Compliance Management Software Market

Part 01 of five

Compliance Management Software Market Size

Based on our research, assumptions, and calculations, the current US market size for Enterprise Governance, Risk and Compliance (EGRC) is roughly estimated to be $7.86 billion.

Global Market:

  • In 2018, the global market size for Enterprise Governance, Risk and Compliance (EGRC) was estimated to be $27.80 billion.
  • The market is expected to grow at a CAGR of 12.9% from 2019 to 2025.
  • According to a 2019 report by Markets and Markets, the global market size for the Enterprise Governance, Risk, and Compliance (eGRC) market is $31.5 billion, and it is expected to grow at a CAGR of 10.3% from 2019 to 2024.
  • By 2024, the global market is expected to reach $51.5 billion.

North America Market:

  • According to the report by Markets and Markets, North America is expected to hold the largest market size during the forecast period.
  • However, the APAC region is expected to see the highest growth rate during the forecast period which is attributed to the "various eGRC vendors that are expanding their reach in the region to cater to the changing customer requirements."
  • As per a report by Grand View Research, "North America is projected to continue its dominance, accounting for over 30% of the overall market share in terms of revenue in 2025."
  • Based on the graphical representation given in the Markets and Markets report, we roughly estimated the market size for North America to be $10.5 billion in 2019 and by 2024, the market size is roughly estimated to reach $17.17 billion.
  • As per our assumption and calculation presented in the 'Research Strategy section', we have calculated the North America market size for Enterprise Governance, Risk and Compliance (EGRC) to be $8.34 billion.
  • Therefore, the current (2019) market size for Enterprise Governance, Risk and Compliance (EGRC) in North America, taken as the average of the two figures above (as discussed in the Calculation part of the Research Strategy section), is approximately [($8.34 billion + $10.5 billion)/2] = $9.42 billion.

US Market:

  • Major vendors in the US market include IBM, Microsoft, Oracle, SAS Institute, Dell EMC, FIS, MetricStream, SAI Global, and others.
  • The North America market is divided into the US and Canada markets.
  • As per the Markets and Markets report, among all the countries of North America, "the US is expected to lead in terms of the adoption of eGRC solutions."
  • The "growing business complexities and changing regulatory requirements are expected to drive the market growth in the region."
  • Therefore, the US is expected to represent the largest segment in the North America Market.
  • As per the latest available data, according to 2015 Statistics of U.S. Businesses, there were 5.9 million firms in the U.S.
  • Based on the Government of Canada site, as of December 2015, the Canadian economy totaled 1.17 million employer businesses.
  • Based on our assumptions and calculations, the current US market size for Enterprise Governance, Risk and Compliance (EGRC) is roughly estimated to be $7.86 billion in 2019.

Research Strategy:

Initially, we searched for precompiled statistics on the US market size for Governance, Risk, and Compliance Software (GRC) through authoritative market research and press release databases such as Grand View Research, Technavio Research, Markets and Markets, PR News Wire, Global News Wire, Reuters, and others. However, all the search results were reports on global market size and CAGR, with the regional breakdown behind paywalls, so we could not access the US data from those reports.

However, through the above-mentioned search, we were able to calculate a rough market size for North America. Our next strategy was to look for the US share in the North America market to further calculate the desired market size for the US Governance, Risk, and Compliance Software (GRC). But none of the above-mentioned reports and a few others such as Market Watch, Micro Market Monitor, CFO, and others could provide the percentage share of the US market in the North America market.

We also tried to see if there is any percentage figure available for the US market in the total global market but again none of the reports included this data. However, this search indicated that North America accounts for the largest market share with the major market share in the US. But, this was not sufficient to calculate the US market size.

Then we decided to derive the market size using alternate data. As there is no information available on the percentage share of the US market in the global or the North America market, we decided to use alternative data to arrive at a rough estimate of the US market size for Enterprise Governance, Risk and Compliance (EGRC). During our research, we learned that the market for Enterprise Governance, Risk and Compliance (EGRC) depends on the number of businesses in a particular region, so we decided to use this data to estimate the US percentage share of the North America market and from it derive the US market size for Enterprise Governance, Risk and Compliance (EGRC).

