
What You Need to Know

This Gartner Magic Quadrant for enterprise governance, risk and compliance (EGRC) platforms presents a global view of Gartner's assessment of the main software vendors that should be considered by organizations seeking a technology solution to support the oversight and operation of enterprisewide risk management and compliance programs. Buyers should evaluate vendors in all four quadrants. Those from the Niche Players and Visionaries quadrants are driving innovation in areas such as business process modeling of controls and risks, business rules for compliance, policy training and certification, and knowledgebases for risk management and compliance. Challengers often have reasonable functionality and good pricing, but may lag the leaders in advancing their range of GRC functions for specific industries or professional roles. Leaders have proven GRC functionality in all four primary GRC management (GRCM) functions (audit management, compliance management, risk management and policy management), and they have executed across several industries with support for multiple professional roles.
The scores and commentary in this Magic Quadrant (see Figure 1) are based substantially on multiple sources. Customer perceptions of each vendor's strengths and challenges are derived from GRC-related inquiries with Gartner and an e-mail survey of vendor customers conducted in May 2009, with follow-up reference phone discussions. The evaluators also have drawn from observations of products, a vendor-completed questionnaire about their EGRC platform strategies and operations, and question-and-answer sessions with vendors.

Magic Quadrant

Figure 1. Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms
Source: Gartner (July 2009)

The EGRC platform market derives from the need for many entities to improve the oversight of corporate governance, including financial reporting compliance, enterprise risk management and related audits. Many organizations also want to consolidate other GRC activities into a common platform. Therefore, an EGRC platform must solve immediate GRCM needs associated with corporate governance and also enable an enterprise to pursue future consolidation and integration of GRC activities.
GRCM is defined as the automation of the management, measurement, remediation, and reporting of controls and risks against objectives, in accordance with rules, regulations, standards and policies. Many enterprises typically consider a GRCM application to satisfy a specific requirement, such as Sarbanes-Oxley compliance, an industry-specific regulation or operational risk management for a business process. However, enterprises often have other GRCM activities in mind, such as audit management, additional regulations, IT governance, remediation management and policy management, which they eventually may integrate into a more consolidated EGRC approach.
Most enterprises are also looking for solutions that support their strategies for more controls automation. Controls automation falls outside the scope of GRCM, but the reporting from continuous controls monitoring of ERP and other controls automation in the IT infrastructure needs to be integrated into the EGRC platform. Although they may have an immediate, specific GRCM requirement in mind, many enterprises are concerned that point solutions will impede their holistic visions.
"Governance," "risk management" and "compliance" are general terms that can apply to a wide range of products, IT initiatives and business requirements. These three terms have many valid definitions throughout the Gartner client base. These definitions illustrate the relationship of the three terms:
- Governance: The process by which policies are set and decision making is executed.
- Risk Management: The process for addressing risk with a balance of mitigation through the application of controls, transfer through insurance and acceptance through governance mechanisms.
- Compliance: The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements.
Gartner, as aligned to both a supply- and demand-based market perspective, has developed a specific market structure for these general terms, GRC. GRC as a marketplace can be broadly divided between GRCM products for the oversight and operation of risk management and compliance programs, and other GRC products for the automation and monitoring of controls. For a comprehensive description of the GRC marketplace, see "A Comparison Model for the GRC Marketplace, 2008 to 2010," which addresses the EGRC platform and its relationship to other GRCM markets, such as IT GRCM, operational risk management and financial governance. Each of these markets demands functionality that is inherent in the EGRC platform. Instead of acquiring separate solutions for finance, IT and other business units, many enterprises are choosing to use a single EGRC platform and, when necessary, integrating the many point and functional solutions to satisfy specific GRC needs. Reporting and managing through a single platform gives executives, auditors and managers a holistic view of the enterprise's risk and compliance postures, as well as views sorted by requirement, entity and geography.
The GRC marketplace is undergoing a transition from U.S.-centric to global. Demand for GRC solutions is highest in the U.S., where corporate governance regulations are the most stringent. However, as other countries, such as Canada, Japan, India and members of the European Union, have begun to enforce similar regulations, demand has increased globally. Another market trend that is driving buying decisions is enterprise risk management (ERM). Many companies are responding to the ERM emphasis by Standard & Poor's in its credit ratings, increased attention to risk management by regulators and closer scrutiny of risks to business objectives by boards of directors. Interest in risk management in government agencies is also increasing, and in the U.S., the White House Office of Management and Budget has issued requirements to government agencies for risk reporting related to the distribution of funds from the American Recovery and Reinvestment Act of 2009 (ARRA; stimulus spending).
Consolidation in the EGRC platform market is picking up pace significantly. Paisley was acquired by Thomson Reuters early this year, and in the third week of July 2009 alone, three acquisitions were announced: IDS Scheer by Software AG, Cura by SoftPro Systems, and Axentis by Wolters Kluwer. None of these acquisitions will have any immediate impact on their current customers, although product improvements and new capabilities made possible from capital infusions by acquirers are likely.

