Most analysts break the market down into two broad categories: IT GRC and enterprise GRC (eGRC). The vendors generally don't make it any easier for potential enterprise customers, as the IT GRC players often claim they do eGRC, and all the eGRC vendors say they encompass IT as well.
To a degree, they're both right. RSA Archer, for example, generally regarded as something of a hybrid leaning more to the IT side, has had some success in the eGRC market.
"They're not mutually exclusive, and that's why it gets fuzzy," said Paul Proctor, Gartner vice president of security and risk management. "Each says they do the other, and, to some degree, they are all correct. They are separated because some are clearly better at the eGRC top-down look at everything, and some are clearly from an IT background and better at IT."
Michael Rasmussen, president of Corporate Integrity, doesn't even think IT GRC is an accurate term, preferring "IT Risk and Compliance." Labels aside, he says the two can be differentiated in two areas:
The first is content. In enterprise GRC implementations, the customer supplies all the content, meaning the policies and control libraries. IT GRC, on the other hand, ships pre-populated with a lot of content, such as sample IT policies and control libraries mapped to common IT frameworks. This makes sense, because IT is a very specific domain with IT-specific content, whereas eGRC content can be almost anything.
"Enterprise GRC content is much more all over the map: financial controls, labor standards and compliance issues, import and export laws, health and safety, and so on," said Rasmussen. "The compliance domains for enterprise GRC are so broad."
The second difference, which follows from the focused nature of IT content, is the ability to integrate with other IT and IT security systems and applications, such as vulnerability management, configuration management and change management tools, so that control evidence can be pulled from those systems rather than entered by hand.