Therefore, we decided to search for the number of businesses in the US and Canada as the North America market is divided into these two segments. We then found the latest available data for 2015 for the number of businesses in the US and Canada. This data was used to calculate the market size for the US market for Governance, Risk, and Compliance Software (GRC). Below we have provided the details of our calculation:

Calculation:

#1. North America Market Size:

  • In 2018, the global market size for Enterprise Governance, Risk and Compliance (EGRC) was $27.80 billion.
  • The market is expected to grow at a CAGR of 12.9% from 2019 to 2025.
  • Therefore, for 2025, the global market size for Enterprise Governance, Risk and Compliance (EGRC) would be = $57.57 billion (using Omni CAGR calculator)
  • North America is projected to continue its dominance, accounting for over 30% of the overall market share in terms of revenue in 2025.
  • Therefore, for 2025, the North America market size for Enterprise Governance, Risk and Compliance (EGRC) would be = 30% of $57.57 billion = $17.27 billion
  • If we assume that the North America market follows a similar growth rate from 2019 to 2025, we can estimate the current (2019) market size for North America to be = $8.34 billion (using Omni CAGR calculator)
  • Also, based on the graphical representation given in the Markets and Markets report, we roughly estimated the market size for North America to be $10.5 billion in 2019, and by 2024 the market size is roughly estimated to reach $17.17 billion.
  • We took an average of both of the above-mentioned data to get the roughly estimated market size for Enterprise Governance, Risk and Compliance (EGRC).
  • Therefore, the current (2019) market size for Enterprise Governance, Risk and Compliance (EGRC) in North America is approximately [($8.34 billion + $10.5 billion)/2] = $9.42 billion

Alternate Data Points to Calculate the US Market Size

  • As per the latest available data, according to 2015 Statistics of U.S. Businesses, there were 5.9 million firms in the U.S.
  • Based on the Government of Canada site, as of December 2015, the Canadian economy totaled 1.17 million employer businesses.
  • The percentage share of the above two would be = US: Canada = 5.9 million: 1.17 million
  • Therefore, the North America market size ($9.42 billion) for 2019 can be divided in the same ratio = $7.86 billion (US) and $1.56 billion (Canada)
  • Also, it has been found that the US accounts for the largest market share in the North America market, so the above estimation seems to be true to some extent for the US. Therefore, the current US market size for Enterprise Governance, Risk and Compliance (EGRC) is roughly estimated to be $7.86 billion in 2019.

Part 02 of five

Compliance Fines - Government Entities (US)

The United States Environmental Protection Agency (EPA), Financial Industry Regulatory Authority (FINRA), and U.S. Department of Health and Human Services (HHS) are among the U.S. government entities that charge fines for compliance violations. EPA fined Volkswagen $2.8 billion, FINRA fined Citigroup $1.25 million, and HHS charged New York-Presbyterian Hospital and Columbia University $4.8 million. A detailed report of the government entities is presented below.

The United States Environmental Protection Agency (EPA)

  • EPA is mandated to protect the environment and human health by ensuring that Federal Laws regarding "human health and environment are administered and enforced". The agency implements the laws by creating regulations as well as setting national standards.
  • The agency ensures compliance with the set environmental requirements. When necessary, EPA takes criminal and civil enforcement actions against persons or entities violating environmental laws.
  • EPA enters into agreements with parties that are willing to comply with cleanup orders through its Superfund Authorities. In the event of non-compliance, EPA introduces statutory penalties depending on the duration of non-compliance. A stipulated penalty may be agreed upon by both parties at the beginning of an agreement. If a party doesn't comply, EPA introduces a treble penalty where they can recover "up to three times its costs".
  • The agency can also resort to civil penalties that involve monetary payments by a party due to violations. In extreme cases, EPA can impose criminal penalties that involve a judge during the sentencing and the violating entity may be ordered to compensate people affected by the violations.
  • In 2017, EPA fined Volkswagen $2.8 billion for selling vehicles in the U.S. by using a device designed to manipulate and cheat on emission tests. Similarly, the serving general manager of Volkswagen in the U.S. was also fined $400,000 for overseeing the sale of non-compliant vehicles in the U.S.

U.S. Department of Health and Human Services (HHS)

  • The HHS's role is to "enhance and protect the health and well-being of all Americans" by facilitating advances in public health, medicine, and social services. The HHS is tasked with the enforcement of HIPAA privacy and security regulations and handling violations.
  • In the event of non-compliance, HHS's Office for Civil Rights (OCR) can impose civil penalties where the party is required to pay for the violation. The amount is determined based on a predetermined tiered penalty structure.
  • Criminal penalties can also be imposed and the process involves the Department of Justice where violators are prosecuted in a court of law. Similar to civil penalties, the fines are imposed based on the penalty tiers.