Market Definition/Description
The primary purpose of the enterprise GRC platform is to automate much of the work associated with the documentation and reporting of the risk management and compliance activities that are most closely associated with corporate governance. The primary end users include internal auditors and the audit committee, risk and compliance managers, and accountable executives. The key functions of importance to these groups are:
- Audit management: Supports internal auditors in managing work papers, scheduling audit-related tasks, time management and reporting.
- Policy management: A specialized form of document management that enables the policy life cycle from creation to review, change and archiving of policies.
- Compliance management: Supports compliance professionals with the documentation, workflow, reporting and visualization of control objectives, controls and associated risks, surveys and self-assessments, testing and remediation. At a minimum, EGRC compliance management includes financial reporting compliance (Sarbanes-Oxley compliance), but it can also support other types of compliance, such as ISO 9000, Payment Card Industry, industry-specific regulations, service-level agreements, trading partner requirements and compliance with internal policies.
- Risk management: Supports risk management professionals with the documentation, workflow, assessment and analysis, reporting, visualization, and remediation of risks. This component focuses on operational risk management but may collect credit and market risk information from other risk management tools to provide a consolidated view of enterprise risk management. There will be specific industry-focused risk management requirements. For example, for banking, it can include highly specialized capabilities for Basel II compliance.
The EGRC platform can integrate with business applications, business intelligence, enterprise content management, controls automation, monitoring solutions (such as segregation of duties), IT technical controls and continuous controls monitoring. The EGRC platform also integrates with specialized GRCM solutions, such as environmental, health and safety (EH&S) compliance; quality management; and industry GRCM applications.
For a comprehensive market description, see "The Enterprise Governance, Risk and Compliance Platform Defined."

Inclusion and Exclusion Criteria
Vendors were included in this Magic Quadrant if they met these criteria:
- Ability to deliver three of the four primary GRCM functions: audit management, compliance management, risk management and policy management.
- Credible presence in the marketplace: defined as at least $7.5 million in annual revenue from EGRC platform software, at least 50 customers, and customers able to be referenced for corporate-governance-related GRC activities such as financial reporting compliance and ERM.
Vendors were excluded if they did not meet the functional, revenue, and implementation criteria; did not have adequate referenceability; or were an industry-specific or highly specialized solution.
EGRC platform vendors that did not meet the revenue requirement, did not have the required number of customers or were not rated due to the other criteria, but offer a platform that supports at least three of the four primary GRCM functions, are:
- CA: U.S. company. Its platform supports compliance management, risk management and policy management. CA is a late entry to the market and has not yet reached the threshold of 50 implementations for inclusion. CA's EGRC offering is based on its Clarity PPM platform, offering the potential for a portfolio approach to risk management and compliance, plus good project management features for complex GRC activities or remediation.
- Compliance 360: U.S. company with a software as a service (SaaS) solution. Its platform supports compliance management, risk management and policy management. Compliance 360 is a pioneer in linking content from LexisNexis feeds and other sources to specific compliance requirements. It markets functionality for general financial reporting compliance and risk management. Because the Compliance 360 strategy is tightly focused on the healthcare and insurance industries, it was on the borderline for inclusion. Because the vendor did not respond to the questionnaire, the references were limited, and Gartner inquiries related to Compliance 360's experience and offerings in corporate-governance-related GRC activities were also limited, we decided that there was not enough information available publicly and within Gartner to justify inclusion.
- DoubleCheck: U.S. company. Its platform supports audit management, compliance management, risk management and policy management. DoubleCheck has worked to target larger customers. At this time, it does not meet the minimum revenue criterion for inclusion.
- Neohapsis: U.S. company. It has acquired the EGRC platform technology of the former vendor Certus, and plans to revitalize the offering with a new release in 3Q09. At this time, it does not meet the minimum criteria for revenue and implementations for inclusion.
- List Group: Italian company. Its platform supports audit management, compliance management, risk management and policy management. List has several large implementations in banks, and supports advanced risk analytics. It does not meet the minimum criterion for number of implementations.
- Optial: U.K. company. Its platform supports audit management, compliance management, risk management, and limited policy management. Optial has several implementations with financial services organizations, and supports advanced risk analytics. It does not meet the minimum criteria for revenue and implementations.
- SAP: German company. Its platform supports compliance management and risk management. It has made significant progress during the past year at developing an integrated platform, and has shown innovation in integrating risk management and performance management. However, the integrated platform was not announced until May 2009, too late for consideration in this year's Magic Quadrant.
- Sword Achiever: Part of Sword Group of France. Its platform supports audit management, compliance management, risk management and policy management. It has a strong focus on ISO compliance and quality management, particularly with life sciences, fast-moving consumer goods (FMCG), and energy. It was included in the 2008 Magic Quadrant, but was removed this year due to limited referenceability for corporate-governance-related GRC functions, such as financial reporting compliance and risk management.
- Trintech: U.S. company. In 2008, Trintech acquired EGRC platform vendor Movaris. It has integrated Movaris' risk management, compliance management, and policy management functionality with account reconciliation and financial close software to create its Unity Financial Governance, Risk and Compliance Platform. The revenue from its EGRC platform does not meet the minimum criterion for inclusion.
- Xactium: U.K. company. It is less than a year old and is a small, venture-capital-backed company. Its platform is offered as SaaS and supports risk management, compliance management, audit management and policy management. It uniquely bases its EGRC platform on the salesforce.com platform, giving customers the advantage of a nonproprietary platform that has solid support from a large company, salesforce.com, and a broad community of other users.

