tripletree compliance

NEXT GENERATION COMPLIANCEBUILDING A PLATFORM APPROACH TO ENTERPRISECOMPLIANCE AND RISK MANAGEMENT

A TripleTree Industry Analysis

SPOTLIGHT REPORT WWW.TRIPLE-TREE.COM 952.253.5300

TABLE OF CONTENTS

INTRODUCTION 2

THE COMPLIANCE LANDSCAPE – DEFINING A SECTOR AMID RAPID GROWTH 4

ASSESSING AND MANAGING ENTERPRISE RISK 5

MATURING PLATFORMS 9

CONCLUSION 11

THE TRIPLETREE TEAM 12

TripleTree, LLC

7601 France Avenue SouthSuite 150Minneapolis, MN 55435

t 952.253.5300f 952.253.5301

www.triple-tree.com

MINNEAPOLIS 952.253.5300 WWW.TRIPLE-TREE.COM Q1 2008 COMPLIANCE PAGE 1

Compliance is undoubtedly one of hottest, but perhaps one of the most misunderstood sectors within enterprise software. The complexity of corporate governance and a stricter regulatory environment are driving the market for solutions that help enterprises manage risk, satisfy compliance mandates, and meet government initiatives.

Though the scope of the term compliance varies from vendor to vendor, TripleTree views compliance as the broader set of business practices and technologies that seek to fi nd solutions in the areas of enterprise risk management, corporate governance, IT governance, and compliance controls management. The vendor landscape is rapidly expanding as both emerging vendors and global technology leaders roll out solutions and product road maps for an expanding market. These solutions are engineered to address a fl ood of regulatory requirements in establishing good governance practices and industry standards which are now at the forefront in the highest levels within most organizations.

This Executive Digest is the fi rst in a series from TripleTree addressing the evolution of governance, risk and compliance market. At a high level, it assesses why compliance and risk management needs are top-of-mind for enterprises and where vendors are creating automated solutions to serve these evolving set of needs. It will conclude with a viewpoint of how an enterprise-wide compliance platform and ecosystem will evolve in what is currently a highly fragmented market.

Looking ahead to future Executive Digest reports, TripleTree’s compliance research agenda will cover:

An expanded view on compliance, risk management, and governance platforms with perspectives on platform approaches to managing compliance initiatives;

A review of the various delivery models and deployment scenarios for compliance solutions ranging from licensed software to SaaS, and hybrid models to outsourcing; and

A viewpoint for emerging company CEOs on compliance solutions that will assess how this sector may mature including areas for cooperation, likely vendor consolidation and ideas for value maximization.

•

•

•

PAGE 2 Q1 2008 COMPLIANCE WWW.TRIPLE-TREE.COM MINNEAPOLIS 952.253.5300

INTRODUCTION

Compliance Management is Top-of-Mind for C-Level ExecutivesEnterprises of all sizes are scrambling to establish compliance solutions to address the tens of thousands of federal, state, local, and international regulations ranging from well known mandates such as Sarbanes-Oxley (SOX), Patriot Act, HIPAA, and NERC in the U.S., to J/SOX in Japan and Basel II in Europe, plus a number of lesser known compliance arenas like FISMA, PCI and alpha-numeric combinations like ISO 15489 and SEC 17a-4.

There are simply too many regulations affecting every aspect of an organization’s business processes and systems to manage them effectively ad-hoc. With billions of dollars of potentially business-wrecking fi nes, it is becoming increasingly clear that compliance initiatives must be addressed through automation and a comprehensive, repeatable process rather than as a one-off project. A range of functionality can be included in a comprehensive compliance solution. Based on TripleTree’s ranking of compliance vendors, a basic list of tech-enabled functions must minimally include:

• Business Process Modeling• Controls Automation (both IT & Business/Financial)• Dashboards• Document Management• Financial Reporting Integration• Policy Management• Risk Management

Audit Support

Given the cross functional application and infrastructure technologies that are impacted by compliance mandates, today’s compliance solutions must link or collaborate with enterprise content management, business intelligence, business performance management, and various reporting and analytical applications.

