
GRC Software M&A: Who’s Buying?

Summary
  • Why different types of buyers and investors are interested in GRC
  • An overview of the current M&A situation and what buyers are looking for

From cybersecurity to supply chain management, from employee health and safety to environmental disclosures, organizations around the world face an increasing, and increasingly complex, number of challenges. More and more are turning to governance, risk, and compliance (GRC) software to help them manage these challenges, with a notable impact: according to Verified Market Research's Governance, Risk Management And Compliance (GRC) Market Size And Forecast, the GRC market was valued at $50.5 billion in 2023 and is expected to reach $104 billion by 2030.

In addition to demand, GRC has the advantage of being a well-established category, having emerged in the wake of the Sarbanes-Oxley Act of 2002, when businesses needed to demonstrate compliance with newly complex regulations. These days, most businesses may need to invest in one or more GRC software platforms to help them ensure compliance with evolving regulations, enhance operational efficiency, and manage risks effectively.

The combination of growing consumer demand and a proven track record is a strong tailwind, which has caught the attention of buyers. This is good news for founders, obviously. Following is an overview of the market and what buyers are looking for.

According to Grand View Research’s eGRC Market Size & Trends report, banking, financial services, and insurance (BFSI) is the largest adopter of GRC solutions, driven by the need to manage complex regulations and protect against data breaches and other cyber threats. The IT and telecom sector, where the rising number of cyberattacks makes robust GRC systems a necessity, is the fastest-growing vertical.

In sectors that deal with a combination of swiftly changing environments and enormous amounts of data, AI is helping to make operations both simpler and more secure. By automating tasks such as real-time risk assessments and compliance monitoring, AI can help make data analysis more accurate and speed up responses to potential risks or compliance issues. AI-driven predictive analytics also help organizations anticipate potential challenges before they become problems, enabling companies to take proactive steps.

Of course, AI is a double-edged sword. Increasingly, cybercriminals are using AI in sophisticated attacks and scams, including video and voice cloning. Cybersecurity risks have risen over the past year, and as of 2023, the SEC requires public companies to disclose material cybersecurity incidents that have affected them and to report material information about their cybersecurity risk management, strategy, and governance on an annual basis. The need for GRC software to help protect organizations against a host of security threats grows by the day.

Who Is Buying, and Why?

Buyers are drawn to the essential nature of the category. Increasingly complex regulations, growing cybersecurity threats, and a focus on executive and board accountability could potentially provide a broad and growing market. This in turn could help GRC companies be more resilient to economic downturns and may better position the market as a whole for sustained growth. On top of that, most buyers are already familiar with the category.

Private equity buyers are attracted to GRC’s steady demand and potential for scalable growth, which could provide stable returns on investment. Strategic buyers are pursuing specialized GRC companies to broaden their overall product suites and address a broader range of compliance and risk management needs. Finally, PE-backed strategics are finding opportunities to roll up niche GRC companies to consolidate market share and create more integrated solutions.

In our experience, the "C" of GRC is particularly attractive to buyers and investors right now.

Because compliance is mandated, it can be easier to convey its importance — most potential customers are aware that they need compliance software, which simplifies the creation of a solid marketing funnel. This, of course, appeals to the M&A market’s appetite for reliability.

Because there are so many permutations of GRC, from state-mandated safety training to international privacy regulations, many GRC SaaS companies focus on niche verticals. This presents potential opportunities for PE-backed platform companies in the space to acquire multiple smaller players in complementary niches for consolidation.

What Should GRC Founders Be Thinking About?

GRC software companies have the advantage of offering products that many companies are mandated to have. Even so, it’s important to stay innovative and pay attention to crucial KPIs.

Buyers and investors are more likely to look for profitability in GRC software companies than in other markets. Founders should execute on revenue growth, paying attention to metrics like lifetime customer value (LTV), cost of customer acquisition (CAC), customer retention rates, and other components of unit economics.

Especially for companies that focus on compliance, high retention depends largely on finding ways to stay relevant. Companies that aren’t changing their offerings regularly may lose market share to those that provide fresher content or more creative delivery. Some GRC SaaS companies are using new mediums, such as podcasts, virtual reality (VR), or augmented reality (AR) simulations to deliver content, and are enhancing the user experience with gamification, customized training paths, social learning tools, and more. For example, NINJIO, a company we recently helped sell, uses short animated videos and Hollywood-style storylines to engage learners and boost retention.

Another area to consider is politics. No one can say for certain what the future holds, but broadly speaking, a Democratic administration is likely to institute more new regulations while a Republican administration is more likely to cut regulations. Even after the upcoming election, it could be months or years before changes are instituted, but it behooves founders in the GRC space to keep an eye on the political climate and understand how changes could impact their niches.

It's important that founders do not wait until their business plateaus before selling, as the valuation and multiple applied to a company's revenue/EBITDA could be dramatically reduced. We're big proponents of selling into growth, and capturing the valuation premium. Given the strong market, and assuming strong KPIs, this may be that time for many GRC companies.



This material and the opinions contained herein are for general information only and are not intended to provide specific advice or recommendations for any individual or entity. All opinions and views constitute our judgments as of the date of writing and are subject to change at any time without notice. The material may contain “forward-looking” information that is not purely historical in nature. Such information may include, among other things, projections, forecasts, estimates of market returns and proposed or expected portfolio composition.

Clicking some links in this article will take you to websites independent of and unaffiliated with Vista Point Advisors. The information and services provided on these independent sites are not reviewed, guaranteed, or endorsed by Vista Point Advisors or its affiliates. Please keep in mind that these independent sites' terms and conditions, privacy and security policies, or other legal information may be different.

Modified on Jun 03, 2024