Prediction: GRC Vendors Focus on Content in 2009

Published: February 19 2009, 06:30 AM
by Chris Boswell


An analyst asked me back in November if I had any predictions for GRC for the New Year. I had several, of course, but among the top on my list was content. The initial response from this person was: "Content? Really? Get with the times, Chris, content is yesterday's news. Everyone has COBIT, ISO, COSO and the major frameworks already built into their solutions. GRC in 2009 is all about automation!"

While it's hard to argue with that, the automation question poses its own unique set of challenges for most GRC vendors out there. Most simply don't have the level of automation that the majority of customers are looking for. For the average GRC provider, establishing partnerships with third parties to build and license that automation takes time, and -- last time I checked -- it would cost a pretty penny to go out and buy identity, access control, vulnerability, change and configuration management solutions to begin to put a comprehensive automation story together for risk and compliance (not to mention the lead time needed to integrate all of those technologies!). There is also the fact that many customers already have pieces and parts of a broader IT GRC solution in place today and want to leverage those investments going forward. I speak with these customers all the time (some of whom even own several IT GRC solutions) and was not surprised to find out that many are moving forward with their own in-house projects and initiatives to solve their automation woes.

So what does all this mean? Well, for one thing, it confirms that automation is indeed a hot topic and driver in the market. It also suggests, however, that automation across broader IT disciplines (let's think about job management, records management and archival, CMDB, etc.) might ultimately be reserved for a select few vendors that have the portfolio and resources to make it a reality.

But I digress... back to content and my original prediction. In November, I predicted that content would remain a compelling feature for GRC vendors because it is, in essence, knowledge. Knowledge is something that GRC vendors should always be interested in, because it allows them to reach out to broader customer bases, and introduces new ideas and use cases for product functionality. So whether it's DIACAP or NIST content for federal customers, HITRUST/HIPAA/CMS content for healthcare providers, MAR content for insurance companies or FERC/NERC content for the energy sector, content will allow a vendor with standard GRC functionality to have a very targeted conversation with a potential buyer.

So was I right? I think I can already start to collect my bets from that prediction, even though it's only February. The first proof point I will offer up is the acquisition of Paisley by Thomson Reuters, which was finalized January 7th. While this may be an extreme example, here you see a knowledge broker buying a "vanilla" GRC product with the intention of building another vehicle to push its content to its customers. The second example I will offer up is the Brabeion acquisition by Archer, which was announced 20 days later. This acquisition was clearly influenced by the fact that Brabeion has an exclusive license to PwC's control library.

So, you may be wondering, is it just more and different types of content that GRC vendors are looking for? No. Yes. Well, maybe. I think every vendor out there has its own strategy with regard to content. Some vendors are playing "keep up with the Joneses" and would just like to have content in a matrix to map back to a control or process, while others are eagerly looking to build a story around that content, which might include specific surveys, templates, policies, procedures, training, workflow and customized reporting.

The good news for GRC vendors is that the ROI for modest investments in new content can be huge, and there is a lot of material out there that can be obtained cheaply and with relative ease. So keep a watch out for more announcements in the GRC space related to content. Given the economic climate, business in the Big 4 and other professional services firms is hurting at the moment and you can expect that, with the growing number of consultants on the bench, these experts will be thinking up new and innovative ways to harness the knowledge that collectively exists within their organizations. GRC vendors will be right there to consume and deliver that content when they do!

By: Chris Boswell
Chris Boswell specializes in the design and delivery of governance, security, risk management, and compliance solutions at CA. He has experience building GRC solutions across a wide variety of industries, and has worked with numerous regulations, standards and best practices over the past decade. Chris...

2 people have left comments:

[...] Prediction: GRC Vendors Focus on Content in 2009 [...]

Posted by: CA Session at Interop: The GRC Easy Button | CA on Governance, Risk and Compliance (GRC) | October 1, 2009 12:03 PM

Content is not just yesterday's topic. With ever changing regulatory and compliance requirements and with an urge for not just being compliant, many organizations are now using their GRC opportunity to improve their operational effectiveness (not to be confused with following the best practice). Professional services in GRC has its own space and which in my view is much broader than sustenance and cost reduction of GRC through automation. I do agree that management in large organizations have recognized that they must find a way to sustain ongoing compliance effectively and efficiently. "GRC as a Service" is a preferred solution. The natural growth or in some cases the reinvention of businesses must be complemented by appropriate adjustments in the compliance processes. I see automation as an aid for businesses to continuously evolve their operating assets to address new business conditions and technology advancements.

Posted by: Jatin Arora | October 1, 2009 12:03 PM