Added
Aline (formerly BI International): Aline has met the minimum revenue and number-of-implementations requirements to be added to this Magic Quadrant.

Dropped
Sword Achiever: While it has the functionality for an EGRC platform, most customers are using it primarily for compliance with ISO standards, and not for GRC activities related to corporate governance.
Qumas: Its primary value is in managing the life cycle and communication of policy documents for regulatory compliance, and it does not have an integrated operational risk component as part of its platform. The Qumas compliance solution, DocCompliance, is embedded in Thomson Reuters' Paisley Enterprise GRC offering.

Ability to Execute
Vendors are assessed on their ability and success in making their vision a market reality. Four of the seven Gartner criteria for ability to execute are the most significant at this early stage of the EGRC platform market:
- Product/Service: Core goods and services offered by the provider that competes in/serves the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
- Overall Viability: Includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the business unit to continue to invest in the product, offer the product and advance the state of the art in the organization's portfolio of products.
- Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the provider's history of responsiveness.
- Sales Execution/Pricing: The technology provider's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
- Customer Experience: Relationships, products and services/programs that enable customers to be successful with the products evaluated. This includes the ways customers receive technical or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups and service-level agreements.
- Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
In 2009, the weighting for market responsiveness and track record was doubled, and criteria for sales execution/pricing and operations were added. These changes were made to account for the increased maturity of the market, which is at a point where we are seeing some consolidation; that resulted in significant shifts in the Ability to Execute position of some vendors (see Table 1).
Table 1. Ability to Execute Evaluation Criteria
Evaluation Criteria | Weighting
Product/Service | High
Overall Viability (Business Unit, Financial, Strategy, Organization) | Standard
Sales Execution/Pricing | Low
Market Responsiveness and Track Record | High
Marketing Execution | No rating
Customer Experience | Standard
Operations | Low
Source: Gartner (July 2009)

Completeness of Vision
Vendors are rated on their understanding of how market forces can be exploited to create value for customers and opportunity for themselves. Five of the eight criteria for completeness of vision (see Table 2) were considered significant for the EGRC platform market:
- Market Understanding: Ability of the provider to understand buyer needs and translate these needs into products and services. Vendors that show the highest degree of vision listen to and understand buyer wants and needs, and can shape or enhance those wants with their added vision.
- Offering (Product) Strategy: A provider's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.
- Vertical/Industry Strategy: The provider's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical industries.
- Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, and defensive or pre-emptive purposes.
- Geographic Strategy: The provider's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside its native geography, directly or through partners, channels and subsidiaries as appropriate for that geography and market.
At this early stage, marketing and sales strategies do not vary significantly among the vendors. Although not yet a major factor, vendor business models could become significant differentiators as vendors try to take advantage of the next stage of market growth.
Table 2. Completeness of Vision Evaluation Criteria
Evaluation Criteria | Weighting
Market Understanding | Standard
Marketing Strategy | No rating
Sales Strategy | No rating
Offering (Product) Strategy | High
Business Model | No rating
Vertical/Industry Strategy | Standard
Innovation | Standard
Geographic Strategy | Low
Source: Gartner (July 2009)

