Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms

04 October 2012 | ID:G00226167



The enterprise governance, risk and compliance platform market has matured to a strategic focus on enterprise risk management. Many vendors are looking toward the next market phase, which includes adding or integrating with business analytics and scorecarding capabilities.

Market Definition/Description

Governance, risk and compliance (GRC) as a marketplace can be broadly divided between GRC management (GRCM) products for the oversight and operation of risk management and compliance programs, and other GRC products for the automation and monitoring of controls. For a comprehensive description of the GRC marketplace, see "A Comparison Model for the GRC Marketplace, 2011 to 2013," which addresses the enterprise GRC (EGRC) platform and its relationship to other GRCM markets, such as IT GRCM (see "MarketScope for IT Governance, Risk and Compliance Management"), operational risk management (ORM; see "A Banker's Guide to Credit, Market and Operational Risk Management Software Functionality") and financial governance (see "Q&A: Current Issues in Financial Governance").

Each of these markets demands some of the functionality that is inherent in the EGRC platform. Instead of acquiring separate solutions for finance, IT and other business units, many enterprises are choosing to use a single EGRC platform and, when necessary, integrating the many point and functional solutions to satisfy specific GRC needs. Reporting and managing through a single platform potentially give executives, auditors and managers a holistic view of the enterprise's risk and compliance postures, as well as views sorted by requirement, entity and geography. As the EGRC platform market continues to mature, some vendors are seeking to meet these new demands through a single, tightly integrated platform, while others are adopting a plug-and-play strategy, where customers can grow into the solution through the successful implementation of separate, but integrated modules.

The primary purpose of the EGRC platform is to automate much of the work associated with the documentation and reporting of the risk management and compliance activities that are most closely associated with corporate governance and strategic business objectives. The primary end users include internal auditors and the audit committee, risk and compliance managers, legal professionals, and accountable executives. The key functions of importance to these groups are:

  • Risk management: Supports risk management professionals with the documentation, workflow, assessment and analysis, reporting, visualization and remediation of risks. This component focuses on general ORM; however, it may collect data from specialized risk analytics tools to provide a consolidated view of ERM. Many industry-specific risk management requirements may not be supported. For example, many banks require highly specialized capabilities for Basel II compliance. Only a few EGRC platform vendors support the ORM needs of banking, and most vendors prefer to integrate the platform with specialized solutions from other vendors.

  • Audit management: Supports internal auditors in managing work papers, scheduling audit-related tasks, time management and reporting.

  • Compliance and policy management: Supports compliance professionals with the documentation, workflow, reporting and visualization of controls objectives, controls and associated risks, surveys and self-assessments, attestation, testing, and remediation. At a minimum, compliance management will include financial reporting compliance (Sarbanes-Oxley [SOX] compliance), and also support other types of compliance, such as ISO 9000, Payment Card Industry, industry-specific regulations, SLAs, trading partner requirements and compliance with internal policies. This function includes a specialized form of document management that enables the policy life cycle from creation to review, change and archiving of policies; the mapping of policies to mandates and business objectives in one direction, and risks and controls in another; and the distribution to and attestation by employees and business partners.

  • Regulatory change management: Supports the ability to respond to changes in regulations. When a rule is changed or a new one emerges, it enables a business impact analysis and supports the management of the change to related controls, risk assessments and policies.

The EGRC platform can integrate with business applications, business intelligence (BI), enterprise content management, controls automation, monitoring solutions (such as segregation of duties), IT technical controls (such as server configuration auditing) and continuous control monitoring (CCM) for transactions. The EGRC platform also integrates with specialized GRCM solutions, such as environmental, health and safety (EH&S) compliance, quality management and industry GRCM applications.

The GRC market is eight years old, and all the vendors in the Magic Quadrant have a level of functionality that will meet the needs of most buyers. Differentiation today is about the ability to deliver advanced risk management functionality, with analysis of the impact of risks on business performance, domain expertise in multiple highly regulated industries, and ease of use and configurability. In the past, differentiation was about how well the basic core functions of a GRC platform — audit management, compliance management, risk management and policy management — were addressed. Because this market is approaching maturity, it is likely that Gartner will produce a MarketScope next year, rather than a Magic Quadrant.

Magic Quadrant

Figure 1. Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms

Source: Gartner (October 2012)

Vendor Strengths and Cautions

BPS Resolver

BPS Resolver demonstrated BPS Resolver GRC Cloud 6.2, which is most often delivered as software as a service (SaaS). With a strong focus on linking risk and performance metrics, BPS Resolver also demonstrated good capabilities for audit management, compliance management and risk management. Policy management is limited. It is still a relatively small player in the market, with most of its revenue coming from North America. Having improved its technology architecture and shown that it can execute against a multiregion geographic strategy, BPS Resolver has earned a move from the Niche Players quadrant to the Visionaries quadrant.

  • Market Understanding — BPS Resolver clearly understands the direction of the market toward more integration of risk and performance management.

  • Market Strategy — BPS Resolver is able to articulate well a strategy that is appealing to boardrooms and senior executives.

  • Product — It is one of the few best-of-breed vendors that is able to clearly enable the causal linkages between key risk indicators (KRIs) and key performance indicators (KPIs). It also has a balloting function for collaboration on qualitative analysis of risks and controls.

  • Product Strategy — There is no evidence that BPS Resolver is integrating with other business applications, nor is there much focus on improving its risk analytics.

  • Product — Lacking the ability to integrate with external automated controls, it is not suitable for IT GRCM. Basic ORM functionality is competent, but it would not be adequate to support large financial services firms that have Basel II/III and Solvency II compliance requirements.

CMO Compliance

CMO Compliance demonstrated version 7.1, released in 2012. With global headquarters in London, CMO Compliance has a solid global support and sales organization. It has a strong legacy in health and safety compliance and has expanded to EGRC. CMO Compliance had the best mobile platform of any vendor evaluated. CMO Compliance is in the Visionaries quadrant and has good capabilities for asset-intensive industries, where its domain expertise is most relevant.

  • Product Strategy — Case management is an emerging requirement for many GRC customers, and CMO Compliance demonstrated above-average capabilities there. For asset-intensive industries, such as heavy manufacturing, aviation, oil and gas, and mining, it has a very good content strategy.

  • Geographic Strategy — It has very good global coverage.

  • Product — CMO Compliance is strong overall. It includes a learning management system for tracking training, which is very useful to ensure an understanding of policies and to track the training on them. Customers noted that configuration is very easy, and that they can navigate easily with wizards that enable them to enter data and respond to queries without a lot of screen clutter.

