GRC: Trying to take the bite out of risk

22.08.2012

"For example, they're looking at how an organization is able to identify, measure and mitigate risks, with less concern for what those risks are."

One noteworthy trend Proctor sees coming in the market is a consolidation of GRC tools within organizations, tied to a shift in how some in the industry view IT GRC and enterprise GRC (EGRC) tools. The products have generally been treated as separate entities, but firms such as Gartner are beginning to rethink whether IT and enterprise GRC are in fact separate markets. Proctor says IT GRC software, which has traditionally focused on gathering IT-related data, has a much smaller market than EGRC software and is really just one aspect of what EGRC covers. When CSOs are evaluating GRC capabilities, he says, they should ask whether they need a separate tool for IT GRC at all.

Some of the enterprises that use GRC tools are running several different products because individual departments and business units each bought their own tool--each with its own strengths--based on that department's needs. Proctor says this approach misses the point of GRC software, which is to provide a single view of governance, risk and compliance across the organization. "If everyone buys their own tool then they're only getting automation for their own processes or department," he says.

"Some organizations have as many as five of these tools, and in organizations where that happens they have no central oversight of this."