Financial Industry Regulatory Authority (FINRA)

  • FINRA is mandated with the provision of oversight on broker-dealer transactions to protect investors. It aims to safeguard investor confidence through effective and fair enforcement of MSRB, FINRA, and federal securities regulations.
  • FINRA imposes sanctions and fines on violators to safeguard the interests of investors. Depending on the severity of the violation, offenders may be required to pay a fine, monetary sanction, or restitution. In extreme cases, all the mentioned penalties are imposed.
  • In June 2019, FINRA imposed a fine of $1.25 million on Citigroup Global Markets due to the violation of Federal Securities Law. Under this law, it is mandatory for broker-dealers to fingerprint "certain associated persons working in a non-registered capacity before or upon association with the firm". Citigroup had violated this regulation from 2010 to 2017.

Research Strategy

In order to find examples of U.S. government entities that charge fines/penalties for compliance infractions, we consulted the web for publications, news, articles, and reports about fines imposed by regulatory agencies in the U.S. On finding some examples of fines imposed on violators, we searched the agencies' websites to find information on their mandate and the type of fines they charge.

Part 03 of five

Governance, Risk & Compliance Software (GRC) Providers

The top six GRC providers in the United States include IBM, Symantec, ServiceNow, ForcePoint, Qualys, and Workiva.

The link to the spreadsheet is here. An overview of the findings has been presented below.

1. IBM

2. Symantec

3. ServiceNow

4. ForcePoint

5. Qualys

6. Workiva

RESEARCH METHODOLOGY

In order to identify the top GRC providers in the United States, we examined the public domain to find a precompiled list. eSecurity Planet and TrustRadius are two esteemed sources that presented a list of all the top GRC providers on a global level. Together, the lists contained more than 100 GRC providers. These two lists acted as the base of our research.

Subsequently, we condensed the lists by separating out the companies headquartered in the United States into a separate list. We then narrowed that list based on the revenue of the companies to find the top GRC providers in the US. Crunchbase was used to identify the total revenue and the headquarters' location of the companies.

To conclude, the top GRC providers in the United States based on the total revenue of the company include IBM, Symantec, ServiceNow, ForcePoint, Qualys, and Workiva.

Part 04 of five

Governance, Risk & Compliance Software (GRC) Providers 2

IBM (OpenPages), Symantec (Control Compliance Suite), and ServiceNow (GRC) are leaders in the field of governance, risk, and compliance software. While IBM and Symantec target audiences in the US, ServiceNow has adopted a global approach. The requested information is summarized in the attached spreadsheet.

IBM (OpenPages)

  • IBM OpenPages Operational Risk Management allows businesses to integrate relevant data into a single environment. It automates all aspects of operational risk, including its identification, analysis, and management.
  • IBM OpenPages with Watson is the only cognitive-driven software available. It offers risk management, financial controls, policy and compliance, controls management, and IT governance.

Symantec (Control Compliance Suite)

  • Symantec (Control Compliance Suite) can identify security risks and vulnerabilities and create remedial plans. The automated processes it offers ensure compliance across a range of regulations, mandates, and best practice frameworks.

ServiceNow (GRC)

  • ServiceNow (GRC) allows businesses to confidently manage risk, increase performance, and improve decision-making. It uses continuous monitoring and real-time analysis to identify areas of high risk and non-compliance.
  • The product has four main applications: policy and compliance management, risk management, audit management, and vendor risk management.

Research Strategy

We reviewed a range of precompiled information on the websites of the respective companies to determine the products offered, the pricing, and the features that distinguished each of their products. To determine the target audience, we reviewed market reports, media articles, and marketing strategies.

Part 05 of five

Governance, Risk & Compliance Software (GRC) Providers 3

ForcePoint serves more than 20,000 government organizations and enterprises world-wide, while Qualys serves more than 11,000 customers in more than 130 countries. Currently, Workiva works with more than 3,400 customers in over 180 countries, where more than 75% of their clients are Fortune 500 companies. Details have been inserted into columns D through H, rows 6-8 of the attached spreadsheet.