Leaders
The EGRC platform market is still evolving, but the vendors in this market have had time to develop their products and strategies in other precursor markets. Because they have developed with a focus on corporate governance and executive reporting requirements, vendors with experience in the finance GRCM market have an advantage in the EGRC platform market. Of the four leaders, Thomson Reuters, Oracle and OpenPages were leaders in last year's "Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms." BWise is a newcomer, and its progress is attributable mostly to continued good execution of its road map, which helped to close the gap on product functionality, particularly reporting. Customers will be looking for leaders to provide additional functionality, such as support for ERM, integration with advanced business intelligence and corporate performance management applications, more-flexible and ad hoc reporting, and more support for the internal audit organization. They will also expect support across multiple geographies. The large vendors are best positioned for these requirements, yet smaller vendors are in the Leaders quadrant because of continued viability, more-advanced functionality and market understanding.
Vendors in the Leaders quadrant are:
- OpenPages
- Thomson Reuters
- BWise
- Oracle
- MetricStream

Challengers
Challengers have proven viability, demonstrated market performance and the ability to exceed customer expectations on technical functionality. Challengers need to focus on their product road maps, as well as their sales, marketing, geographic and vertical industry strategies, to move into the Leaders quadrant.
While there were several vendors in the Challengers quadrant last year, the market has been changing rapidly toward more of a focus on ERM and audit support. To capture that shift, the weighting for market responsiveness and track record was doubled, and criteria for sales execution/pricing and operations were added this year. This new weighting on market-performance-related criteria lowered the position on the Ability to Execute axis for several vendors. Some vendors that were challengers last year have modified their road maps and begun to add new product capabilities to address these market shifts. They moved into the Visionaries quadrant.
Methodware is the only vendor in the Challengers quadrant.

Visionaries
Visionaries have a solid understanding of the market, as demonstrated by domain expertise and responsiveness to customer expectations. They are actively executing against an aggressive product road map that expands support to additional regulatory and nonregulatory compliance and risk management needs.
Vendors in the Visionaries quadrant are:
- Cura Software Solutions
- Archer Technologies
- Protiviti
- Mega

Niche Players
Niche vendors have specialized capabilities for a particular market subsegment, but are missing some primary or secondary functions that make for a complete platform. Vendors could also be in the Niche Players quadrant because they have a novel business model. Only time can tell whether the models will succeed. Niche players may also target a specific industry vertical or the needs of particular professionals.
Vendors in the Niche Players quadrant are:

Vendor Strengths and Cautions
Aline is a U.S.-based vendor with 52 employees. It has effectively targeted the midmarket, and also has a few large business customers. Led by former Cognos management, it has developed a good relationship with Cognos-IBM.
Aline delivers all four primary GRCM functions: audit management, compliance management, risk management and policy management. However, the lack of survey functionality is a major deficit. The platform is based on .NET and is delivered 100% as SaaS.

Strengths
- It shows innovation. Its integration of risk management and performance management is an advanced and visionary feature for this market.
- It bundles a lot of knowledge transfer into its implementation.

Cautions
- It does not have survey functionality or policy training and certification.
- It does not maintain 24/7 global support; support is available during U.S. East Coast business hours.

Archer Technologies is headquartered in the U.S. and has 125 employees. Basing its platform on the Archer SmartSuite Framework, originally developed for the IT GRCM market, the company has made a sustained commitment to the EGRC platform customer. Besides IT GRCM, the platform supports financial management compliance, audit management, risk management, policy management, incident management, business continuity and other functions.
Archer delivers all four primary GRCM functions: audit management, compliance management, risk management and policy management. It is based on .NET.

Strengths
- IT GRCM is its core installed base.
- It has an intuitive Web-based interface and navigation.
- Archer Community is a social network for customers to share the applications, content and services they develop.
- It has a set price for an enterprise annual license per module with an unlimited number of users.