  • Customer Experience — Customers were very satisfied, and many references noted that the product exceeded expectations for many of the uses it was put to. References applied the product broadly across a variety of use cases.

  • Market Understanding — CMO Compliance has solid domain expertise in operations GRC for asset-intensive industries (for example, health and safety compliance). It should develop a better understanding of the enterprise risk management (ERM) needs of senior executives.

  • Product Strategy — To better serve the needs of senior executives and corporate directors, CMO Compliance should improve its ability to analyze risks to strategic objectives and business performance.

Cura Technologies

Cura Technologies demonstrated Cura Enterprise, version 3.8.0, which was released in December 2011. In 2011, Cura focused on enhancements to workflow, its rule engine, integration and the audit trail. Improvements in these areas demonstrate its commitment to continued product development and allowed Cura to maintain its position in the Visionaries quadrant.

  • Vertical/Industry Strategy — Although manufacturing and natural resources remain the dominant industry focus for Cura, it continues to have a broad-based strategy that also targets industries such as financial services, construction, engineering, telecommunications, pharmaceuticals and utilities/energy.

  • Innovation — The company continues to invest in developing its Cura Enterprise product, with two product releases in 2011 and another two releases planned in 2012. Planned features include mobility enhancements to support EH&S, as well as incident management requirements.

  • Pricing — Cura maintains a tiered, user-based pricing model that is very straightforward. In addition, its pricing is viewed by its customers as highly competitive.

  • Customer Experience — Cura's customers are mostly satisfied with the current functionality and services provided.

  • Product — Policy management remains an area of needed improvement for Cura because of its limited document management and workflow capabilities. In addition, its bow-tie risk assessment functionality provides good visualization of risk data, but it requires an additional license from a third-party vendor.

  • Market Responsiveness and Track Record — The number of new product implementations has remained flat during the past three years. Following the acquisition by SoftPro Systems in 2009, Gartner expected a significantly larger growth rate for new product implementations with a corresponding increase in revenue.

  • Overall Viability — Without demonstrated growth in new product implementations and revenue, Gartner views Cura's overall viability in the long term as questionable.


RSA, The Security Division of EMC

RSA, The Security Division of EMC offers the RSA Archer eGRC Platform. The release demonstrated was version 5.2, which became available in May 2012. Despite its strong focus on IT security applications, RSA is making large strides in integrated GRC, using its IT customer base to gain entrance to non-IT prospects, and gaining EGRC market recognition among prospects where it has no pre-existing base. With Archer's IT GRC heritage, RSA still has a bias toward IT-centric examples in demonstrations, but it is able to provide many non-IT examples. Having gotten beyond early difficulties in the rollout of Archer 5 to its installed base, RSA has been able to focus on a more aggressive vision during the past year and is showing that it can execute against it — thereby earning a move from the Challengers quadrant to the Leaders quadrant.

  • Marketing Strategy — RSA has made great strides in gaining mind share in the EGRC market. Its legacy IT GRC installed base of users is often the best advocate for expansion to the rest of the enterprise. However, RSA is also executing successfully against a strategy based on non-IT use cases that is gaining it new enterprise customers where there is no IT GRC installed base.

  • Product Strategy — The Archer Exchange, with both paid Archer and non-paid community content, provides RSA a way to address many different platform use cases beyond the core functions. Recognizing a gap in financial services domain expertise, RSA has invested to close that gap with improvements in content and templates for financial services customers and by stressing competencies that are in financial services, such as vendor risk management and loss event analysis. Notably, it has the best vendor-managed content strategy of any of the vendors evaluated.

  • Product — Its product is above average for ease of use and configurability.

  • Vertical Strategy — RSA articulates a cross-industry, role-based strategy without a focus on any particular vertical. Although it can put together solutions that are relevant to the vertical of an individual customer, the lack of a strategic approach to highly regulated verticals led to a gap in market share in financial services (outside of IT departments) and underinvestment in other vertical-specific domain expertise — a gap it is working to close, but which is not yet reflected in a coherent vertical strategy.

  • Product — RSA did not demonstrate well the ability to support ORM for the capital allocation calculations that are required for Basel II/III and Solvency II compliance, which is a gap it needs to close to support large financial services firms.

  • Pricing — RSA has a large number of modules. Although the cost of each module is reasonable, because most use cases will require two or three of them, the total license cost can exceed the expectations of some customers. The licensed content and solutions from Archer Exchange can also add incremental costs, although customers get a few paid solutions without cost, and there is much community-based content available without cost.


Enablon

Enablon demonstrated Enablon 6. With global headquarters in Paris, a North American headquarters in Chicago, and a direct presence in Canada, Australia, the U.K. and Spain, its foundations are in operational GRC, with solutions for EH&S, quality management and corporate sustainability performance management. Enablon's legacy in operational GRC provides for strong capabilities in case management, and in analyzing the impact of risks on performance. As it engages more directly in more core EGRC implementations, and develops its strategy further for the market, Enablon has moved from the Challengers quadrant to the Visionaries quadrant.

  • Product — Enablon is very strong in case or incident management, and is able to visualize and configure the workflow for each investigation. It also has a solid regulatory change management capability. Its ability to analyze the impact of KRIs on KPIs is well above average. The version demonstrated to Gartner had above-average process visualization and looked relatively simple to work with to create complex workflows.

  • Overall Viability — Enablon has a large and growing customer base, and consistent year-over-year revenue growth.

  • Vertical/Industry Strategy — Enablon is well-suited for manufacturing, natural resources and utilities, as well as other industries where sustainability and EH&S represent a large component of overall risk and compliance exposures.

  • Customer Experience — Overall customer satisfaction was above average, but the breadth of use for the platform was below average, with most customers citing that they used the product for just one or two functions. The most common uses were case or incident management and ORM.

  • Operations — Customers cited longer-than-average times to implement, with the majority stating six months or greater. However, Enablon customers often integrated the product with other targeted EH&S applications, which could account for longer implementations.


IBM

IBM demonstrated version 6.1 of its OpenPages GRC Platform that was generally available on 8 May 2012. IBM continues to integrate OpenPages with its growing portfolio of business analytics and risk management software products, including Algorithmics risk modeling, Cognos reporting, Q1 Labs for security information and event management, and SPSS predictive analytics. Opportunities for deeper integration among these products exist within IBM's road map and will serve to further solidify IBM's position in the Leaders quadrant if it follows through.

  • Market Understanding — OpenPages has broad coverage of EGRC-related requirements, with particular strengths in ORM and compliance. By combining this functionality with increased operational, credit and market risk analytics capabilities offered through Algorithmics, IBM is well-positioned to support the needs of companies seeking a full-scope ERM solution.