•


COMPLIANCE MANAGEMENT

Defi ning a Sector Amid Rapid Growth

An entire sector of software vendors have emerged to offer solutions engineered to automate compliance processes and features as previously listed. TripleTree tracks over 300 such vendors and has only scratched the surface. A few vendors have designed a platform approach to broad-based compliance issues within the enterprise, but the majority are best classifi ed as point solution vendors addressing only particular compliance control areas. Many others have largely stumbled into the compliance category from adjacent markets such as security, business intelligence, or content management.

The rise of the point solution vendors began in the late 1990s as enterprises began to realize that manually addressing regulations through audits and ad-hoc home-grown tracking applications was simply not cost effective. Largely, many of these fi rms have specialized in one or a few regulatory mandates such as Sarbanes- Oxley and have worked to broaden their solution into other regulatory and control areas. In addition to these specialists, ‘compliance’ has become a magic descriptor fi nding its way into almost every enterprise software vendor’s solution vernacular and product road map, making it very diffi cult for enterprises to sort out an ever growing landscape of providers.

Though no clear consensus exists on the current size of the compliance market, some analysts peg the sector as a greater than $50 billion opportunity and others see it as much smaller. The wide range in sizing is indicative of how varied the market defi nitions of the space are. Based on scores of TripleTree vendor briefi ngs and end-user feedback, what is clear is that the defi nitions of compliance are shifting to meet economic and legislative demands. As such, the more innovative providers of compliance solutions are being forced to pivot and hone their market awareness, strategy, messaging and product development.

Defi nitions: Common defi nitions for compliance areas are absent in our risk-aware business culture. Compliance is a broad reaching concept that touches a number of business processes and functional domains within an organization. Vendor solutions need simplifi cation for interest and adoption to grow.

Fragmentation: Many organizations are using numerous compliance solutions particular to the needs of the CFO, general counsel, chief compliance offi cer, CIO, and marketing. With these distinct buyers come misconceptions about how compliance policies should be mandated and managed.

Incomplete Solutions: A majority of software vendors claim to have a complete compliance solution but only address a narrow set of requirements around specifi c control points or a handful of regulations.

Emerging Vendor Leadership: Enterprise platform players and a select group of innovative ISVs are driving solution defi nition in the compliance sector. During the next few quarters, awareness, acceptance and a resulting consolidation in the sector will occur as global fi rms fi ll gaps in their solutions.

•

•

•

•


THE COMPLIANCE LANDSCAPE

ASSESSING AND MANAGING ENTERPRISE RISK

Approaching compliance management with consistency across an organization is challenging. In most organizations, compliance control is not a holistic process and most issues are addressed at the business unit or product level. The following is a simplifi ed view of a typical enterprise:

• Human capital management teams must adhere to labor laws• Finance departments manage various regulations and disclosures as well as provide means for transparency and independent verifi cation• Manufacturing teams address product safety and quality requirements• Legal dictates internal policies while collaborating with external counsel on litigation issues, discovery, and IP protection• IT departments focus on security and data privacy• Marketing departments are managing key customer and billing information with sales teams, channel partners and customer service. As a by-product of this fragmentation, information and process silos have emerged across these departments and the resulting compliance investments will remain ad-hoc for the foreseeable future. However, compliance solutions that remain narrowly focused around discreet issues will struggle to become a relevant compliance platform.

Regulatory ComplianceRegulatory compliance remains a critically important function and a component of most broad risk management and governance platforms. To properly understand and manage risk, meet regulatory and corporate requirements, and execute on governance initiatives, enterprises need a robust and comprehensive application suite and these suites are beginning to materialize as Governance, Risk and Compliance (GRC) solutions.

For many compliance vendors, GRC and their component terms (governance, risk and compliance) are often used interchangeably. However, TripleTree believes clear distinctions should and must be drawn between the scope and functionality for solutions that address compliance risk management and governance automation.

