December 26, 2019
Let’s start with the basics: governance, risk and compliance (GRC), in layman’s terms, can be defined as the umbrella of strategic efforts by an organization to manage its overall functional structure, to manage the risks that arise from its functional and structural elements, and to comply with all the laws and regulations applicable to the organization for the time being in force. GRC is an information technology-based approach that synchronizes effectively with the business objectives, manages the risks affecting the business and complies with the regulatory requirements.
Governance in GRC means the hierarchy created in an organization that specifies who is responsible for which decisions. It also defines who the senior executives that manage and control the organization are and the decision-making powers they are endowed with. Hence, it is paramount that the information that reaches top management executives is sufficient, accurate, and made available to them on time. It involves ensuring that business activities, such as managing IT operations, are aligned with the organization’s business goals.
Risk management in GRC is a set of activities in an organization that identifies and analyzes the inherent risks in the business and other potential risks that might affect the structural and functional foundations of the enterprise adversely. The activities that fall under risk management are put in place to mitigate such risk factors. It includes a comprehensive IT risk management process that is in sync with the organization’s enterprise risk management function.
Compliance in GRC means having activities that focus on making sure that all laws and regulations applicable to the business are followed. In cases where there has been any lapse, rapid corrective actions are taken, and controls are kept in place so that a similar mistake is not repeated. It includes ensuring that the IT systems and the data contained in those systems are secured and used as per regulatory norms.
Some research and publication houses (mis)characterize what GRC is about by reducing it solely to compliance. However, the long-standing official definition of GRC found in the OCEG GRC Capability Model is that GRC is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].
The rapid changes in the regulatory environment and increasing third-party relationships are exposing businesses to various risks. It is widely discussed across the globe that the last decade could be termed the decade of the ‘compliance boom’ following the GFC.
Also, the traditional functional roles – legal, internal audit, risk management, and compliance professionals – tend to work in silos that are prone to inefficiencies in information exchange and accountability. The problem grows when the organization continues to use disconnected or disparate solutions for risk management, internal audit, policy management, and compliance. Ignorance of, or complacency about, mapping the organization’s GRC processes to business strategy usually results in hefty compliance fines. This makes implementing GRC processes in modern businesses very important and necessary. This ever-increasing requirement has made the GRC solutions market an interesting area of play for tech wizards.
The GRC solutions market is almost ten years old now, and buyers have high expectations of GRC software. The main reason is that GRC today is not a back-office job; instead, it is expected to be intuitive and to have an easy-to-use interface, owing to its increased emergence as a core business function. Organizations that implemented in-house GRC activities in the past decade find them cumbersome and out-of-date compared to the new generation of software, which adapts to variations in the various factors around it.
The major drivers, considering the current market trend, that motivate a business to adopt GRC technology solutions are as follows:
Constant Change: The regulatory environment is constantly changing nowadays. Also, there are various political, industrial, and economic factors that change rapidly and can create contingencies for businesses at any time. These changes cannot be dealt with by legacy systems or processes, and they can expose the business to risks it might not be prepared to deal with.
Increasing associations: Increasing dealings and associations of organizations with third parties, including international or foreign parties, are creating regulatory and risk exposure for businesses.
Disintegrated Information: Medium and large organizations have multiple departments in their structural framework. The information in these departments is mostly present in a scattered form, and they seldom have a core system to link their information to and produce the required output. GRC software is put in place to help organizations manage such bulk data and to help them with the cumbersome task of consolidating that data into a meaningful output.
Limitations of legacy GRC platforms: The new-age GRC platforms are far better than the legacy systems. The new ones are built with the help of advanced systems and are created to support the business in a rapidly changing environment. The legacy platforms have their own inherent limitations and are too rigid to keep pace with the ever-changing forces of the market.
As per a survey conducted by GRC 20/20 Research LLC, here are the top eight features that businesses demand as per the current market trend:
Also, it has been noted that 38% of the inquiries about implementing GRC activities come from large enterprises (i.e., enterprises having more than 10,001 employees), 51% of the inquiries come from medium enterprises (i.e., enterprises having 1,001 to 10,000 employees), and the remaining 11% come from small enterprises.
Hence, considering the current market trends and requirements, there’s a huge opportunity for companies providing a GRC product that can facilitate an automated system, track various activities, and also offer the following features:
GRC platforms of the future (some signs of which can be seen in present-day scenarios as well) shall also have various SaaS (Software-as-a-Service) capabilities such as:
The major vendors that provide SaaS capabilities are FixNix, RSA Archer, LogicManager, Riskonnect, SAP GRC, ACL GRC, SAI Global Compliance360, MetricStream GRC, BWise GRC, Rsam GRC, and Enablon GRC.
Among these players, some of the full GRC suite providers, such as MetricStream and RSA Archer, are mostly operational risk-focused and targeted at large companies with mature programs. FixNix-like solutions are mostly operational and enterprise risk-focused, modular, and suitable for companies at different compliance maturity levels. We think FixNix is playing in the right market, since two-thirds of the GRC solution inquiries are generated by medium and small-sized enterprises.
