A TripleTree Indu...

TripleTree Compliance


Published in: Business

  3. INTRODUCTION

Compliance is undoubtedly one of the hottest, but perhaps one of the most misunderstood, sectors within enterprise software. The complexity of corporate governance and a stricter regulatory environment are driving the market for solutions that help enterprises manage risk, satisfy compliance mandates, and meet government initiatives. Though the scope of the term compliance varies from vendor to vendor, TripleTree views compliance as the broader set of business practices and technologies that seek to find solutions in the areas of enterprise risk management, corporate governance, IT governance, and compliance controls management.

The vendor landscape is rapidly expanding as both emerging vendors and global technology leaders roll out solutions and product road maps for an expanding market. These solutions are engineered to address a flood of regulatory requirements in establishing good governance practices and industry standards which are now at the forefront in the highest levels within most organizations.

This Executive Digest is the first in a series from TripleTree addressing the evolution of the governance, risk and compliance market. At a high level, it assesses why compliance and risk management needs are top-of-mind for enterprises and where vendors are creating automated solutions to serve this evolving set of needs. It will conclude with a viewpoint of how an enterprise-wide compliance platform and ecosystem will evolve in what is currently a highly fragmented market.

Looking ahead to future Executive Digest reports, TripleTree’s compliance research agenda will cover:

• An expanded view on compliance, risk management, and governance platforms with perspectives on platform approaches to managing compliance initiatives;
• A review of the various delivery models and deployment scenarios for compliance solutions ranging from licensed software to SaaS, and hybrid models to outsourcing; and
• A viewpoint for emerging company CEOs on compliance solutions that will assess how this sector may mature including areas for cooperation, likely vendor consolidation and ideas for value maximization.

PAGE 2 Q1 2008 COMPLIANCE WWW.TRIPLE-TREE.COM MINNEAPOLIS 952.253.5300
  4. COMPLIANCE MANAGEMENT

Compliance Management is Top-of-Mind for C-Level Executives

Enterprises of all sizes are scrambling to establish compliance solutions to address the tens of thousands of federal, state, local, and international regulations ranging from well known mandates such as Sarbanes-Oxley (SOX), Patriot Act, HIPAA, and NERC in the U.S., to J/SOX in Japan and Basel II in Europe, plus a number of lesser known compliance arenas like FISMA, PCI and alpha-numeric combinations like ISO 15489 and SEC 17a-4. There are simply too many regulations affecting every aspect of an organization’s business processes and systems to manage them effectively ad-hoc.

With billions of dollars of potentially business-wrecking fines, it is becoming increasingly clear that compliance initiatives must be addressed through automation and a comprehensive, repeatable process rather than as a one-off project.

A range of functionality can be included in a comprehensive compliance solution. Based on TripleTree’s ranking of compliance vendors, a basic list of tech-enabled functions must minimally include:

• Business Process Modeling
• Controls Automation (both IT & Business/Financial)
• Dashboards
• Document Management
• Financial Reporting Integration
• Policy Management
• Risk Management
• Audit Support

Given the cross functional application and infrastructure technologies that are impacted by compliance mandates, today’s compliance solutions must link or collaborate with enterprise content management, business intelligence, business performance management, and various reporting and analytical applications.
  5. THE COMPLIANCE LANDSCAPE

Defining a Sector Amid Rapid Growth

An entire sector of software vendors has emerged to offer solutions engineered to automate compliance processes and features as previously listed. TripleTree tracks over 300 such vendors and has only scratched the surface. A few vendors have designed a platform approach to broad-based compliance issues within the enterprise, but the majority are best classified as point solution vendors addressing only particular compliance control areas. Many others have largely stumbled into the compliance category from adjacent markets such as security, business intelligence, or content management.

The rise of the point solution vendors began in the late 1990s as enterprises began to realize that manually addressing regulations through audits and ad-hoc home-grown tracking applications was simply not cost effective. Largely, many of these firms have specialized in one or a few regulatory mandates such as Sarbanes-Oxley and have worked to broaden their solution into other regulatory and control areas. In addition to these specialists, ‘compliance’ has become a magic descriptor finding its way into almost every enterprise software vendor’s solution vernacular and product road map, making it very difficult for enterprises to sort out an ever growing landscape of providers.