GRCCompliance management is the label used to describe a holistic compliance framework which can span an enterprise through transparent and effi cient processes. We narrowly classify GRC as a subsegment of technology solutions within the broader compliance management framework. Though this naming convention may seem counterintuitive given that ‘C’ in GRC stands for ‘compliance’, this nomenclature is used by a majority of leading vendors and industry analyst groups. While several GRC solutions exist, TripleTree defi nes a complete GRC program as one which takes a federated approach integrating compliance control points into broader, collaborative enterprise-wide schemas. End-users can be easily confused as vendors use GRC as an umbrella term to describe point based solutions that treat individual compliance and risk initiatives as compartmentalized silos within an organization, as opposed to taking a more top-down approach.


IT GovernanceThrough our proprietary research, TripleTree has discovered patterns where IT Governance (ITG) is transcending pre-defi ned boundaries into a broader IT governance, risk and compliance management (IT-GRC) defi nition. Broadly speaking, traditional ITG is a framework by which organizations leverage internal IT assets to support and manage governance, risk and compliance initiatives across the enterprise. Inherent in these ITG strategies are how the procedures and responsibilities which govern risk and compliance integrate with work fl ows. While GRC vendors cater to the CEO and CFO, IT Governance solutions have been deployed as controls designed to resolve pain points of the CIO such as data management, portfolio management, performance management and disaster recovery. Vendors are fi nding that the most effective ITG platforms integrate technologies which extract value from the IT infrastructure by integrating previously isolated IT control points into a top-down decision making process.

Early IT Governance solutions were limited to best-of-breed applications that helped facilitate Project Portfolio Management (PPM) initiatives and decision making processes surrounding IT investments. By providing tools that helped analyze, prioritize, and make decisions, these solutions created a framework and process by which organizational IT goals could be measured and initiatives for value creation discovered.

Corporate leaders are now taking a top-down approach for compliance control across the enterprise and are looking to IT as a critical support for GRC and all enterprise compliance initiatives.

An Enterprise-Wide View on Compliance ManagementThough many vendors currently offer tools that address many compliance control points, a platform has not yet evolved to adequately address all key elements of enterprise compliance management.

An enterprise-wide compliance solution must address both the management needs that span business and IT. Information management, analytics, fi nancial controls, internal audits, eLearning, labor laws and traditional IT governance areas like asset management, security, and content management are inclusive of these needs. A holistic enterprise compliance platform must address both the “top-down” business-facing processes and systems and the “bottom-up” IT controls of the organization.

Only by creating an enterprise-wide ecosystem that unifi es the decision making process between GRC, ITG, ERP, BI, and CPM systems can an organization fully realize the value of its compliance programs.


.

Understanding the

Components of GRC

Governance is the framework

that defi nes how corporations are

managed to achieve corporate

goals.

Risk Management is the process

of identifying and assessing

enterprise risk within a developed

framework to address those risks.

Though risk management is a

discipline practiced throughout

enterprise, it has historically been

implemented on an ad-hoc basis

to address isolated risk silos.

Compliance Management

defi nes how corporations conform

to guideline laws set forth by

governmental agencies or industry

standards. It also defi nes internal

policies and best practices.

Compliance technologies have

traditionally been control point

solutions which help users conform

to a set of parameters for a specifi c

risk or regulation (i.e. Sarbanes-

Oxley). These technologies

typically implement transparency

measures to assure outsiders that

an organization is compliant.

t

S hared S ervices

• Auditing / R eporting / Dashboards• Analytics• P olicy / P roces s Management• W orkflow• B est P ractices• Legis lative / Regulatory

• Document Management• Incident Management• C onsulting / Services

P roject P ortfolio R es ource As s et R es ource Management

E nvironmentalHealth & S afety

E thics P rograms

C orporate F ilings

Indus try Specific R egulations

Marketing C ompliance

C ontract Management

IP /Knowledge Management

Human R es ources

Training C ertification

eDis covery

IT S tandards / S OA

Data Management/ IL M

Dis as ter R ecovery/ C ontinuity

P roject P ortfolio Management Management

As s et C hange & C onfiguration

Management

S ervice Management

ID Management & S egregation of Duty

Us er Activity Monitoring

Security Management

P erformance Management

C apacity P lanning

R is k Analytics

Operational R is k

F raud As s es s ment/AMC

Internal AuditF inancial C ontrols

- S ox, B asel II, HIP AA, C OB IT

Storage

Archival &Records

Management

ERP

Database

StrategicConsultingFramework

EnterpriseApps

Content

Partners

Business Risk and Compliance

IT Risk and Compliance

IT Compliance

IT Risk

TripleTree has outlined a list of 30 representative control points within an enterprise risk and compliance management platform.

