French CaldwellI’m sitting in the Denver airport on my way to the RSA conference after just having attended the SAS industry analyst summit in Steamboat Springs. This summit was the first time I’ve had much interaction with SAS, or for that matter, any of the other business analytics vendors — by the way, can I call them risk analytics vendors? My first impression is that SAS certainly has a role to play in meeting the burgeoning demand for risk management solutions. However, it’s questionable as to whether they can fit into the Enterprise GRC Platform market in which many of their competitors are placed. I’m going to puzzle this out with my good colleague Doug McKibben and figure out just how risk analytics and GRC align.
One interesting tidbit — in today’s WSJ there’s a story about how Goldman Sachs in its annual report has listed “adverse publicity” as one of the risks facing its business. At the summit, SAS put a lot of emphasis on its social network analysis solution — so will SNA vendors become reputation risk management vendors? At the summit, SAS didn’t position their SNA solution in this way, but perhaps they and other SNA vendors should.
Category: Uncategorized Tags:
5 responses so far ↓
1 Norman Marks March 2, 2010 at 8:47 pm
French, if you take the larger view of GRC (and I know you have) risk analytics and performance management are absolutely part of GRC.
The smart buyer of solutions for GRC selects the products from the GRC supermarket that are necessary for their organization and business priorities. Forgive me for my opinion, which is my own personal view and not necessarily that of my employer, but any time you package a few functionalities together (as you have in the Gartner eGRC platform definition) you are making assumptions about the combination of functionalities that a typical business buyer wants and which merit some level of integration. You may be surprised by how many disagree that the functionalities you have packaged in eGRC are the right selection. For the great majority of companies, for example, policy management is simply not a priority that they will spend scarce resources on.
There are so many valuable solutions and functionalities on the shelves of the GRC supermarket. Some you include in EPM, like performance and strategy management (even though they are core to GRC processes). But there are also products for board briefing, ethics management, investigations and legal case management, continuous monitoring (which you have separated into CCM and not, for some reason, linked to risk management – even though the future of CCM is in monitoring risks and controls), human capital management, compliance, and more.
Rather than thinking about whether the SAS products fit into eGRC, perhaps you might consider another approach to evaluating solutions for GRC? Presumptuous of me, I know – and, again, just my personal view.
2 SAS Summit, Risk Analytics, GRC, and Reputation Risk Management | Management Business Wisdom March 2, 2010 at 9:57 pm
[...] Read more: SAS Summit, Risk Analytics, GRC, and Reputation Risk Management [...]
3 French Caldwell March 2, 2010 at 11:28 pm
Norman —
Thanks for sharing your insight. No argument about most of it. If you’d like to see how we define the GRC marketplace, look at A Comparison Model for the GRC Marketplace. On the update to that, we’ll probably add more about information governance and legal GRC, but for now, it clearly shows how Gartner lays out GRC as a broad category of many different markets.
As far as your comment on policy management, I beg to disagree. Many organizations are using it to ensure their governance strategies are correctly reflected in policies, and that policies link to mandates in one direction, and to control objectives and controls in the other direction. Policy management also is important to the compliance officer, usually in the legal department, and to HR to ensure that employees, partners, and other stakeholders know and understand their roles in risk management and compliance, including ethics, and that a record is captured of their understanding and acknowledgment of their accountabilities and responsibilities. While governance is an intangible, policy management at least provides some evidence of its existence.
Cordially — French
4 reputation management March 3, 2010 at 1:57 am
According to my opinion SAS is already well penetrated among enterprise firms, and fewer greenfield opportunities remain at the top. Now gradually it is noticed that they have been facing a revolt among its users over what it charges for maintenance, one of its major revenue streams. Its delivery of a more gradual, less invasive update process paradoxically complicates that further. It’s hard to convince people to pay for the right to refuse granular updates they might not think they need.
5 Mike Nemecek March 9, 2010 at 7:25 pm
I’m a PR manager at SAS. I think the last commenter (“reputation management”) has SAS confused with another vendor.
SAS is not facing a revolt from its users: our 2009 revenue grew 2.2% to a record $2.31B.
With SAS’ annual license model, customers have the option each year to renew or go elsewhere for their business analytics needs. Thankfully, they see value and continue to return to SAS again and again.
SAS does not charge extra for maintenance or for upgrades (both included in the annual license). And while SAS customers are under no obligation to upgrade their software, most choose to do so for the new features SAS adds based on customer feedback.