and a reduction in duplication of work, as well as efficiency and cost savings.
However, a successful GRC strategy does require the engagement of virtually every executive in the company – from the board, CEO, CFO, COO and CRO to heads of audit, compliance, risk management and individual business lines.
See www.insuranceerm.com/guides/grc-guide/ for the list of suppliers.