  • Marketing Strategy — IBM is focusing on the integration of risk management and performance management through its multiple offerings beyond OpenPages, which is growing the overall EGRC market opportunities. This shift in focus is garnering the attention of key stakeholders beyond risk management and compliance, such as board members and C-suite management representatives.

  • Product — The integration of Cognos makes it easy for end users to build their own custom reports. In addition, OpenPages continues to possess solid workflow capabilities, and it offers a mature, full-scope audit management solution.

  • Vertical/Industry Strategy — OpenPages maintains a strong presence in the banking and insurance industries, with proven capabilities to support Basel II Advanced Measurement Approaches and Solvency II requirements. In addition, IBM continues to expand into other highly regulated industries, such as utilities/energy and healthcare.

  • Pricing — OpenPages pricing is user-based and tiered with options to purchase individual modules within the platform. However, customer references indicate that OpenPages is priced higher than most of the products from competitors.

  • Customer Experience — The level of satisfaction among customer references has decreased in the area of implementation support. This may be because of challenges with integrating legacy OpenPages support teams into the larger IBM organization.

  • Operations — The time frame for implementation can be extended in many instances because of significant data and user role configuration requirements. Although this may reflect the complex nature of typical client operations and related requirements, it should be factored into project plans and total costs, because a greater degree of services is required.

Jade Software-Methodware

Methodware, which is owned by Jade Software, demonstrated ERA Kairos version 8.1, released in 2012. Methodware offers a platform that is very easy to navigate and is intuitive to the end user. Its strongest capabilities are in ERM, vendor risk management and business continuity planning. In March 2012, Jade created a new company, the Wynyard Group, to focus specifically on ERM, fraud intelligence and enforcement. Methodware is a key component of the Wynyard Group's offerings and will be managed by Wynyard going forward. With its marketing focus on financial services and good support for ERM, but with gaps in functionality and architecture, Methodware remains in the Visionaries quadrant.

  • Market Understanding — Methodware has a good understanding of ERM and the relationship of risk management and performance management. The Wynyard Group adds domain expertise in anti-bribery and anti-corruption, which is an emerging focus of many GRC buyers.

  • Product — Methodware uses "methods" (widgets or wizards) to intuitively walk a user through complex assessments and testing. These methods avoid the screen clutter that is common to most EGRC platforms. The method design studio makes it simple to visualize workflows and design methods. Data visualization makes relationships clear and the investigation of relationships easy. For example, in the audit management module, the risk universe was illustrated by business unit and corporate objective. Heat maps illustrate before and after risk mitigation, and it is easy to navigate to data from the heat map. Loss event linkages to risks and controls are clear, and incidents can be linked to evaluate patterns. Vendor risk management is a strength. Also, Methodware is one of the few EGRC platform vendors with a solid business continuity planning capability.

  • Geographic Strategy — Methodware has excellent coverage and support for a relatively small vendor.

  • Product — Policy management remains below average. Survey capability is limited and is done through the creation of methods. Some administrator functions, particularly in audit management, use an older interface that is more difficult to navigate and is not as intuitive. This contrast is glaring when compared to the simple and intuitive navigation for the rest of the product.

  • Customer Experience — Overall customer satisfaction was above average, but when asked whether the product met expectations, some customers cited uses where it was below expectations. Policy management was the function most often cited as below expectations.


Mega

Mega demonstrated its Mega Suite, version 4.0, which was released in February 2012. Mega remains in the Visionaries quadrant and continues to evolve its EGRC platform, with a strong focus on business process architecture. Mega's business process focus emanates from its roots as an enterprise architecture software provider and serves as a key differentiator for its EGRC product.

  • Product Strategy — Mega continues to rely on strategic alliances with key partners to provide additional content and functionality, such as KRI libraries (RiskBusiness), risk factor analysis (Probayes), statistical modeling (MATLAB) and CCM (Approva).

  • Innovation — The company is increasing its significant investment in R&D to provide future SaaS capabilities and additional functionality to support mobile capabilities for loss data capture and operational incident management.

  • Product — Mega has made significant improvements in its audit management functionality and continues to focus on strengthening its ability to address the ORM requirements for financial services.

  • Customer Experience — Client surveys indicate a consistent level of satisfaction with Mega's product offering and level of support.

  • Operations — Most of Mega's implementation projects extended beyond six months and required a significant amount of custom coding to support the client requirements. This may help explain the relatively low number of new implementations. Extended implementation times can be attributed to Mega's clients embracing the business process architecture elements of the platform. However, Mega must look to improve in this area to scale its EGRC customer base successfully.

  • Vertical/Industry Strategy — Roughly half of Mega's current customer base is financial-services-oriented. As a result, Mega continues to invest heavily in supporting the needs of that market. However, the financial services marketplace for EGRC software is largely saturated, and additional growth will require an increased focus on other industries. Mega is increasing its focus on other industries, such as manufacturing, utilities and government, and must continue to develop its EGRC functionality to meet these industries' diverse needs.


MetricStream

MetricStream demonstrated MetricStream GRC Platform, version 6.0, which was originally released in March 2010. The company offers a broad-based EGRC platform to a wide range of customers across a number of different industry verticals. MetricStream also provides an IT GRC software solution that was recently bolstered by its acquisition of TBD Networks and its vPanorama technology. vPanorama provides the ability to manage virtual IT assets in public and private cloud environments.

  • Product Strategy — MetricStream focuses on a broad array of areas of evolving need, including audit management and regulatory change management.

  • Vertical/Industry Strategy — The company has built a solid client base across industries, including banking and financial services, energy and utilities, life sciences and healthcare, manufacturing and high tech, and consumer and retail.

  • Innovation — MetricStream is investing in improvements to its software through more advanced application functionality and platform enhancements, such as its AppStudio development capabilities.

  • Market Responsiveness and Track Record — The number of new implementations continues to increase year over year, with a corresponding increase in reported revenue.

  • Operations — The time frame for implementation exceeded six months for the majority of clients surveyed. This can be attributed to the level of customization that is typically required to implement the platform. MetricStream is focusing on product improvements to limit the level of customization for future implementations.

  • Pricing — MetricStream is highly customizable and configurable. This ability to adapt to a customer's processes can add significant cost to an implementation. Some customers have noted that the final costs significantly exceeded the original quotes. This issue can be managed by careful control of changes during implementation.