Cautions
- Ongoing support for Archer's breadth of modules and add-ons creates the potential for overstretching its resources.
- With nine modules and many add-ons from which to select, customers must be diligent that the capability sought is in the modules they buy. Additional modules or add-ons could add to the price.

Axentis is based in the U.S. and has 100 employees. It was acquired recently by Wolters Kluwer. The Axentis GRC platform is most suitable for organizations needing strong support for legal compliance issues that are policy based, such as policy training and certification of employees for regulatory compliance issues, or for a corporate integrity agreement with a regulator. This training and certification capability is extensible beyond the enterprise to subcontractors and suppliers, an important feature since vendor risk management is increasingly an application for EGRC platforms.
Axentis effectively delivers three of the four primary GRCM functions: compliance management, risk management and policy management. The platform is based on .NET and is delivered 100% as SaaS.
In July 2009, Wolters Kluwer acquired Axentis for its CCH division, which also has other audit management, risk management and compliance software offerings. The Axentis position in the Magic Quadrant reflects the improved financial viability brought by the acquisition. Due to publication being so close to the acquisition, the rating and our comments cannot reflect any changes in strategy, technology or business plans.

Strengths
- It has strong vertical market support for healthcare, insurance and life sciences, including corporate integrity agreement compliance.
- It has a broad set of offerings integrating GRCM with content.
- It received very good customer references.
- It is very well-suited for employee policy training and certification with integrated e-learning.

Cautions
- There is no road map for internal audit, but it does have an adapter for CCH TeamMate.
- Significant customization of workflow requires vendor support.
- It does not support quantitative risk analysis, which could be important to banks.

BWise is headquartered in the Netherlands and has 117 employees. Its next version, which is scheduled to be released in 2H09, is expected to have enhanced ERP integration, automatically capturing evidence of ERP process and access controls in the BWise GRC platform. BWise has overcome problems with data extraction for ad hoc reporting and offers a backward-compatible module for older versions.
BWise delivers all four primary GRCM functions: audit management, compliance management, risk management and policy management. It is based on Java Platform, Enterprise Edition (Java EE).

Strengths
- It supports financial services industry compliance, including banking and investment regulations, financial reporting compliance, and IT GRCM.
- Its business process modeling capabilities enable mapping of processes against risks and controls, enabling business process improvements.
- Its support personnel and those deployed for implementation were noted by customers as having solid business domain knowledge.

Cautions
- There have been some reports of bugs in releases, but they were resolved in a timely manner.
- Although the ability to extract data for ad hoc reporting has been improved, customers note that the product's reporting is not "board level" and not very flexible.

Cura Software Solutions moved its headquarters from Australia to the U.S. two years ago, and now U.S. sales account for more than half its business, although it maintains a strong base in Australia and South Africa. It also has a strategy for the U.K., but does not focus on continental Europe. It has 100 employees.
Cura delivers a highly configurable platform and supports the four primary GRCM functions: audit management, compliance management, risk management and policy management. It has a new content partnership with LexisNexis, which should help with support for corporate compliance officers and general counsel. Cura is based on a combination of C# and .NET.
In July 2009, SoftPro Systems acquired Cura. The Cura position in the Magic Quadrant reflects the improved financial viability brought by the acquisition. Due to publication being so close to the acquisition, the rating and our comments cannot reflect any future changes in strategy, technology, or business plans.

Strengths
- It has a quick-start module for enterprise risk management, called BridgeWork.
- It has market support for the financial services, energy and utilities, and mining industries, particularly within the U.S., South Africa, and Australia.
- It has extensive best-practice knowledgebases, especially with regard to operational risk management, and support for the risk management frameworks AS/NZS 4360 and ISO 31000.

Cautions
- Its audit management capability has only recently been launched and has not been fully market-tested. Cura also has an adapter for CCH TeamMate.
- It has limited native document management, which limits policy management, including policy training and certification, and audit management capabilities. However, it comes with SharePoint integration and has proven integration with Documentum.
- A European market focus is lacking, with the exception of significant headway in the U.K.

