Last week (SFDC) hosted its annual Dreamforce Conference in San Francisco, and for the first time, the cloud giant’s products could soon have some major implications in the governance, risk, and compliance (GRC) market.

Amidst the chaos of keynotes, partner sessions, guest speakers like Hilary Clinton,, Al Gore, and our very own George Colony, two of SFDC’s major announcements demonstrated how its new offerings and future strategy will position the company to compete in the very big business intelligence market:

  1. SFDC plans to grow from $5.4 billion to $20 billion by competing more directly with BI vendors like SAP
  2. SFDC announced its "Wave" Analytics Cloud offering, which helps deliver dashboards and analytics from any data source in its platform.


Implications For GRC

So why are these announcements relevant for GRC? Three reasons:

  1. will begin competing against GRC vendors, whether intentionally or not. The large vendors that SFDC will compete with in BI – including IBM, SAP, SAS, and even Oracle – also offer GRC products and capabilities. There are clear advantages to managing risk alongside financial, operational, and performance metrics. Ultimately customers will expect risk analytics to be part of their BI vendor’s portfolio.
  2. The Wave Analytics Cloud enables analytics of any data type, including risk data. SFDC is already much more than CRM software, and its Wave Analytics Cloud will enable even more easy-to-use (and build) dashboards and reports – which are key, foundational capabilities for GRC. Vendors in the GRC market all promote the value of reporting and analytics to help customers prioritize compliance and risk mitigation efforts; the question is whether customers will aggregate all risk and compliance data into a single GRC platform or from various GRC systems into a BI environment.
  3. GRC is increasingly moving to the cloud. In comparison to other software markets, GRC platforms lag behind in cloud offerings, largely because: a) GRC platforms host very sensitive data, b) GRC adoption is highest in heavily regulated industries that have historically been more hesitant to move to the cloud, and c) GRC implementations are complex and integrate with financial transaction and other systems that have also more commonly remained on-premises. This is changing. Over the next 2-3 years, companies will put significantly more GRC data and processes into the cloud, and most will be looking for a SaaS provider they know and trust.


What To Watch For: still has a long way to go before we start talking about it as a relevant GRC tool, but the early signs are there. Here’s what we’ll be tracking when it comes to and GRC:

  • When will we start to see GRC data getting pulled into SFDC to analyze risk data alongside sales and marketing data in one central location?
  • When will top player GRC vendors begin to offer native integration with SFDC?
  • How many new cloud GRC vendors partner with SFDC to offer GRC capabilities such as risk assessments, dashboards, and analytics –a few have already cropped up (e.g. XactiumAruvio, and RisKonnect).
  • Will SFDC itself develop a GRC offering to compete against the likes of IBM, SAP, SAS, and Oracle?


What do you think about all of this? Add your own thoughts, and keep the discussion going in the comments section of the blog. And follow me on Twitter (@nickhayes10).