North America has the highest global market share in GRC services, as approximately 42% of the inquiries for GRC services arise from North America. The global GRC market is expected to grow from the present $31.5 billion in 2019 to $51.5 billion by 2024 (based on a compound annual growth rate of 10.3%). North America contributes the most to the revenue of the GRC market. The region is seeing significant developments in the field of GRC. A number of vendors in the region are developing innovative products and solutions with the help of advanced technologies. These technologies include Natural Language Processing and Machine Learning, along with other advanced analytical tools. The growing business complexities and frequently changing regulatory environment in the region have created a high demand for GRC products. FixNix is one of the key players in the North American market that is gaining popularity for its strong product offerings. In 2018, we recognized this player as one of the leading players in the RegTech landscape. Hence, we are revisiting them to understand their growth, product suite, achievements, and growth plan.
FixNix is a pure-play SaaS RegTech startup that provides a governance, risk and compliance (GRC) suite to comply with regulations and simplify governance processes. FixNix was founded by Shanmugavel Sankaran in 2012 to address and resolve the risk and governance issues in businesses with the help of software. The company was founded to support organizations working in a fast-changing regulatory environment and help them stay compliant with various internal and external regulations. Shanmugavel got the idea to start FixNix while he was working with Martjack, an e-commerce solutions provider that wanted a GRC product with an easy-to-use interface that was also affordable.
Various vendors in the GRC market normally target Fortune 500 companies or other large organizations. Their GRC products are very expensive, and they take a couple of years to implement as well. Hence, smaller businesses are unable to afford such expensive GRC products. FixNix works on a SaaS-based model (Software-as-a-Service) and offers almost all of those services at one-tenth the price, while also offering a quicker implementation time.
FixNix offers integrated regulatory compliance solutions for managing clients’ increasingly complex security management, risk management, and regulatory reporting obligations. The ever-increasing regulatory burden and scrutiny necessitate quick action by all, not only those operating in a regulated environment but also those who want to demonstrate strong corporate governance to their stakeholders. FixNix has recently launched V6.0 of its RegTech SaaS platform, FreshGRC, which can help clients with their specific needs, whether it is an enterprise-wide cross-function solution or a bespoke audit management solution. FixNix solutions aim to address the grey areas in existing compliance functions. From silos of unstructured data, inefficient processes, inadequate analytical capabilities, and incompatibility of metadata to poor interpretation of rule changes and a lack of standardization in data management – several problem areas need a RegTech makeover. FixNix has a number of product offerings to tackle just this.
The true strength of FixNix’s product suite lies in the interoperability of a wide spectrum of products. FixNix also has three deep tech products:
1. NixWhistle – Blockchain Whistleblower
NixWhistle is a unique product that automates the whistleblower policy. It is the first such product in the world to be powered by blockchain. The product is also powered by distributed ledger technology provided by R3 ‘Corda.’ The product provides an easy-to-use web interface where employees can blow the whistle anonymously on any malpractice, fraud, or harassment they have observed or faced in their company. On the other end of the web interface is a whistle-investigator, who investigates the issue and passes it to the whistle-reviewer for review. The whistle-reviewer provides the resolution of the issue and also a closure report. In this way, the whistleblowing system stays transparent, the status of the whistle blown can be tracked, and the identity of the employee stays anonymous as well. Download the Datasheet on NixWhistle.
Team FixNix is exploring spinning off the blockchain product as a separate entity; talks are being held with blockchain investment funds in the USA.
2. NixViolate – Regulatory Risk Data Lake
NixViolate is a product that has a data bank of millions of violation records, collected from thousands of regulators. The product not only holds huge amounts of data, but it also works on machine learning, artificial intelligence, and text analytics. The primary purpose of this product is to provide regulatory insights to the organization and to help it stay updated on changes in regulations in the industry it operates in. It also helps the organization identify the regulatory issues it may face when planning to enter a new industry.
3. NixPredict – Predictive Analytics
NixPredict is a tool that predicts risks in an organization with up to 95% accuracy with the help of modern technologies such as machine learning and data visualization. It uses the organization’s historical data to predict the future risks it may face and also the future audits it may have to go through. This helps the organization comply with global regulatory requirements. NixRisk and NixAudit are part of the NixPredict suite as well. Overall, the product minimizes risks and protects the brand value of the entity.
And the list goes on.
The FixNix Team includes Founder Shanmugavel Sankaran and Co-Founder Kayalvizhi Shanmugavel. It also has an advisory board with 180+ years of combined experience in various industries such as banking, technology, GRC, financial services, and entrepreneurship.
Additional global executives are to be hired in New York and Europe to expand the company’s presence. FixNix is in talks with family offices and hedge funds to explore its next growth journey and infuse 10 million USD. Once funding is secured, together they would build out the business development, sales, marketing, and customer support teams across the two regions. They will also continue to grow and scale the product and engineering teams, all of whom currently reside in Chennai, India. Currently, FixNix has 12 GRC products; however, by adding new experts, the company will target mainly the banking, financial services, and industry sectors in North America, Canada, and Europe as a step towards expansion. FixNix is strengthening its 7 years of research in the regulatory technology space with 19 provisional patents, bringing the Software-as-a-Service momentum to fruition for the end-users of the compliance industry. It is working on 15 more in addition to the 19 and converting the provisional patents into formal ones.