BWise

In May 2012, BWise was acquired by Nasdaq OMX as a core component of its Corporate Solutions group and is now referred to as BWise, a Nasdaq OMX company. The acquisition could help BWise expand its sales in North America. With the Nasdaq customer base, opportunities exist for BWise to expand sales into the midmarket and to verticals other than financial services, where BWise traditionally has been strong. BWise demonstrated version 4.1 SP3, which was released in 2011. BWise's position in the Leaders quadrant is based on a mature EGRC platform, to which BWise continues to add more advanced capabilities, an experienced management team and an innovative product strategy. It is the only vendor besides the large ERP vendors to offer an organic CCM solution that integrates with its EGRC platform.

  • Product — BWise has strong capabilities in compliance management and risk management, with both qualitative and quantitative capabilities. It has solid loss event and root cause analysis, with an integrated Monte Carlo engine. Its platform includes a business process modeling capability to document and visualize business processes, risks and controls. It has one of the best project risk management capabilities of all the vendors evaluated. An optional CCM capability is also available. It is one of two EGRC platform vendors that support entity management.

  • Operations — BWise has a stable, experienced management team that has remained in place after the acquisition. Customer references state that they are realizing value from the product very quickly after implementation.

  • Market Responsiveness — Revenue growth has been consistent during the past two years, but it is not increasing fast enough for BWise to maintain a relative position higher than other Leaders. Poor economic conditions in Europe, where BWise is headquartered, are partly to blame, as well as some challenges in growing its North American base. The Nasdaq sales force and customer base, however, give BWise new capabilities to grow sales worldwide.

  • Product Strategy — With the acquisition, there is some confusion about what the Nasdaq road map will be. Nasdaq brings new capabilities, such as corporate governance training and social analytics, that could help to differentiate BWise in the future. As for the current strategy, content needs more attention. Few customer references indicated that BWise had deployed content within the product. Improvements in policy management — specifically keeping track of changes with redlining — and in assessing the impact of regulatory changes for regulatory change management are also needed.


Oracle

Oracle demonstrated Oracle GRC Suite 8.6.4, which was released in August 2011. Oracle has a vast technology portfolio that spans applications, middleware and hardware, and the company places strong emphasis on the integration of its EGRC platform, called Oracle Enterprise Governance, Risk and Compliance Manager, with other Oracle assets. Oracle also offers CCM software applications, which it calls "controls governors," that integrate with the GRC platform. Although the platform is often included as part of a broader ERP deployment, many Gartner clients are comparing it in competitive EGRC platform bids. Oracle remains in the Leaders quadrant based on overall corporate viability, proven execution against its road map, and advanced capabilities to integrate risk management and performance management. Overall satisfaction for customer references was average, with some citing long times to implement and limited use of the product.

  • Market Understanding — Oracle clearly understands the GRC challenges faced by a number of verticals, and also the trends toward the integration of risk management and performance management.

  • Product Strategy — Oracle demonstrated functionality for emerging use cases, such as vendor risk management, case management and advanced risk analytics, including integration with performance management. For several products that are integrated with Oracle Enterprise Governance, Risk and Compliance Manager to extend the functionality of the platform, Oracle provides restricted-use licenses at no additional cost. These products include Oracle Database Enterprise Edition, WebLogic Suite, SOA Suite for Oracle Middleware, Oracle Data Integrator Enterprise Edition, and Universal Content Management — each of which may only be used with Oracle Enterprise Governance, Risk and Compliance Manager.

  • Geographic Strategy — Oracle provides good global support directly and through a number of strong partnerships with consultancies.

  • Product — Several customer references noted poor flexibility in audit management and control self-assessments. However, in the version that Oracle demonstrated to Gartner, there were significant improvements in workflow and linkages between the modules.

  • Market Responsiveness and Sales Execution — Oracle's policy is not to provide information on sales of individual products and numbers of customers, so those criteria were estimated based on Gartner inquiries, extrapolations of historical data and customer reference surveys.

  • Customer Experience — Some customer references noted long times to implement and limited use of the product, citing some functional use cases as performing below expectations.


Protiviti

Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. The company is wholly owned by Robert Half International and is included in Gartner's "MarketScope for Global Enterprise Risk Management Consulting Services." Protiviti also markets its proprietary EGRC software platform, Governance Portal, to its consulting clients and other nonconsulting prospects. Members of Protiviti's Risk Technology Solutions team demonstrated Governance Portal version 3.14, which was released in May 2012. Protiviti returns to the Magic Quadrant this year by surpassing the annual revenue requirement for inclusion. In addition, Protiviti moves into the Challengers quadrant this year from the Niche Players quadrant in 2010.

  • Product — Protiviti possesses strong capabilities for audit management, compliance and policy management, as well as regulatory change management, through its integration with Complinet. In addition, its clients view the Governance Portal as easy to use and to configure.

  • Sales Execution/Pricing — Protiviti's pricing is user-based and highly competitive for its on-premises and SaaS-based solutions.

  • Market Responsiveness and Track Record — The company nearly doubled the number of product implementations in 2011.

  • Operations — The average time frame to implement Governance Portal was less than three months for a majority of clients and required very little custom configuration.

  • Product Strategy — Governance Portal lacks integration with IT GRC or CCM applications. In addition, Protiviti lacks focus on emerging risk management demands, such as advanced risk analytics and vendor risk management.

  • Marketing Strategy — Protiviti states that it remains neutral when recommending EGRC platforms to its consulting clients, which could amount to a significant number of missed opportunities for additional implementations. In addition, Protiviti targets Governance Portal more toward members of senior management in finance, risk management, compliance and internal audit, without a stated focus on the board of directors or other C-suite representatives, such as the Chief Legal Officer.

  • Vertical/Industry Strategy — Although Protiviti supports clients in a broad array of industries, its primary focus for industry-specific content and functionality is limited to the financial services industry.

SAI Global Compliance

SAI Global Compliance demonstrated Compliance 360, version 2012.1, which was released in April 2012. SAI Global's corporate headquarters are in Australia, with its compliance division headquartered in North America and a small office in Europe. In 2011, SAI Global acquired Compliance 360, a U.S.-based vendor that delivers its EGRC platform as SaaS. Compliance 360 was strong in the healthcare market and was the only U.S.-based vendor with a content partnership with LexisNexis. SAI Global also delivers an EH&S compliance solution called Cintellate, as well as other GRC-related products, content and services. With a large customer base but unproven sales of Compliance 360 outside North America, SAI Global is a Challenger.

  • Product Strategy — Case management is a quickly emerging requirement of EGRC platform customers, and SAI Global Compliance's case management capability is very strong. It has a strong content strategy, with regulatory feeds from LexisNexis available. However, based on customer references, the LexisNexis capability is rarely implemented.