IDS Scheer is a large business process management (BPM) vendor headquartered in Germany. It has 3,000 employees worldwide. The ARIS Solution for Governance, Risk and Compliance Management supports compliance management and risk management. It is most suitable for organizations seeking to design risks, controls and key performance indicators (KPIs) in the context of an operational process, and analyze the effects of changes in any of those objects on the others. During the past year, IDS Scheer has added improved survey capability and policy management. It has plans this year to close gaps in audit management and add an operational risk management module.
IDS Scheer delivers two of the four primary GRCM functions directly (compliance management and risk management); audit management can be built on ARIS Business Architect. The IDS Scheer GRC solution is developed on the ARIS Platform, which is based on Java EE.
In July 2009, Software AG announced it is acquiring IDS Scheer. Due to publication being so close to the acquisition announcement, the rating and our comments do not reflect any future changes in strategy, technology, or business plans.

Strengths
- It is the largest BPM vendor delivering a GRCM solution on a robust platform.
- Its business process analysis capabilities enable mapping of processes against risks and controls, aligning risks with process steps and enabling business process improvements.
- It is useful for organizations with a strategic approach that seek to align GRC activities to business processes and objectives.

Cautions
- It is not for organizations looking for a rapidly implemented documentation and reporting application; a business process orientation to risk management and compliance is required.
- It requires competency in the ARIS process-modeling tools.

Mega is headquartered in France, and has 274 employees. The BPM vendor has reoriented its market positioning toward GRC. It acquired its EGRC platform technology from another vendor and added business process modeling functionality that supports the design and modeling of risks and controls in the context of a business process. Because it entered the market relatively late, many of its sales have been driven by risk management rather than compliance. It is adding more risk analytics to support ERM.
Mega delivers all four primary GRCM functions: audit management, compliance management, risk management and policy management. It is based on Java EE.

- It has good business process analysis capabilities. Its architecture tool enables mapping of processes against risks and controls, thus enabling business process improvements.
- Customers have noted good responsiveness for development as well as support, geographically focused on continental Europe but with sales and support in North America and elsewhere.
- It has good support for operational risk management.

- It does not have much presence in the U.S. market, which has been the biggest market for EGRC platforms.
- It is still best known as a BPM vendor, although it is marketing its GRC capability heavily.

Methodware was acquired in 2008 by Jade, a more than $20 million software company based in New Zealand. Methodware is a no-frills EGRC platform solution that has proven to be popular with midsize companies and departmental implementations in larger companies.
Methodware delivers all four GRCM primary functions: audit management, compliance management, risk management and policy management. The current platform has a proprietary middleware architecture with a Java EE interface and a standard Structured Query Language (SQL) database interface. The next version (v.8) is scheduled to be a .NET product.

- For a small vendor from New Zealand, it has very good support in Europe and the U.S.
- It has a long track record of proven risk management, with good qualitative and quantitative analytic features.
- It focuses on the midsize business marketplace, as well as financial services, higher education, national government and manufacturing vertical markets.

- Its policy management is limited because of a lack of content management.
- It has no native content management, and only limited workflow and process automation functionality.

MetricStream is headquartered in the U.S., and has a large development team in India. It has 200 employees. Originally focused on quality management implementations, MetricStream has expanded to support EGRC platform customers with implementations for financial compliance, audit management and risk management. The platform is highly configurable, and MetricStream has worked with customers to develop workflows and reporting specific to their needs.
The MetricStream Enterprise Compliance Platform supports solutions for audit management, compliance management, risk management, policy management and quality management. It is based on Java EE.

- It offers rapid customization; it has a strong reputation for working with customers to deliver a platform specific to their environments.
- Having started in quality management, it understands the GRC environment of companies with heavy physical infrastructure investments and a strong process orientation.
- It manages a community portal, ComplianceOnline.com, and uses that community as a key resource to help with development.

- In some instances, a high degree of customization has resulted in significantly higher than normal implementation costs.
- As a small vendor with a growing number of large customers, it has a wide variety of specialized needs. There could be growing pains in the future with ongoing support.

OpenPages is headquartered in the U.S., and has 140 employees. It has a focus on large customers and good brand recognition in the U.S., Europe and other regions. It has partnered with the Operational Riskdata eXchange Association (ORX), which hosts loss event benchmarking data for large banks, and has provided ORX with the platform for hosting the data. This partnership has raised its visibility with large banks globally. OpenPages has a steady development program; it introduced new modules for privacy and EH&S compliance during the past year, and it plans to release modules for vendor risk management and business continuity in 2H09.
OpenPages delivers all four GRCM primary functions: audit management, compliance management, risk management and policy management. It is based on Java EE.