Though no clear consensus exists on the current size of the compliance market, some analysts peg the sector as a greater than $50 billion opportunity and others see it as much smaller. The wide range in sizing is indicative of how varied the market definitions of the space are. Based on scores of TripleTree vendor briefings and end-user feedback, what is clear is that the definitions of compliance are shifting to meet economic and legislative demands. As such, the more innovative providers of compliance solutions are being forced to pivot and hone their market awareness, strategy, messaging and product development.

• Definitions: Common definitions for compliance areas are absent in our risk-aware business culture. Compliance is a broad reaching concept that touches a number of business processes and functional domains within an organization. Vendor solutions need simplification for interest and adoption to grow.
• Fragmentation: Many organizations are using numerous compliance solutions particular to the needs of the CFO, general counsel, chief compliance officer, CIO, and marketing. With these distinct buyers come misconceptions about how compliance policies should be mandated and managed.
• Incomplete Solutions: A majority of software vendors claim to have a complete compliance solution but only address a narrow set of requirements around specific control points or a handful of regulations.
• Emerging Vendor Leadership: Enterprise platform players and a select group of innovative ISVs are driving solution definition in the compliance sector. During the next few quarters, awareness, acceptance and a resulting consolidation in the sector will occur as global firms fill gaps in their solutions.
  6. ASSESSING AND MANAGING ENTERPRISE RISK

Approaching compliance management with consistency across an organization is challenging. In most organizations, compliance control is not a holistic process and most issues are addressed at the business unit or product level. The following is a simplified view of a typical enterprise:

• Human capital management teams must adhere to labor laws
• Finance departments manage various regulations and disclosures as well as provide means for transparency and independent verification
• Manufacturing teams address product safety and quality requirements
• Legal dictates internal policies while collaborating with external counsel on litigation issues, discovery, and IP protection
• IT departments focus on security and data privacy
• Marketing departments are managing key customer and billing information with sales teams, channel partners and customer service.

As a by-product of this fragmentation, information and process silos have emerged across these departments and the resulting compliance investments will remain ad-hoc for the foreseeable future. However, compliance solutions that remain narrowly focused around discrete issues will struggle to become a relevant compliance platform.

Regulatory Compliance

Regulatory compliance remains a critically important function and a component of most broad risk management and governance platforms. To properly understand and manage risk, meet regulatory and corporate requirements, and execute on governance initiatives, enterprises need a robust and comprehensive application suite and these suites are beginning to materialize as Governance, Risk and Compliance (GRC) solutions.

For many compliance vendors, GRC and its component terms (governance, risk and compliance) are often used interchangeably. However, TripleTree believes clear distinctions should and must be drawn between the scope and functionality for solutions that address compliance risk management and governance automation.

GRC

Compliance management is the label used to describe a holistic compliance framework which can span an enterprise through transparent and efficient processes. We narrowly classify GRC as a subsegment of technology solutions within the broader compliance management framework. Though this naming convention may seem counterintuitive given that ‘C’ in GRC stands for ‘compliance’, this nomenclature is used by a majority of leading vendors and industry analyst groups.

While several GRC solutions exist, TripleTree defines a complete GRC program as one which takes a federated approach integrating compliance control points into broader, collaborative enterprise-wide schemas. End-users can be easily confused as vendors use GRC as an umbrella term to describe point based solutions that treat individual compliance and risk initiatives as compartmentalized silos within an organization, as opposed to taking a more top-down approach.
  7. IT Governance

Through our proprietary research, TripleTree has discovered patterns where IT Governance (ITG) is transcending pre-defined boundaries into a broader IT governance, risk and compliance management (IT-GRC) definition.

Broadly speaking, traditional ITG is a framework by which organizations leverage internal IT assets to support and manage governance, risk and compliance initiatives across the enterprise. Inherent in these ITG strategies are how the procedures and responsibilities which govern risk and compliance integrate with work flows.

While GRC vendors cater to the CEO and CFO, IT Governance solutions have been deployed as controls designed to resolve pain points of the CIO such as data management, portfolio management, performance management and disaster recovery. Vendors are finding that the most effective ITG platforms integrate technologies which extract value from the IT infrastructure by integrating previously isolated IT control points into a top-down decision making process.

Early IT Governance solutions were limited to best-of-breed applications that helped facilitate Project Portfolio Management (PPM) initiatives and decision making processes surrounding IT investments. By providing tools that helped analyze, prioritize, and make decisions, these solutions created a framework and process by which organizational IT goals could be measured and initiatives for value creation discovered.

Corporate leaders are now taking a top-down approach for compliance control across the enterprise and are looking to IT as a critical support for GRC and all enterprise compliance initiatives.

