        Robert Kugel's Analyst Perspectives

        Companies Are Lagging in GRC Maturity

        Ventana Research recently completed benchmark research on governance, risk and compliance (GRC), three business activities that are naturally linked. Although managing them requires separate and sometimes very different processes, on the whole these activities affect each other: Effective corporate governance ensures compliance with laws, regulations and company policies, and without governance, there’s no way to control risk. Separately or considered together, managing governance, risk and compliance is increasingly important.

        Risk is part of any business undertaking and comes in many forms. Managing it involves anticipating negative events, understanding their costs, determining whether potential benefits outweigh the risks, and applying controls to prevent risk events or mitigate their impacts if they occur. Managing risk intelligently is a hallmark of successful companies.

        Similarly, compliance with existing laws and regulations is essential. Governance ensures that processes are in place to perform legally mandated tasks (such as filing forms or performing tests) in ways that reduce or eliminate the risks and consequences of failing to meet requirements.

        Automating tasks in governance, risk and compliance can enable organizations to complete them regularly and quickly while avoiding both errors that mean having to redo the tasks and the costs of mismanaged risks or inadequate compliance. Software that automates aspects of GRC management processes, from collecting data to analyzing it to submitting status updates or reports, can monitor risks and alert people when thresholds are passed. It likewise can manage the steps required for compliance approval.

        Yet it seems that most organizations don’t deal effectively with GRC. Our research finds a solid majority of companies (63%) in the bottom half of our maturity distribution in their management of governance, risk and compliance. Our analysis, which assesses maturity in four organizational categories, found that companies are more mature in People and Process and less mature in Technology and Information. In both of the last two categories, more than 70 percent of research participants ranked at the two lowest maturity levels. Regarding Information, the research uncovered what we view as a lack of engagement in the core issue of access to and use of the data necessary to measure and assess risk. One barrier that many companies face is their use of spreadsheets in GRC processes, which by themselves can introduce unacceptable levels of risk and errors.

        Among the factors holding companies back here is that, as with so many purely administrative tasks, corporations (especially those that are not heavily regulated) look to satisfice their compliance obligations, not optimize them. Investments that could improve the efficiency of these processes have a low priority. Another factor is that while risk management is a well-understood business requirement in financial services, with centuries of established practices and metrics, it’s much less well developed in most other industries. Companies typically consider risk in business decisions, but they do so more informally and in an inconsistent fashion. Thus, critical information needed for formal risk measurement and assessment is either not captured by a company’s IT systems or captured in a form that is not useful for this purpose.

        It’s certainly true that governance, risk and compliance activities do not generate revenue and rarely confer a strategic advantage. Nonetheless, organizations should not treat these activities lightly. Most companies do not need to make wholesale changes to their business priorities to add GRC processes, and they don’t need to make major investments to achieve measurable improvements in how they execute these processes or manage risks. Simply automating the processes as much as possible lets companies meet requirements while cutting the time and effort to manage them.

        At present there are no software tools that address GRC as a package, as we’ve noted before. Our benchmark research shows that as organizations begin to consider options for each facet of their GRC compliance – whether financial, operational or IT – they must look for practical qualities in software, particularly usability and functionality, that will help them complete tasks more easily.

        We expect to see a market developing to handle GRC as a platform as vendors build more unified and coherent arrays of offerings. I expect the driver of this to be a desire by large consulting partners with broad GRC practices to work with a limited set of vendors. Since many GRC projects require a heavy dose of intellectual property and expertise, I believe customers will find value in working with one or possibly two vendors, blending their intellectual property with packaged software. Organizations that take these steps will be more confident that they handle GRC well and can turn their attention to other activities that directly impact their success.


        Robert Kugel – SVP Research


        Robert Kugel
        Executive Director, Business Research

        Robert Kugel leads business software research for Ventana Research, now part of ISG. His team covers technology and applications spanning front- and back-office enterprise functions, and he personally runs the Office of Finance area of expertise. Rob is a CFA charter holder and a published author and thought leader on integrated business planning (IBP).