  • Vertical/Industry Strategy — SAI Global Compliance is very strong in healthcare.

  • Product — SAI Global is good at audit management and very strong at policy management, including e-learning and learning management system capabilities for training and certification on policies. It is very strong on regulatory change management. Reporting is above average, and there is an easy-to-use report wizard. Improvements are needed in risk management — particularly in loss event analysis.

  • Customer Experience — Customer satisfaction was above average. Customers noted a breadth of use cases for which they implemented the product and short implementation times.

  • Market Understanding — SAI Global was able to demonstrate basic linking of risks to strategic objectives, but it needs to improve risk analytics to assess the impact of KRIs on KPIs.

  • Product Strategy — From the road map, it is not clear that emphasis is being placed on improving risk analytics for business performance. Improvements in vendor risk management are planned.

  • Geographic Strategy — SAI Global's domain expertise, prior to the acquisition of Compliance 360, has been concentrated in the Asia/Pacific region. Compliance 360 has been primarily deployed to a U.S. market from a U.S.-based data center. SAI Global plans to deploy Compliance 360 in its EMEA and Asia/Pacific data centers; however, for now, non-U.S. customers should test SAI Global's ability to deliver high performance from data centers closer to their primary locations.

SAP

SAP offers several GRC-related products as part of the SAP Analytics portfolio. For this evaluation, it demonstrated SAP Risk Management and Process Control version 10, service pack 8, which was made generally available in July 2011. This latest version of SAP GRC has solidified SAP's position within the Leaders quadrant by providing SAP with a full-scope EGRC solution that, although most often sold to SAP customers, can be used by non-SAP customers.

  • Market Understanding — Although SAP GRC is still used primarily for process control activities such as financial reporting control compliance, its overall functionality has been vastly improved to meet the new market demands for integrating risk management and performance management activities.

  • Product Strategy — Integration with other SAP applications remains solid with SAP GRC version 10. The company also has bolstered its product strategy with the integration of key content providers such as Unified Compliance Framework for regulatory content, RiskBusiness for risk libraries and KRIs, and APQC for cross-industry business process frameworks. It is also maintaining a network of partners that provide specialized industry software, including partnerships with HP ArcSight, Novell, CA Technologies, Oversight Systems, Greenlight Technologies, LogLogic, Winshuttle and Sensage, among others.

  • Innovation — SAP is investing in new technologies to support its future EGRC platform capabilities, such as advanced, high-speed data analytics powered by SAP's Hana in-memory computing technology and mobile capabilities for policy approval and report viewing.

  • Sales Execution/Pricing — Although SAP has made strides in adjusting its pricing model for SAP GRC from enterprise-based to user-based, the clients surveyed have an enterprise-based pricing model and still view the product as more expensive than products from other vendors. Client emphasis on SAP's Access Control products for segregation of duties and role specification requirements continues to be a limiting factor for adoption of the broader EGRC platform. In addition, several of the integrated content providers require separate license purchases to gain access.

  • Customer Experience — Several customers indicated problems with prior versions of SAP GRC and with the upgrade to SAP GRC version 10 Access Control. However, those who were using the current version were mostly or very satisfied with the product.

  • Operations — Significant configuration efforts by IT personnel and implementation time frames beyond six months were noted by a large percentage of clients surveyed.

SAS

SAS demonstrated SAS Enterprise GRC version 5.1, which was released in February 2012. SAS is known for strong capabilities in ORM and broad-based risk analytics, with numerous algorithms for predictive and descriptive analytics, including Monte Carlo simulation for robust scenario analysis. Its platform supports compliance and audit functionality well. The company offers a host of complementary GRC-related products and supports diverse functions, such as fraud, sustainability and social media analytics for managing reputational risk. Based on a clear and consistent strategy for integrated risk and performance management, an innovative approach to GRC with advanced risk analytics, and growing sales and revenue, SAS moves from the Visionaries quadrant to the Leaders quadrant.

  • Marketing Strategy — SAS has a clear understanding of the needs of the C-suite and the board, and is able to demonstrate the value of integration of risk management and performance management in the achievement of business objectives.

  • Product — SAS emphasizes its risk analytics capabilities, which include analytic tools, a KPI and KRI catalog, and a loss event database. It also has excellent reporting functionality.

  • Vertical Strategy — SAS has strong capabilities for financial services and also capabilities for utilities.

  • Overall Viability — SAS has strong year-over-year GRC revenue growth and sales.

  • Product — Improvements are needed in regulatory change management and policy management. Usage is not intuitive, and significant expert training is needed. Customers note that configuration of the product is difficult.

  • Customer Experience — Customer satisfaction was average, and some references noted that a few uses for the product did not meet their expectations.

  • Operations — Customers noted long implementation times (some more than a year) and reported significant customization during implementation.

Software AG

Software AG offers its Governance, Risk and Compliance solution. It demonstrated Aris Risk & Compliance Manager version 4.0, and also included Aris Business Architect and Aris Process Performance Manager (PPM). Software AG's solution is most relevant for customers that already are using Aris business process tools or for those who are also looking to develop their business process management capabilities. Software AG has an innovative approach to the market with a vision for increasing automation and business process integration with risk management. Software AG moves into the Leaders quadrant as a result of product improvements and improved market responsiveness.

  • Market Understanding — Software AG has a strong focus on business performance. Through integration with Aris PPM, it is able to show the value of analyzing the impact of KRIs on KPIs.

  • Innovation — At several of its customer sites, Software AG is innovating with complex-event processing and in-memory computing to handle big data analytics for risk monitoring and remediation.

  • Product — Software AG includes ad hoc reporting capabilities via mashups that enable powerful dynamic dashboard configuration capabilities.

  • Product Strategy — While closing gaps on the product core functions, Software AG has been slow to improve its audit management. Policy management, however, has been improved and is competitive.

  • Product — Regulatory change management is weak. Several customer references noted that configuration was not easy. Aris-trained administrators are needed to manage and configure the product.

Sword Achiever

Sword Achiever demonstrated Sword Achiever version 5, which was released in 2011. It has the core functionality required for an EGRC platform, but the company has had challenges in extending its customer base beyond Achiever's legacy as an operational GRC offering focused on compliance with ISO standards and EH&S. Achiever has a rapid release schedule and executes well against its road map. Sword Achiever is improving its competitiveness in the EGRC platform marketplace, and it has begun to close gaps in its domain knowledge for ERM and financial GRC. Sword Achiever remains a Niche Player for now.