An Enterprise-Wide View on Compliance Management

Though many vendors currently offer tools that address many compliance control points, a platform has not yet evolved to adequately address all key elements of enterprise compliance management.

An enterprise-wide compliance solution must address both the management needs that span business and IT. Information management, analytics, financial controls, internal audits, eLearning, labor laws and traditional IT governance areas like asset management, security, and content management are inclusive of these needs. A holistic enterprise compliance platform must address both the “top-down” business-facing processes and systems and the “bottom-up” IT controls of the organization.

Only by creating an enterprise-wide ecosystem that unifies the decision making process between GRC, ITG, ERP, BI, and CPM systems can an organization fully realize the value of its compliance programs.

Understanding the Components of GRC

Governance is the framework that defines how corporations are managed to achieve corporate goals.

Risk Management is the process of identifying and assessing enterprise risk within a developed framework to address those risks. Though risk management is a discipline practiced throughout the enterprise, it has historically been implemented on an ad-hoc basis to address isolated risk silos.

Compliance Management defines how corporations conform to guideline laws set forth by governmental agencies or industry standards. It also defines internal policies and best practices. Compliance technologies have traditionally been control point solutions which help users conform to a set of parameters for a specific risk or regulation (i.e. Sarbanes-Oxley). These technologies typically implement transparency measures to assure outsiders that an organization is compliant.
  8. Figure 1: TripleTree’s Compliance Market Map Q-Diagram

[Diagram: Business Risk and Compliance control points (top half), Shared Services (center), IT Risk and Compliance control points (bottom half). Source: TripleTree]

TripleTree has outlined a list of 30 representative control points within an enterprise risk and compliance management platform. Control points on the top half of the diagram are functions typically associated with business risk and compliance management. The bottom half of the diagram shows IT risk and compliance management control points.

The Shared Services box in the center ties together compliance within the business units and the IT elements throughout an organization. These services help to better integrate governance, risk and compliance decision processes with other business goals.
  9. Figure 2: A “Top-Down/Bottom-Up” Approach to Compliance

[Diagram: Business Risk and Compliance (top) and IT Risk and Compliance (bottom), with the labels Foundation, Common, Based, Engine, Analytics, Frameworks and Extensible (SOA) between them. Source: TripleTree]

This “top-down/bottom-up” model is considered a goal for many of today’s compliance providers as organizations ultimately will want a comprehensive solution from a trusted vendor. Engineered solutions designed to help an organization understand and manage its broad compliance initiatives efficiently will include automated control points for both the business units and IT.

Because enterprise compliance suites are early in their evolution, organizations must work toward adopting a federated framework by integrating several point based controls into a unified system. Organizations that apply this federated approach should seek a pre-integrated multi-vendor solution based on a common data repository. This will help to maintain a holistic view of business risk and compliance initiatives that are in line with business processes. Moreover, the unified data repository will allow organizations to leverage common shared services and enable executives to make decisions based on a single, consistent data source as opposed to deciphering multiple disconnected data streams.
  10. MATURING PLATFORMS

As stated, the fragmented market for compliance solutions has been comprised of a narrow set of control points, a limited set of regulations and some foundations in IT governance. Recent sector consolidation points toward a maturation of thinking by leading vendors. We predict the evolution of compliance solutions will be driven by leading enterprise software vendors and specialized compliance management vendors racing to fulfill enterprise compliance needs as represented in both halves of our Q-Diagram on page 7.

Today’s compliance specialists are represented by a list of vendors offering both licensed software and SaaS-based solutions.

• CA
• Compliance 360
• HP
• IBM
• Oracle
• OpenPages
• Paisley
• Protiviti
• Resolver
• SAP
• Others

Vendor comparisons are difficult since sector definitions and actual capabilities within the compliance stack do not match up. From the list above, each firm represents some functionality for financial controls, audit automation or regulatory control. Solution maturity is varied.

Risk Management capabilities also vary widely among vendors. For instance, one vendor may have strong dashboard and reporting capabilities alerting users to compliance deficiencies, while another may take a more process-centric approach focused on deficiency remediation. Yet another vendor may have engineered strong ties into a business intelligence-centric, corporate performance management suite for complex analytics.

A few vendors are messaging and delivering around a “top-down/bottom-up” approach by touching on several areas of business risk and compliance as well as IT risk and compliance. However, no single vendor (or ecosystem of ISVs) provides the comprehensive enterprise-wide compliance solution like the one outlined in our Q-Diagram.