Control points on the top half of the diagram are functions typically associated with business risk and compliance management. The bottom half of the diagram shows IT risk and compliance management control points.

The Shared Services box in the center tie together compliance within the business units and the IT elements throughout an organization. These services help to better integrate governance, risk and compliance decision processes with other business goals.


Figure 1: TripleTree’s Compliance Market Map Q-Diagram

Source: TripleTree

This “top-down/bottom-up” model is considered a goal for many of today’s compliance providers as organizations ultimately will want a comprehensive solution from a trusted vendor. Engineered solutions designed to help an organization understand and manage its broad compliance initiatives effi ciently will include automated control points for both the business units and IT.

Because enterprise compliance suites are early in their evolution, organizations must work toward adopting a federated framework by integrating several point based controls into a unifi ed system. Organizations that apply this federated approach should seek a pre-integrated multi-vendor solution based on a common data repository. This will help to maintain a holistic view of business risk and compliance initiatives that are in line with business processes. Moreover, the unifi ed data repository will allow organizations to leverage common shared services and enable executives to make decisions based on a single, consistent data source as opposed to deciphering multiple disconnected data streams.

Source: TripleTree


Figure 2: A “Top-Down/Bottom-Up” Approach to Compliance

CommonEngine

Analytics

FoundationBased

Extensible(SOA)

Business Risk and Compliance

IT Risk and Compliance

Frameworks

MATURING PLATFORMS

As stated, the fragmented market for compliance solutions has been comprised of a narrow set of control points, a limited set of regulations and some foundations in IT governance. Recent sector consolidation point toward a maturation of thinking by leading vendors. We predict the evolution of compliance solutions will be driven by leading enterprise software vendors and specialized compliance management vendors racing to fulfi ll enterprise compliance needs as represented in both halves of our Q-Diagram on page 7. Today’s compliance specialists are represented by a list of vendors offering both licensed software and SaaS-based solutions.

Vendor comparisons are diffi cult since sector defi nitions and actual capabilities within the compliance stack do not match up. From the list above, each fi rm represents some functionality for fi nancial controls, audit automation or regulatory control. Solution maturity is varied.

Risk Management capabilities also vary widely among vendors. For instance, one vendor may have strong dashboard and reporting capabilities alerting users to compliance defi ciencies, while another may take a more process-centric approach focused on defi ciency remediation. Yet another vendor may have engineered strong ties into a business intelligence-centric, corporate performance management suite for complex analytics.

A few vendors are messaging and delivering around a “top-down/bottom-up” approach by touching on several areas of business risk and compliance as well as IT risk and compliance. However, no single vendor (or ecosystem of ISVs) provides the comprehensive enterprise-wide compliance solution like the one outlined in our Q-Diagram.

Consolidation - Further Defi ning the SectorNot surprisingly, global technology platform vendors like Oracle and SAP are beginning to push their GRC/compliance message and assemble their respective platforms. In terms of capability, market reach, and ability to execute, we consider the global vendors as the group most capable of assembling the functionally for a holistic enterprise compliance platform.

Oracle’s strategy includes leading with its fi nancial applications, middleware, content management (Stellent), and recently acquired compliance assets such as LogicalApps. Ecosystem partners (ISVs and service providers) will become increasingly important to Oracle as it broadens its compliance defi nition within its GRC strategy.

SAP’s GRC strategy is based on the strength of its fi nancial application platform,


CACompliance 360HPIBM

••••

OracleOpenPagesPaisleyProtiviti

••••

ResolverSAPOthers

•••

HCM, and supply chain assets. Newly acquired capabilities from the likes of Versa also play a signifi cant role. SAP’s pending Business Objects acquisition foretells of an increasing focus on analytics and intelligence as a broader risk management strategy.