  • Product — Audit management is above average. Clients can automatically set audit frequency based on risk assessment, and they can generate automated remediation based on survey results. Planning and assignment of auditors are done well. Risk management is average but with good capability to link KPIs and KRIs.

  • Customer Experience — Customer satisfaction was above average, and references had no negative comments.

  • Market Understanding — Sword Achiever demonstrated the basics for linking risks to strategic objectives but is not able to support in-depth analysis of the impact of risks on business performance. It needs to develop more domain expertise on the GRC challenges facing heavily regulated industries.

  • Product Strategy — Achiever's capabilities were not strong for emerging use cases, such as vendor risk management, risk analytics and case management.

  • Product — Regulatory change management needs improvement.

Thomson Reuters

Thomson Reuters demonstrated Enterprise GRC version 4.4, which was released in 3Q12 and is part of the broader Thomson Reuters Accelus suite. Within its Accelus suite, Thomson Reuters has an array of GRC-related applications beyond its core Enterprise GRC platform that provide specific content and functionality for board communications, financial reporting/disclosure compliance, regulatory intelligence, fraud screening, and compliance training. Its Enterprise GRC platform is offered as an on-premises or a SaaS-based solution. Thomson Reuters remains in the Leaders quadrant based on its growing base of clients and its ability to provide a solid EGRC platform backed by risk and regulatory content.

  • Marketing Strategy — Thomson Reuters' focus on consolidating its solution set for risk and compliance management under the Accelus product line umbrella has proved effective. Its Enterprise GRC platform has benefited from this strategy by exposing it to a wider audience within the target organizations.

  • Vertical/Industry Strategy — The company capitalizes on its strong proprietary regulatory and compliance content to drive new EGRC sales with large financial services organizations, including brokers, dealers, commercial banks and insurance companies. In addition, it possesses strong environmental, anti-bribery, and healthcare legal and compliance content to support regulatory change management activities in industries such as manufacturing, energy/utilities and healthcare providers.

  • Pricing — The pricing model for Enterprise GRC is very clear and straightforward. In addition, a majority of clients surveyed indicated that the total platform cost is in line with or below market price.

  • Market Responsiveness and Track Record — Thomson Reuters demonstrated exceptional growth in the number of new implementations in 2011. It has an optional SaaS delivery mode that is attractive to many companies seeking to minimize upfront costs, especially small and midsize businesses — many of which are just entering the market.

  • Market Understanding — Thomson Reuters clearly focuses on its strengths in audit and compliance management. However, the EGRC marketplace continues to evolve beyond these areas, with a greater emphasis on integration with business performance management activities. This type of integration is a weakness in the current Enterprise GRC platform, but it is included within Thomson Reuters' product development road map for 2013.

  • Product Strategy — The current Enterprise GRC platform lacks a strong risk analytics component and is seldom integrated with products external to Thomson Reuters' proprietary solutions. Gartner views these limitations as long-term concerns that could threaten Thomson Reuters' position in the Leaders quadrant.

Wolters Kluwer Financial Services

Wolters Kluwer Financial Services demonstrated ARC Logics for Financial Services. ARC Logics is a brand name applied to several GRC-related products by Wolters Kluwer. ARC Logics for Financial Services replaces the product formerly known as Sword. Other ARC Logics products can be integrated to add additional capabilities — such as CCH TeamMate for audit management and FRSGlobal for regulatory reporting. Based on ARC Logics for Financial Services' slow growth in the market, and a vertical/industry strategy that targets only the financial services industry, Wolters Kluwer Financial Services is in the Niche Players quadrant.

  • Marketing Strategy — Wolters Kluwer Financial Services has a clear and consistent focus on compliance with the proliferating regulations that are impacting the financial services industry.

  • Product Strategy — It is very strong in legal and regulatory content, including regulatory alerts and regulatory impact analysis. FRSGlobal is available to add advanced risk analytics.

  • Product — It has demonstrated integration with TeamMate for above-average audit management. It is very strong in policy management and regulatory change management.

  • Market Understanding — Wolters Kluwer Financial Services is very focused on financial services compliance, with little focus on the integration of risk management and performance management.

  • Vertical/Industry Strategy — The platform solution as demonstrated is directed only at financial services, although there are other compliance and risk management offerings available from Wolters Kluwer to serve other industries.

  • Sales Execution — The core platform, based on the former Sword product, is not selling well. Wolters Kluwer Financial Services is selling large volumes of its Policies and Procedures system (the policy management capability), CCH TeamMate for audit management, and regulatory-related content.

  • Product — Delivering the full platform solution requires a number of ARC Logics products and other Wolters Kluwer products. Most customer references said that configuration by administrative users is not easy.

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Added

  • CMO Compliance reached the revenue threshold.

  • Nasdaq OMX acquired BWise.

  • SAI Global acquired Compliance 360, which had met the revenue threshold.

  • Wolters Kluwer Financial Services integrated products into its ARC Logics portfolio and met the definitional requirements to be included.

Dropped

  • Active Risk did not answer Gartner's request for information and did not provide a demonstration. Having a solid competitive offering, it would have been rated regardless; however, its most recent annual report indicated revenue just below the threshold for inclusion.

  • AlignAlytics has shifted its strategy to focus on performance management and no longer meets the market definition for inclusion.

  • LogicManager does not meet the new criteria for presence in two or more geographic regions. It focuses on the North American market.

Inclusion and Exclusion Criteria

Vendors will be included in this Magic Quadrant if they meet these criteria:

  • Ability to deliver at least the following GRCM functions — compliance management, risk management and regulatory change management.

  • Credible presence in the marketplace, which is defined as having at least $12 million in annual revenue for calendar-year 2011 from EGRC platform software and related services, at least 50 customers with live implementations of the software, and customers able to be referenced for corporate-governance-related GRC activities, such as financial reporting compliance and ERM.

  • Multiregion presence, which is defined as having at least five referenced customers with live implementations in each of two or more geographic regions, and physical office locations in at least two geographies. At least one of the regions must be in the U.S./Canada or Europe. Regions include the U.S./Canada, Europe, Latin America, the Middle East and Africa, Japan, Australia, and the rest of the Asia/Pacific region.

  • Several vendors were excluded because they do not meet the revenue threshold, even though they have competitive offerings in the market. These vendors include DoubleCheck, Optial, ProcessUnity and Xactium.