Consolidation - Further Defining the Sector

Not surprisingly, global technology platform vendors like Oracle and SAP are beginning to push their GRC/compliance message and assemble their respective platforms. In terms of capability, market reach, and ability to execute, we consider the global vendors as the group most capable of assembling the functionality for a holistic enterprise compliance platform.

Oracle’s strategy includes leading with its financial applications, middleware, content management (Stellent), and recently acquired compliance assets such as LogicalApps. Ecosystem partners (ISVs and service providers) will become increasingly important to Oracle as it broadens its compliance definition within its GRC strategy.

SAP’s GRC strategy is based on the strength of its financial application platform, HCM, and supply chain assets. Newly acquired capabilities from the likes of Virsa also play a significant role. SAP’s pending Business Objects acquisition foretells of an increasing focus on analytics and intelligence as a broader risk management strategy.

  11. Figure 3: Representative Compliance Market Activity

Consolidation

Date | Buyer | Target | Description

Business Risk and Compliance
Oct-07 | Wolters Kluwer | PwC (TeamMate Software) | Audit management & risk assessment
Oct-07 | Oracle | LogicalApps | ERP compliance & monitoring software
Sep-07 | Xerox | Advectis | Document management & collaboration SaaS
Jun-07 | Iron Mountain | Accutrac Software | Records management & compliance software
Nov-06 | Oracle | Stellent | Content management software
Apr-06 | SAP | Virsa Systems, Inc. | Segregation of duties; SOX compliance
Feb-06 | Fujitsu Consulting | GIM Risk Management | SOX compliance systems integration

IT Risk and Compliance
Sep-07 | Oracle | Bridgestream | Identity and access management
Dec-06 | IBM | Consul Risk Management | IT & compliance management software
Jul-06 | HP | Mercury | Business Technology Optimization (BTO) software
Jun-05 | CA | Niku | IT management and governance software

As we foreshadow a consolidation trend, a range of potential consolidators come to mind. In addition to the obvious global enterprise software vendors, firms in the integrated information management, publishing, and document services sectors make interesting acquirers. Certain industry-focused vendors and offshore BPO vendors are also of consideration.

Key Drivers:

• Compliance is a top-of-mind category;
• Global technology leaders in applications and infrastructure are racing to be seen as having the most extensive compliance management platform and by extension want to shape the category and its components;
• While no single vendor can organically build a holistic platform today (the “top-down/bottom-up approach”), compliance ecosystems (e.g. SAP’s recent linkage with Cisco Systems) will begin to emerge and consolidate in order to address multiple compliance requirements;
• Disruptive delivery models like SaaS and hybrid solutions (SaaS-enabled BPO) will become more prevalent, just as they have in other software categories;
• Since no clear sector leader exists, time-to-market is critical. Most of the global players know that a “buy” strategy is a more definitive path to market than “build/partner”; and
• Non-traditional players view compliance as a necessary competence for up-sell and cross-sell revenue growth.

2008 will be a pivotal year for M&A in the sector.
  12. CONCLUSION

The compliance automation category includes many components, such as compliance control point automation, GRC, IT Governance/IT-GRC, risk management, and risk analytics. Today, this category is one of the top areas of enterprise spend. Though the market is still somewhat undefined, the leading enterprise software vendors, pure-play ISVs, and several non-traditional players are working to redefine the category and establish a leadership position. This leadership position will be defined on a range of capabilities and compliance solution CEOs must therefore remain constantly aware of the criteria by which they are being evaluated in the market.

Because of its importance to the C-Suite and the significant addressable market, TripleTree predicts that a host of players will aggressively pursue a leadership position through internal investment and acquisition. For these CEOs considering liquidity options, below are a few key points:

• Market definitions are solidifying now, and over the next six quarters consolidation will conclude.
• Depending on a number of factors, valuation guidelines for licensed software or services-centric compliance businesses will be in the 1-3x revenue range (TTM) with opportunities for premium value creation.
• For pure-play SaaS businesses, recurring revenue growth will be a key metric for garnering a premium well in excess of licensed software businesses.
• Once the initial wave of consolidation has concluded and enterprise vendors establish their platform strategies, additional tuck-under deals will occur, but likely at lower valuations.

As an investment bank and strategic advisor, TripleTree is committed to helping emerging companies understand how to take advantage of trends like those outlined in this report. Over the next few quarters, our compliance research agenda and webcasts will further assess the evolving market, where disruption is likely, and review vendors delivering on their vision.

