Latest News
Why Governance, Risk and Compliance platforms are hot property in the M&A world

Why Governance, Risk and Compliance platforms are hot property in the M&A world

Risks to businesses are continually evolving and increasing. Whether it’s complying with the latest regulation and legislation, managing complex global supply chains, privacy concerns, cyber-attacks, health and safety, operational challenges, financial performance, or environmental compliance, the list is long, growing, and challenging.

Risks are often interconnected, and the pace of change is driving businesses to adopt software solutions that can provide Boards with real-time risk assessment to support effective management. These Governance, Risk and Compliance (GRC) platforms have never been more critical for organisations. Adoption is filtering down from the Enterprise market to the SMB market at pace where easily configurable, low/ no code, cloud native, ‘out of the box’ solutions are increasingly available. These provide an effective alternative to using spreadsheets and other manual solutions.

The tailwinds driving the GRC software market continue to get stronger, particularly where regulation is increasing and the risks of getting things wrong include financial or reputational ruin. Three areas where the rate of adoption is especially high are supply chain risk management, ESG compliance and cyber risk management.

Supply chain risk management

When you work with suppliers, their risks become your risks and any breaches or failures can cause significant reputational damage and long-term financial pain. These risks could be environmental, social (i.e., failing to pay fair wages or poor working conditions), financial or around management of data.

The size of the risk is driving adoption of software solutions that can offer a real-time view of these risks to the Board, a considerable enhancement compared with the traditional practice of conducting due diligence at take-on, followed by annual audits.

ESG compliance

Increasing mandatory disclosure requirements around climate related risk, following EU approval of the Corporate Sustainability Reporting Directive (CRSD), are putting ESG compliance firmly in the spotlight. This focus is intensified as businesses are recognising that their ESG credentials are influencing employment decisions, consumer behaviour and investment strategies.

Some are making voluntary disclosures over and above regulatory obligations. This is driving rapid adoption of software and tools that report related data points even though some require manual input. The ‘holy grail’ are solutions that can seamlessly collate data through APIs to reduce the human element.

Cyber risk management

According to the Allianz Risk Barometer, data breaches, major IT outages, and ransomware attacks were ranked by UK businesses as their biggest concern in 2022, with risks heightened by the post-pandemic prevalence of remote working. Furthermore, organisations’ diverse digital make-up, with many operating systems and varied digital environments, are also driving demand for platforms that unify and simplify insight and provide control and mitigation of cyber risk.

M&A activity and outlook

Given strong market tailwinds and attractive business model, the M&A market for GRC software vendors remains extremely strong. This is being driven by global, principally PE-backed consolidators. These buy-and-build platforms are pursuing acquisitions on a number of fronts: new products that can be stitched into platforms and cross-sold to the existing customer base, new geographies, new customer sets and new technology to improve the go-to-market proposition.

Notable recent transactions include:

  1. SAI360’s acquisition of Evotix, a London headquartered fast growing mobile first Environment, Health and Safety (‘EHS’) training and compliance firm. The deal bolstered its EHS offering and critically, provided access to the mid-market where there is high potential for market penetration. This was a clear statement of intent following SAI360’s own acquisition by STG in January 2023.
  2. Thoma Bravo backed Cority’s acquisition of Greenstone, a UK-headquartered provider of supply chain and sustainability solutions. The transaction builds their ESG offering, particularly to the Financial Service sector, to which it made inroads in 2022, following the acquisition of Reporting 21.
  3. Ideagen, backed by Hg Capital, continue to be highly active, most recently adding Quadex, a UK based food safety platform, Tritan, a US based provider of health & safety solutions to the maritime sector, and the collaboration tool OnePlace solutions to its impressive stable of solutions. These deals followed hot on the heels of their largest acquisition to date, the acquisition of Enterprise HSE platform ProcessMap in October 2022. The cadence of their M&A activity is expected to continue.  

Private equity interest in the GRC space remains high. Many houses are actively looking to invest, be that into a pure SaaS play or technology-enabled service providers, particularly where there is the potential to transition towards a subscription model over an investment period.

Given the level of liquidity in the market for GRC software solutions, valuations have only softened marginally from the peaks of Q2 2022. Although investors are tending to look beyond paying a multiple of annual recurring revenue and focusing  on profitability, or at least a short runway to it.

As GRC requirements become ever-more onerous for businesses, we expect GRC platforms offering inter-connected solutions to become a must-have for all segments of the market. Our work with corporates and private equity investors driving this growth trend, we have the deep expertise in this market to help GRC businesses position for growth and value realisation.

Author: Ben Dawson, M&A Director

Related Posts