Several IT GRCM vendors also have been crossing over into EGRC on an opportunistic basis, even though they lack a top-down corporate governance and ERM focus, do not support audit management, and have risk management and policy management capabilities that are not optimized for non-IT uses. However, they often meet the basic risk management, compliance and policy management needs outside the IT department. The IT GRCM vendors most often seen crossing over include Agiliance, Modulo and Rsam. It is possible that some may meet the revenue thresholds in the future and develop stronger enterprise strategies and architectures. However, at this point, their primary focus is on supporting IT security professionals with their GRC needs.

Likewise, there are other highly specialized vendors that have basic GRC functionality but are focused on specialized roles. These vendors may take the opportunity at times to tout their EGRC capabilities, but their primary focus is not on enterprisewide support. These include EH&S, quality management, and standards compliance vendors, such as AssurX and BSI Group. Some eventually do cross over through expanding their products or by making an acquisition. MetricStream and Enablon are examples of the former, and SAI Global Compliance and Sword Achiever are examples of standards-compliance-oriented vendors entering the market through acquisition.

Evaluation Criteria

Ability to Execute

Vendors are assessed on their ability and success in making their vision a market reality. The following six Gartner criteria for Ability to Execute were considered:

  • Product/Service: Core goods and services offered by the provider that competes in/serves the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements and partnerships, as defined in the market definition and detailed in the subcriteria. Vendors were evaluated primarily on effective provisioning of the four primary functions — audit management, compliance, risk management and policy management. Ability to support IT GRCM was also an element.

  • Overall Viability: Includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the business unit to continue to invest in the product, offer the product and advance the state of the art in the organization's portfolio of products. Overall company revenue and revenue from the EGRC platform were the key determinants.

  • Sales Execution/Pricing: The technology providers' capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. For sales execution, a key metric was the size of the EGRC platform customer base. For pricing, key metrics were transparency and ease of calculation of the pricing model.

  • Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. A key metric was sales performance in 2011 and the first quarter of 2012.

  • Customer Experience: Relationships, products and services/programs that enable customers to be successful with the products evaluated. Customers were asked a variety of questions to determine their experience with the vendor and the EGRC platform, including whether the product met, exceeded or failed to meet expectations; areas where the vendor should improve; and the overall level of satisfaction with the vendor. Key metrics included overall satisfaction, breadth of use, ability to meet performance expectations and negative comments from reference customers.

  • Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure — including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. Key metrics were the experience of senior management and turnover of senior management.

Table 1.   Ability to Execute Evaluation Criteria

Evaluation Criteria                                                    Weighting
Product/Service
Overall Viability (Business Unit, Financial, Strategy, Organization)
Sales Execution/Pricing
Market Responsiveness and Track Record
Marketing Execution                                                    No Rating
Customer Experience
Operations

Source: Gartner (October 2012)

Completeness of Vision

Vendors are rated on their understanding of how market forces can be exploited to create value for customers and opportunity for themselves. The following six criteria for Completeness of Vision were considered significant for the EGRC platform market:

  • Market Understanding: Ability of the provider to understand buyer needs and to translate these needs into products and services. Vendors that show the highest degree of vision listen to and understand buyer wants and needs, and can shape or enhance those wants with their added vision. Vendors understood major EGRC platform trends, particularly the relationship of ERM to business performance.

  • Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. EGRC platform vendors were evaluated on whether their strategies were clearly consistent and aligned with market direction.

  • Offering (Product) Strategy: A provider's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements. EGRC platform vendors were evaluated on whether they were closing any significant product gaps, the ability to address a variety of use cases with core and advanced capabilities, and their GRC content strategy.

  • Vertical/Industry Strategy: The provider's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical industries. EGRC platform vendors were evaluated on whether they had differentiated offerings for two or more highly regulated industries, could meet the ORM needs of the financial services industry, and had content and capabilities for industry-specific needs.

  • Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, and defensive or pre-emptive purposes. The primary metrics for EGRC vendors were R&D investment and significant noncore capabilities.

  • Geographic Strategy: The provider's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside its native geography — directly or through partners, channels and subsidiaries — as appropriate for that geography and market. The primary metrics were direct sales and support presence in multiple geographies, and reseller and service partner support.

Table 2.   Completeness of Vision Evaluation Criteria

Evaluation Criteria                                                    Weighting
Market Understanding
Marketing Strategy
Sales Strategy                                                         No Rating
Offering (Product) Strategy
Business Model                                                         No Rating
Vertical/Industry Strategy
Innovation
Geographic Strategy

Source: Gartner (October 2012)

Quadrant Descriptions

Leaders

The EGRC platform market is consolidating, and the vendors in this market have had time to develop their products and strategies. Customers are looking for Leaders to provide additional functionality, such as support for chief risk officers, integration with advanced BI and corporate performance management applications, business process modeling, more-flexible and ad hoc reporting, planning and resource management for internal audit, and content and specialized capabilities for risk management and compliance beyond the core functions, such as CCM. They also expect support across multiple geographies. The large vendors should be best positioned for these requirements, yet smaller vendors are in the Leaders quadrant because of continued viability, more-advanced functionality and market understanding.

Challengers

Challengers have proven viability, demonstrated market performance and shown the ability to exceed customer expectations on technical functionality. Challengers need to focus on their product road maps — as well as their sales, marketing, geographic and vertical industry strategies — to move into the Leaders quadrant.

Visionaries

Visionaries have a solid understanding of the market, as demonstrated by domain expertise and responsiveness to customer expectations. They are actively executing against an aggressive product road map that expands support to additional regulatory and nonregulatory compliance and risk management needs, including support for the integration of GRC with business performance. In a consolidating market, smaller Visionaries will have to differentiate themselves with advanced functionality to remain competitive.

Niche Players

Niche Players often have a unique approach to the market. Vendors could also be in the Niche Players quadrant because they have to improve the core platform functions. Niche Players may also target a specific industry vertical or the needs of particular professionals. All vendors in the Niche Players quadrant are successful in the market with competitive solutions.

Context

This Magic Quadrant for EGRC platforms presents a global view of Gartner's assessment of the main software vendors that should be considered by organizations seeking a technology solution to support the oversight and operation of enterprisewide risk management and compliance programs, with the overall objective being improvements in corporate governance and the ability to achieve business objectives.

Buyers should evaluate vendors in all four quadrants. The vendors from the Niche Players quadrant have the core functionality of an EGRC platform and, although having some product or product strategy challenges, offer good value for money, specialized industry capabilities or both. They bring some unique approaches to the market that can be of value to many companies. Several vendors in the Visionaries quadrant are driving innovation in the market through integration with business process modeling, CCM, risk analytics, targeted vertical industry solutions, and other advanced capabilities beyond the core functions required to be in the Magic Quadrant. Leaders are innovating with advanced capabilities, have large customer bases, have solid capabilities in the core platform functions — audit management, compliance management, risk management and policy management — and have executed across several industries, with support for multiple professional roles. Challengers have executed well, but lag the Leaders in advancing their range of advanced GRC capabilities for specific industries or professional roles, or they have a functional or architectural challenge that should be closed.

