In the 90’s a series of new regulations and high-profile prosecutions forced the healthcare industry to develop legit compliance programs: The Anti-Kickback Statute was followed by the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and the compliance provisions in the Balanced Budget Act of 1997. There were also some public investigations and lawsuits, such as “Operation Restore Trust” in 1995 and the $1.7B penalty lobbed at Hospital Corporation of America for compliance and ethics breaches. So by 2001, healthcare organizations had thoroughly felt the pressure and compliance programs were prolific. What’s interesting to me is that technology companies benefited ($$$) by fulfilling their compliance needs. Today the regulatory landscape continues to evolve in healthcare and elsewhere in tandem with new and more complex risks for organizations. At Bowery Capital we are looking closely at companies and technologies that push forward the Governance, Risk, and Compliance (GRC) programs in enterprises, and paying particular attention to verticals that may experience GRC growth waves like healthcare in the 90’s. One interesting place to be a GRC technology company right now is finance, as it goes from regulation to innovation.
Finance GRC professionals I’ve talked to predict that finance is entering a cycle of GRC technology growth analogous to what healthcare experienced in the 1990s, and I tend to agree. One can easily rattle off the legal action and legislation that has resulted from financial institutions perpetrating or enabling illegal activity, ethics and process breaches, systemic damage via lax risk and security controls, and other suboptimal standards and behavior. HSBC was fined $1.25B at the end of last year for enabling money laundering by Mexican cartels to the tune of $881MM. Prior to the fine, and contrary to common sense, Mexico was classified in HSBC’s lowest risk category. More generally speaking, the regulatory climate and public expectations for financial institution governance have changed since 2008. Gone are the days of robust prop trading operations and high leverage ratios, and here is the Consumer Finance Protection Bureau and derivatives regulation. Big financial institutions are being forced to adopt sweeping GRC programs to manage risk and remain compliant, and that’s good news for GRC technology companies.
Managing this shift in regulation and public expectation means firming up and consolidating governance, risk, and compliance programs at large financial institutions. But this is tough. Finance is facing many of the same challenges that healthcare faced in the past as they implemented subpar compliance technology into old-school systems. The finance industry is struggling to efficiently aggregate good data across all these old systems to create a meaningful picture of risk and compliance. What they’re aiming for is the ability to roll up data and analysis across the total organization into one picture, like a 4th financial statement: the GRC statement. The problem is, most of today’s tools can’t do this very well.
On the bright side, where there is a problem and a big market opportunity (about $10B for GRC technology overall), solutions follow. And these future best-in-class GRC solutions for the finance vertical could look forward to the growth experienced by the companies that served compliance needs in healthcare in the 90’s and 2000’s. The first GRC tool to meet healthcare compliance needs was Electronic Document Management (EDM), also known as Enterprise Content Management (ECM). These technologies solved the problem of properly storing, tracking, and processing unstructured data in a compliant and efficient manner, which at the time was becoming increasingly important and difficult to manage. This came in handy, for example, when a pharmaceutical company was managing the new drug application process. Documentum and Filenet were two companies that came to prominence with EDM solutions at this time. In part for fulfilling these new GRC demands, Documentum and Filenet were later acquired by EMC and IBM for $1.7 billion and $1.6B, respectively. The now ubiquitous Adobe PDF technology also came to prominence at this time on the back of this trend.
Whether it will be a big old-school player or an upstart that creates the silver bullet platform or modular add-on that makes finance GRC professionals’ lives easier is yet to be seen. However, when they do, I expect they’ll reap the rewards that EDM technology companies did serving healthcare a decade ago.