As we foreshadow a consolidation trend, a range of potential consolidators come to mind. In addition to the obvious global enterprise software vendors, fi rms in the integrated information management, publishing, and document services sectors make interesting acquirers. Certain industry-focused vendors and offshore BPO vendors are also of consideration.

Key Drivers:

• Compliance is a top-of-mind category;

• Global technology leaders in applications and infrastructure are racing to be seen as having the most extensive compliance management platform and by extension want to shape the category and its components;

• While no single vendor can organically build a holistic platform today, (the “top-down/bottom-up approach”) compliance ecosystems (e.g. SAP’s recent linkage with Cisco Systems) will begin to emerge and consolidate in order to address multiple compliance requirements;

• Disruptive delivery models like SaaS and hybrid solutions (SaaS- enabled BPO) will become more prevalent, just as they have in other software categories;

• Since no clear sector leader exists, time-to-market is critical. Most of the global players know that a “buy” strategy is a more defi nitive path to market than “build/partner”; and

• Non-traditional players view compliance as a necessary competence for up-sell and cross-sell revenue growth. 2008 will be a pivotal year for M&A in the sector.


Figure 3: Representative Compliance Market Activity Consolidation

D ate B uyer Target D escription

Business Risk and ComplianceO ct-07 Wolters Kluwer PwC (TeamMate Software) Audit management & risk assessmentO ct-07 O racle LogicalApps ERP compliance & monitoring softwareSep-07 X erox Advectis Document management & collaboration SaaS Jun-07 Iron Mountain Accutrac Software Records management & compliance softwareNov-06 Oracle Stellent Content management softwareApr-06 SAP Virsa Systems, Inc. Segregation of duties; SOX compliance

Feb-06 Fujitsu Consulting GIM Risk Management SOX compliance sysetms integration

IT Risk and ComplianceSep-07 O racle Bridgestream Identity and access management Dec-06 IBM C onsul Risk Management IT & compliance management software Jul-06 HP Mercury Business Technology Optimization (BTO) softwareJun-05 CA Niku IT management and governance software

CONCLUSION

The compliance automation category includes many components, such as compliance control point automation, GRC, IT Governance/IT-GRC, risk management, and risk analytics. Today, this category is one of the top areas of enterprise spend.

Though the market is still somewhat undefi ned, the leading enterprise software vendors, pure-play ISVs, and several non-traditional players are working to redefi ne the category and establish a leadership position.

This leadership position will be defi ned on a range of capabilities and compliance solution CEOs must therefore remain constantly aware of the criterion with which they are being evaluated in the market. Because of its importance to the C-Suite and the signifi cant addressable market, TripleTree predicts that a host of players will aggressively pursue a leadership position through internal investment and acquisition. For these CEOs considering liquidity options, below are a few key points:

• Market defi nitions are solidifying now, and over the next six quarters consolidation will conclude.

• Depending on a number of factors, valuation guidelines for licensed software or services-centric compliance businesses will be in the 1-3x revenue range (TTM) with opportunities for premium value creation.

• For pure-play SaaS businesses, recurring revenue growth will be a key metric for garnering a premium well in excess of licensed software businesses.

• Once the initial wave of consolidation has concluded and enterprise vendors establish their platform strategies, additional tuck-under deals will occur, but likely at lower valuations.

As an investment bank and strategic advisor, TripleTree is committed to helping emerging companies understand how to take advantage of trends like those outlined in this report. Over the next few quarters, our compliance research agenda and webcasts will further assess the evolving market, where disruption is likely, and review vendors delivering on their vision. We welcome the opportunity to learn more about your business and how we can help your team climb to the next plateau of market leadership.