We welcome the opportunity to learn more about your business and how we can help your team climb to the next plateau of market leadership.
  13. THE TEAM

Kevin Green, Managing Partner
• Co-founded TripleTree, LLC
• 25+ years building and advising IT companies
• Senior executive roles in public and private IT companies; two as CEO
• Active with numerous industry associations, and Board of Directors, including SIIA and Connextions
• BA and MBA, University of San Diego

David Henderson, Managing Partner
• Co-founded TripleTree, LLC
• 22+ years in venture capital, business development and as a senior operating executive
• Seven years of public accounting experience at Arthur Andersen
• CEO of a $400 million asset bank holding company
• Active Board of Director on several public and private companies
• BA, Moorhead State University; Certified Public Accountant

Scott Tudor, Managing Partner
• Joined TripleTree in 1998
• Specializes in IT Outsourcing & Managed Services and Healthcare IT
• Worked on more than 30 transactions with leading global companies such as UnitedHealth Group and Hewlett Packard
• Served as TripleTree’s research chairman
• BA and JD, University of Illinois; MBA, Carlson School of Management, University of Minnesota

Chris Hoffmann, Senior Principal/Research Director, Technology
• Joined TripleTree in 2005
• 19+ years of experience as an operating executive, consultant, and analyst in the technology industry
• Transaction activity focus in the areas of software and technology
• Former President of Tier1 Research; executive positions at Gartner, GE Capital Consulting and IBM Global Services
• BA, University of Minnesota-Duluth; advanced studies through the University of Minnesota and Michigan State University

Brian Klemenhagen, Senior Principal
• Joined TripleTree in 1999 with over ten years of combined investment banking and Wall Street equity research experience
• Primary engagement manager across technology, software and outsourcing sectors
• Principal contributor to TripleTree’s SaaS research
• Prior to joining TripleTree was with RBC Dain Rauscher
• BA, Gustavus Adolphus College; MBA, Carlson School of Management, University of Minnesota
  14. THE TEAM

Scott Donahue, Principal
• 15+ years financial strategy analysis and business development consultation including marketing, operations support, and technical product development
• Expertise in IT operations and services delivery approaches
• Wall Street experience
• Served in management roles at leading IT firms
• BA, University of California - Santa Barbara; MBA, University of Michigan

Scott Prentice, Associate
• Focus on M&A and private placement activity in the technology sector
• Previously worked on M&A activity at Ingenix, a division of UnitedHealth Group
• Prior experience included technology capital investment at Target Corporation and as an IT consultant with Computer Science Corporation
• BA, Bethel College; MBA, Carlson School of Management, University of Minnesota

Michael Boardman, Senior Analyst
• Specializes in research and analysis of industry trends and investment opportunities within Software and IT Services
• Prior experience includes an internship with Merrill Lynch
• Held a Cisco Certified Networking Associate Degree (CCNA)
• BA, University of Minnesota; BSB, Carlson School of Management, University of Minnesota

Matthew Flores, Senior Analyst
• Dedicated to research and analysis within Enterprise Software, Telco, and Wireless
• Research and transaction experience with TripleTree’s Healthcare and Mobile Wireless Teams
• BA, Bates College

Jeff Kaplan, Senior Advisor
• Advises TripleTree’s technology team
• Founder and Managing Director of THINKstrategies
• Founder of the Software as a Service (SaaS) Showplace® and Managed Service Showplace®
• Founding member of the SIIA SaaS Executive Council
• Frequent speaker at industry events and contributing columnist for BusinessWeek, Mass High Tech Journal, Financial Times of London, and Network World, among many other industry leading publications
  15. About TripleTree

TripleTree, LLC is a research-based investment bank serving growth companies, investors and global acquirers. TripleTree conducts proprietary research that guides our work in M&A, growth capital and financial advisory services. Our value-based approach benefits technology-enabled businesses in sectors like healthcare, where technology and services are converging in new delivery models and in other industries where management and investors are in search of creative ways to penetrate and dominate markets and build value.

TripleTree’s unique personality is shaped by the experience of our principals, who as former business builders and transaction advisors create strategic outcomes that maximize value for our clients.

Copyright © 2008 by TripleTree, LLC
t 952-253-5300
f 952-253-5301
7601 France Avenue South, Suite 150
Minneapolis, Minnesota 55435