ForcePoint (Data Loss Prevention):

  • ForcePoint targets government as well as private enterprises across the globe. Their target is to provide better decision-making abilities and efficient security at the human point with their context-based technologies, and data-centric, integrated solutions. They serve more than 20,000 government organizations and enterprises world-wide. Most of their customers belong to technical, finance, business services, manufacturing, and healthcare industries.
  • Features of ForcePoint's DLP platform include working across devices, connecting to multiple networks, working within cloud apps, and securely sharing data with third parties (encryption of data). The platform also helps identify an organization's riskiest users.
  • Forcepoint's CASB (Cloud Access Security Broker) offers access to cloud apps with enhanced security. CASB discovers unsanctioned cloud applications, assesses the associated risk, and controls sanctioned cloud applications (Office 365, Google Suite, Salesforce, Box, Workday) to prevent the loss of critical intellectual property. It integrates with Web Security, DLP, Next Generation Firewall (NGFW) and Advanced Malware Detection to provide visibility and control in the system. This visibility and control over cloud applications eliminates organizational, security and compliance blind spots. These features give ForcePoint a competitive advantage over other platforms.

Qualys (Policy Compliance):

  • Qualys targets organizations on a global level in technology, retail, biotech, chemical, and banking industries. Currently they serve more than 11,000 customers across 130+ countries. 70% of Forbes Global 50 companies are their customers. A major share of their current clients are from technical, healthcare, manufacturing, business services, education, and retail industries.
  • The Qualys cloud platform is able to cater to all the security and compliance needs of an organization. It enables management of infrastructure security, cloud security, endpoint security, DevOps, compliance, and web app security in one place.
  • According to third-party analysis, Qualys maintains a list of critical security vulnerabilities that is nearly twice as comprehensive. Qualys updates its databases three times a day, and automatically checks and maintains validation of remedies and links. The company has no hidden costs for hardware, supporting software, installation or maintenance charges. These costs tend to be $3-5 per $1 of software for other solutions. These advantages over competitors make Qualys stand out.

Workiva (Wdesk):

  • Workiva (Wdesk) targets organizations on a global level across all verticals. They currently work with more than 3,400 customers in 180+ countries. More than 75% of their clients are Fortune 500 companies. A major share of their current clients come from the finance, energy, utilities & waste treatment, technical, healthcare, retail, business services, real estate, insurance, telecommunications, and hospitality sectors.
  • The Workiva (Wdesk) cloud platform connects data and context, unifies people and documents, and ensures governance and compliance across multiple organizational processes like Financial Close Reporting, Internal Audit Management, Regulatory Reporting, SEC Reporting, SOX Compliance, Capital Market Transactions, among others.
  • Wdata is a Workiva platform component that allows users to score data from Enterprise Resource Planning (ERP), Governance Risk and Compliance (GRC) platforms, other third-party, on-premise systems and cloud applications. Once the data is connected in the platform, users can automate updates, track changes and collaborate with colleagues to create reports and regulatory filings. These are some competitive advantages of Workiva over others.


Research Strategy:

Our research team searched through information available on the websites of the respective companies. Information regarding products offered, the pricing, and the features that distinguish each of these companies from competitors was available on official websites. However, we could not locate any solid data on the target markets of these companies. We used the strategies listed below to find the target markets of these companies.

First, we searched through media coverage and press releases from these companies to find the target markets. We were able to find information related to the latest achievements, awards won, recognitions, latest technology implementations, etc. But we were unable to locate specific markets that are being targeted by these companies or any information related to marketing spend in any specific market.

We then searched through reports published by the respective companies in the hope of finding data related to marketing expense and the target markets for that expense. We only found information related to technological implementations, changes in technology over the years, customer testimonies, and benefits of their technology. No information related to target markets was present in these sources.

The team also searched for interviews with C-suite employees of the respective companies in sources like Diginomica, Authority, Gurufocus, among others, hoping to find any mention of their strategies to enter new markets. No information related to target markets was found there; only information related to the need for security in enterprises and automation was available in these interviews.

We then looked for reports related to the Compliance Software market in general on sources like Marketwatch. The objective was to find any mention of investments in emerging markets by key players (since the companies in question are considered market leaders and have won multiple international level awards), but no information related to investment trends was found. Only data related to market growth, trends, key players, etc. was available.

We were, however, able to locate firmographic details of existing customers of the three companies, which are provided in the spreadsheet and findings.