Q1 2008 COMPLIANCE WWW.TRIPLE-TREE.COM MINNEAPOLIS 952.253.5300

THE TEAM

Kevin Green, Managing Partner• Co-founded TripleTree, LLC• 25+ years building and advising IT companies• Senior executive roles in public and private IT companies; two as CEO• Active with numerous industry associations, and Board of

Directors, including SIIA and Connextions• BA and MBA, University of San Diego

David Henderson, Managing Partner• Co-founded TripleTree, LLC• 22+ years in venture capital, business development and as a

senior operating executive• Seven years of public accounting experience at Arthur Andersen• CEO of a $400 million asset bank holding company• Active Board of Director on several public and private companies• BA, Moorhead State University; Certifi ed Public Accountant

Scott Tudor, Managing Partner• Joined TripleTree in 1998• Specializes in IT Outsourcing & Managed Services and Healthcare IT• Worked on more than 30 transactions with leading global companies

such as UnitedHealth Group and Hewlett Packard• Served as TripleTree’s research chairman• BA and JD, University of Illinois; MBA, Carlson School

of Management, University of Minnesota

Chris Hoffmann, Senior Principal/Research Director, Technology• Joined TripleTree in 2005• 19+ years of experience an operating executive, consultant, and analyst in

the technology industry• Transaction activity focus in the areas of software and technology• Former President of Tier1 Research; executive positions at Gartner,

GE Capital Consulting and IBM Global Services• BA, University of Minnesota-Duluth; advanced studies through

the University of Minnesota and Michigan State University

Brian Klemenhagen, Senior Principal• Joined TripleTree in 1999 with over ten years of combined investment

banking and Wall Street equity research experience• Primary engagement manager across technology, software and

outsourcing sectors• Principal contributor to TripleTree’s SaaS research• Prior to joining TripleTree was with RBC Dain Rauscher• BA, Gustavus Adolphus College; MBA, Carlson School of Management,

University of Minnesota

MINNEAPOLIS 952.253.5300 WWW.TRIPLE-TREE.COM Q! 2008 COMPLIANCE PAGE 13

THE TEAM

Scott Donahue, Principal• 15+ years fi nancial strategy analysis and business development consultation

including marketing, operations support, and technical product development• Expertise in IT operations and services delivery approaches• Wall Street experience• Served in management roles at leading IT fi rms• BA, University of California - Santa Barbara; MBA, University of Michigan

Scott Prentice, Associate• Focus on M&A and private placement activity in the technology sector• Previously worked on M&A activity at Ingenix, a division of

UnitedHealth Group• Prior experience included technology capital investment at Target

Corporation and as an IT consultant with Computer Science Corporation• BA, Bethel College; MBA, Carlson School of Management, University

of Minnesota

Michael Boardman, Senior Analyst• Specializes in research and analysis of industry trends and investment

opportunities within Software and IT Services• Prior experience includes an internship with Merrill Lynch• Held a Cisco Certifi ed Networking Associate Degree (CCNA)• BA, University of Minnesota; BSB, Carlson School of Management,

University of Minnesota

Matthew Flores, Senior Analyst• Dedicated to research and analysis within Enterprise Software, Telco, and Wireless• Research and transaction experience with TripleTree’s Healthcare and Mobile Wireless Teams• BA, Bates College

Jeff Kaplan, Senior Advisor• Advises TripleTree’s technology team• Founder and Managing Director of THINKstrategies• Founder of the Software as a Service (SaaS) Showplace® and Managed

Service Showplace®• Founding member of the SIIA SaaS Executive Council• Frequent speaker at industry events and contributing columnist for

BusinessWeek, Mass High Tech Journal, Financial Times of London, and Network World, among many other industry leading publications

About TripleTree

TripleTree, LLC is a research-based investment bank serving growth companies, investors

and global acquirers. TripleTree conducts proprietary research that guides our work in M&A,

growth capital and fi nancial advisory services. Our value-based approach benefi ts technology-

enabled businesses in sectors like healthcare, where technology and services are converging

in new delivery models and in other industries where management and investors are in search

of creative ways to penetrate and dominate markets and build value.

TripleTree’s unique personality is shaped by the experience of our principals, who as former

business builders and transaction advisors create strategic outcomes that maximize value for

our clients.

Copyright © 2008 by TripleTree, LLC

t 952-253-5300 f 952-253-5301

7601 France Avenue South Suite 150 Minneapolis, Minnesota 55435

www.triple-tree.com