The placement of the vendors and commentary in this Magic Quadrant are based on multiple sources. Customer perceptions of each vendor's strengths and challenges are derived from EGRC-related inquiries with Gartner, as well as an email survey of vendor customers conducted in June and July of 2012. The evaluations also have drawn from vendor briefings, a vendor-completed questionnaire about their EGRC platform strategies and operations, scripted product demonstration sessions with vendors, and other publicly available and proprietary financial, product and vendor information.

Market Overview

The EGRC platform market derives from the need for many entities to improve the oversight of corporate governance — including financial reporting compliance, ERM and related audits. Many organizations also want to consolidate other GRC activities into a common platform. Therefore, an EGRC platform must solve the immediate GRCM needs associated with corporate governance, and also enable an enterprise to pursue consolidation and integration of a diverse set of operational, IT, legal and finance GRC activities.

GRCM is defined as the automation of the management, measurement, remediation and reporting of controls and risks against objectives, in accordance with rules, regulations, standards, policies and business decisions. Many enterprises typically consider a GRCM application to satisfy a specific requirement, such as SOX compliance, an industry-specific regulation or ORM for a business process. However, enterprises often have other GRCM activities in mind, such as audit management, additional regulations (see "Hype Cycle for Regulations and Related Standards, 2010" ), IT governance, remediation management and policy management, which they eventually may integrate into a more consolidated EGRC approach. In a 2012 Gartner survey of 211 EGRC platform users, the four leading uses were audit management (45%), ERM (40%), ORM (40%), compliance with SOX or similar laws (33%), and IT risk management (25%).

Most enterprises are also looking for solutions that support their strategies for more controls automation, including reporting from CCM of ERP and other controls automation in the IT infrastructure that can be integrated into the EGRC platform. As a consequence, a trend of the convergence of CCM with the EGRC platform is emerging, and there is also a slow trend toward the convergence of IT GRCM and EGRC platform solutions. Some EGRC platform vendors are also starting to add content and capabilities to meet industry-specific operational GRC needs, such as Basel II/III, Solvency II, EH&S compliance, healthcare compliance, and NERC/FERC compliance. Overall, EGRC platform vendors are adding capabilities across a wide spectrum of financial, IT, operational and legal needs.

Despite the efforts of EGRC platform vendors to satisfy as many GRC needs as possible, they tend to focus on cross-industry requirements, and many industry-specific GRC solutions will remain. For lack of a better term, these are called "operational GRC." One operational GRC market that is growing rapidly is the energy trading and risk management (ETRM) platform market (see "Magic Quadrant for Energy Trading and Risk Management Platforms" ). Another example of operational GRC is the broad marketplace for financial services risk management solutions (see "A Banker's Guide to Credit, Market and Operational Risk Management Software Functionality" ). Rather than try to replicate the capabilities of these specialized solutions, EGRC platform vendors most often are trying to integrate with them.

IT GRCM Offerings of EGRC Platform Vendors

EGRC platforms serve organizations that take an enterprise approach to compliance and risk management, and that want to have all business units — including the IT organization — on the same GRCM solution. Most vendors with EGRC platforms offer modest IT governance automation functions. At a minimum, EGRC vendors offer the capability to document, survey and report IT risks and controls, but some may lack IT-specific content. Some vendors also provide support for an IT asset repository, IT policy management and the automated collection of IT controls data. Organizations with a primary interest in IT-centric GRCM requirements should be aware that most EGRC platforms balance financial, operational and IT requirements at the expense of IT-centric depth.

Gartner is monitoring the potential convergence of IT GRCM and EGRC functions, such that this differentiation would become generally irrelevant to the market; however, this has not yet happened in 2012. The most significant limiting factor is the divergence of requirements between top-down and bottom-up approaches. In many cases, organizations are buying two separate tools, indicating that this difference is more substantial than just vendor marketing and different buying centers.

This divergence is based on the differences in management and reporting requirements for top-down versus bottom-up approaches. Top-down requirements tend to be led by ERM teams addressing business executive requirements, as opposed to bottom-up requirements, which are typically led by IT or information security operations teams. The vendors continue to add functions that overlap top-down and bottom-up requirements, but convergence will only happen when organizations stop buying multiple tools to address diverging requirements, and agree on one tool to address both approaches comprehensively.

Some EGRC platform vendors qualify as IT GRCM vendors. BWise, MetricStream and OpenPages are EGRC platform vendors that have added IT GRCM capabilities. RSA, The Security Division of EMC is also an EGRC platform vendor, but it started in the IT GRCM market.

Key Trends Affecting the EGRC Platform Market

The EGRC platform is evolving on the basis of several trends, which include:

  • Increased demands on internal audit organizations as they cope with increasing regulatory requirements, ERM oversight and demands for more business performance audits

  • An increasing regulatory focus on anti-corruption and bribery in the aftermath of the financial crisis

  • ERM to support transparency objectives of regulators and decision making by business leaders

  • Risk analytics to support integration of risk management and performance management

  • Regulatory content services and change management to deal with regulatory proliferation

  • The SOX knock-on effect, as organizations find that auditors and regulators worldwide are raising the bar on internal controls even when the law is not as stringent as U.S. SOX (for example, Law 262 in Italy)

  • Consolidation, with a shift from dominance of the market by smaller best-of-breed players to one dominated by larger, well-established vendors

  • Supplier risk management to ensure that third parties do not present unacceptable compliance and risk challenges

  • Social risk management issues emerging from social marketing strategies and the need to ensure compliance with privacy and advertising regulations

  • Operational technology and critical infrastructure protection, which increase the variety and volume of risk and controls data

The latter three trends do not yet have much influence on the market, but they present a big data problem that will require a much greater investment in complex risk analytics and could lead to a significant transformation of the GRC market during the next three to four years. Specifically, as GRC adapts to social, supply chain and operational technology requirements, the volume of use cases will expand beyond what is reasonable to be included directly on the platform. With the proliferation of use cases, the platform will need to integrate with many more external data sources and applications, thus reversing what has been the evolution during the past six years to support most GRC use cases directly on the platform. Thus, the platform will fade in market positioning importance, but will remain foundational as an enabler for new GRC-related markets.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor that competes in/serves the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships, as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, SLAs and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.