In this edition of SaaS Talk, Golub Capital Senior Director Rob Sverbilov speaks with MetricStream Executive Chairman Gunjan Sinha to discuss the value of GRC in every organization, and how companies in the SaaS space can leverage GRC to get ahead.
GRC has become important in the last 30 years due to technology and software adoption with the advent of SaaS. Technology is permeating every facet of global enterprises, and there is a real acceleration in every direction of the digital transformation. This acceleration is all very good, but with it comes a challenge.
When you’re trying to build, let’s say, a high-performance car, you need the accelerator, but you also need the brakes. You need the controls. You need the ability to regulate. In the GRC industry, you need to look at the reverse side of the growth equation and ask, “How do I think about risk management, regulators, compliance and governance?” Ask about your policies, both the written and unwritten social contract that your company has to adhere to.
But GRC is not just about complying with regulations. It is the reason a firm will ultimately win the race in a sustainable manner, because you know when to tap the brakes while accelerating, and it means you’re able to make the turns without crashing into walls, so to speak. You need both the brakes and the accelerators to succeed. You can’t simply operate on accelerators.
In addition to financial services, healthcare, energy and utilities are highly regulated industries, so there’s an automatic driver for firms in these industries to focus more on risk.
GRC is not just about the fines or penalties; the reputational damage of making a mistake can be significant. That’s why in the next 10 years, this is going to be an area where we will have to exercise a greater degree of self-regulation, if not government regulation, and better risk management, governance and compliance.
When I look at industries now, especially where there’s a high technology quotient, where people have access to digital transformation and digital data, there’s a rise in the volume, velocity and variety of data. Therein lies the ability to do and think about the opportunity around GRC, because it allows you to now leverage all the data to get into different markets, especially regulated markets.
Technology companies are amassing unprecedented amounts of data. Data is the new oil. It is the currency that’s going to drive profits and market competitiveness. With data comes a tremendous amount of responsibility. You have to make sure that you’re treating it with the right controls, so that the owners of the data are actually benefiting from their own data. You have to understand where not to use data in a way that compromises data privacy. This is particularly important in the technology sector because we are swimming in data. Our sector is harnessing data to the fullest, but we need to become more responsible about how we manage our own data.
You want the balance of privacy. You want to make sure that the data is readily accessible, yet private. Governance, risk management and compliance have to be thought of as the core in your strategy. You have to create the balance of how you may give people access in a way that doesn’t compromise the policies, regulations, risk profile and risk appetite of your customers.
You need to start thinking about the elements of GRC from day one, because this is what allows you to stay in business. It allows you to build trust with your customers, to prove that you know how to handle their data with the highest level of security, privacy and care. GRC allows you to build your business in a sustainable manner where you stay within the boundaries of corporate governance, risk management and compliance that are represented to your stakeholders. Long before you become a Ferrari, even if you had a bicycle, you still need the brakes on your bicycle.
I would urge the enterprise SaaS companies, including management and board members, to make sure that the GRC journey is a part of the blueprint and not an afterthought. It is not something that you do after you go public or after you become a certain size. You’re responsible for your customers’ data and applications, starting at day one.
My biggest piece of advice is to find a problem that’s worth solving with a real need in the marketplace. Then, you need to surround yourself with high-quality people. I don’t mean people with certain experience levels or certain degrees. You have to really think through, in your universe, what does high-quality mean? Entrepreneurship is a game of high performance, and it starts with people. When I look at everything that I’ve done, I see that it’s because I had a really good set of people around me. I urge people, entrepreneurs and founders, to be more open-minded when curating their ecosystem and environment. You maximize your chances of success by including the right set of people.
Today, more companies are going public later and later in their lifecycle. With the amount of capital that is sitting in the private markets, and if you assume a downturn to be a couple of years, there’s ample private capital you can deploy to help build your business. So, you don’t need the public markets to build your business.
The fundamental change that happens is how your customers perceive their ability to invest in a recession. When it comes down to that, the things that matter, when the markets are buoyant versus when markets are down, are going to be things which “have deeper value proposition.” Some of the best businesses have actually been built in recessionary times. For example, Google came out of the dotcom crash. Companies that have deep value propositions are going to thrive when the recession puts pressure on all the software companies.
In a downturn, people are going to be more operationally focused on their risk tolerance and risk appetite, and turn their attention toward executing risk management more soundly within higher margins. Your value proposition has to go deeper to make the cut, to get the funding needed to be able to help you continue to stand up and grow.
The second thing I would highlight is that, by definition, the SaaS business is about a recurring business model, which is very powerful. That’s what investors and entrepreneurs like about them. That’s the positive part of it, that you actually are building a business that you can rely on, even if your growth has slowed down. The only counter thing would be to make sure that customer engagement and customer success go deeper. You need to be able to count on your revenues and not see a spike in customer churn or other metrics that take away from your base of recurring business.
First, you’re going to see more and more applications of artificial intelligence (AI) in the world of GRC. You’re going to see more intelligence flowing in, so that GRC can be more of a preventative tool, instead of a reactive tool. It won’t be quite like autopilot where the car runs on its own, but it will be like keeping your hands on the wheel while the car knows how to make turns and navigate through traffic. GRC will become more AI-driven and semi-autonomous in many places. It will avoid failures, risk, catastrophic fines and brand damage for companies, with little intervention from people.
The other trend I see is people coming together as hubs to build a GRC ecosystem not just for one company, but a set of companies. This way, they can come together to create things that help a segment of the industry, or vertical, over time.