- Its viability is a strength. It has a strong management team with good domain knowledge, and a large customer base with high retention.
- It has good functionality to make associations among mandates, policies, procedures and requirements (its taxonomy contains a risk statement, control objectives and control descriptions).
- Reporting and its ability to get to useful data are strengths. It has a Cognos reporting engine and proven integration with Hyperion for advanced financial management reporting.

- Enterprises must contract separately with content providers for Deloitte and other content for IT risks and controls.
- While its self-assessment function is broad and complete, the advanced self-assessment is awkward for the casual user.

Oracle is a software megavendor that is headquartered in the U.S. Oracle GRC Manager is based on technology acquired from Stellent. It supports solutions for audit management, compliance management, risk management and policy management. GRC Fusion Intelligence provides advanced reporting beyond that found in GRC Manager, and it is based on Oracle Business Intelligence Enterprise Edition. Oracle is seeking to provide a full spectrum of GRC products that can be integrated with GRC Manager, including continuous controls monitoring. Some of the offerings that Oracle provides under its GRC umbrella, such as content management and IT security products, are stretching that umbrella too far. However, setting that aside, Oracle has the most complete set of GRC offerings for audit, financial compliance and governance, and ERM of any vendor. Integration of GRC Manager to Oracle Hyperion Financial Management is available via published application programming interfaces (APIs).
Oracle delivers all four GRCM primary functions: audit management, compliance management, risk management and policy management. It is based on Java EE.

- Its suite of controls products, such as Oracle Application Access Controls Governor and Oracle Transaction Controls Governor, can be integrated into the GRC Manager platform.
- Using Oracle Fusion GRC Intelligence enables easier integration of reporting with other Oracle applications.
- It has a very knowledgeable Oracle consulting services arm, as well as effective partnerships with large consultancies for extensive engagements.

- For improved reporting, customers must pay for a separate license for Fusion GRC Intelligence. However, some enterprises find they have excess Fusion Intelligence licenses from other Oracle applications that can be applied to GRC.
- Banks should be careful to discriminate between Oracle GRC Manager and other Oracle risk management and compliance products that are managed by a distinct and separate Oracle business unit.

Protiviti is based in the U.S., and is a 3,000-person global risk consultancy. The Risk Technology Solutions group that is responsible for the Protiviti Governance Portal has 75 employees. During the past year, Protiviti has improved its support for internal audit and added an offline audit workbench. For ad hoc analysis and reporting, it has also integrated Microsoft Excel directly with the platform, enabling population of Excel-based models directly from data in the platform.
It delivers all four GRCM primary functions: compliance management, risk management and policy management, and it also demonstrated audit management. The platform is based on .NET.

- Support for internal audit is a strength.
- It has abundant GRC domain expertise and content. It is a well-known risk management and compliance consultancy.
- Its good search function enhances navigation within the application.

- Customers looking for the software only may find that Protiviti will want to follow up with risk management and compliance consulting, or with internal audit support.
- Software revenue is a small portion of Protiviti's overall revenue.

In early 2009, the large media and publishing company Thomson Reuters acquired Paisley. Paisley is integrated into the tax and accounting business division, which also owns Check Point Software. Thomson Reuters offers Paisley Enterprise GRC and a SaaS version, GRC on Demand. Since the acquisition, Thomson Reuters has invested in several enhancements that are scheduled to be generally available in the next version, slated for release early in 3Q09, including an improved role-based graphical user interface (GUI); in-context links to Thomson Reuters regulatory, legal and audit content; and a fully integrated controlled document management capability from Qumas.
Paisley delivers all four GRCM primary functions: audit management, compliance management, risk management and policy management. It is based on Java EE.

- There is an opportunity for integration of Thomson Reuters content, which can improve the role and industry configuration of the platform.
- It integrates with Check Point Software and audit content for a specialized internal audit version.
- It has strong audit management with offline capability; it is the chief competitor to CCH TeamMate in that market. It has good planning capabilities for audits and testing.

- Thomson Reuters' strategy for risk management and compliance markets is evolving, and the role of Paisley in that strategy needs more clarity.
- When Thomson Reuters bundles subscription content with Paisley, the pricing component of the software will be less transparent.
The Magic Quadrant is copyrighted 12 August 2009 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
© 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.
Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.
Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.