Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA
02140 USA
Tel: +1 617.613.6000 | Fax: +1 617.613.5000 |
www.forrester.com
The Forrester Wave: Governance, Risk, And Compliance Platforms, Q1 2014
by Christopher McClean, Nick Hayes, and Renee Murphy, January 27, 2014
For: Security & Risk Professionals
Key Takeaways

It's No Longer Worth Trying To Define Distinct GRC Platform Submarkets
Unlike in previous years, in which Forrester published distinct enterprise GRC and IT GRC Forrester Waves, this report compared all of the top GRC platform vendors regardless of their primary target markets. This reflects growing customer interest in consolidated platforms, and vendor successes that frequently span traditional boundaries.

The Leaders Show The Greatest Ability To Support Diverse Use Cases
EMC RSA, IBM, MetricStream, Nasdaq OMX BWise, and Rsam have all finished in the Leaders position before, and Enablon is new to the category. All six of these vendors have shown strong fundamental platform capabilities and, most importantly, the flexibility to help customers address changing market and business demands.

The Strong Performers And Contenders Are Well Worth Considering On Shortlists
Agiliance, CMO Compliance, LogicManager, Mega, Modulo, Protiviti, Resolver, SAI Global, SAP, Thomson Reuters, and Wynyard make up the long list of Strong Performers, all having leading capabilities and winning deals in specific focus areas. Likewise, SAS Institute and The Network are Contenders that should be strongly considered for certain use cases.
© 2014, Forrester Research, Inc. All rights reserved. Unauthorized
reproduction is strictly prohibited. Information is based on best
available resources. Opinions reflect judgment at the time and are
subject to change. Forrester, Technographics, Forrester Wave,
RoleView, TechRadar, and Total Economic Impact are trademarks of
Forrester Research, Inc. All other trademarks are the property of
their respective companies. To purchase reprints of this document,
please email [email protected]. For additional
information, go to www.forrester.com.
For Security & Risk Professionals
Why Read This Report
Growing diversity in the governance, risk, and compliance (GRC) platform market is blurring the lines between historical subsegments, as organizations push their GRC programs into the far reaches of business processes and initiatives. In Forrester's 43-criteria evaluation of the 19 most relevant GRC vendors, we dug deep into their technologies and strategies to separate the Leaders from the Strong Performers and Contenders. Based on briefings, demos, customer surveys, interviews, and actual use of the products, this report presents a detailed and transparent assessment to help you select the GRC platform best able to meet your business needs.
Table Of Contents
GRC Technology Decisions Are Getting More Difficult
It's Not Worth Defining Submarkets For GRC Platforms
Governance, Risk, And Compliance Platform Evaluation Overview
Evaluation Analysis
Vendor Profiles
Supplemental Material
Notes & Resources
Forrester conducted product evaluations in July 2013 and interviewed 18 vendor companies: CMO Compliance, Enablon, IBM OpenPages, LogicManager, Mega, MetricStream, Modulo, Nasdaq OMX BWise, Protiviti, Resolver, EMC RSA, Rsam, SAI Global, SAP, SAS Institute, The Network, Thomson Reuters, and Wynyard.
Related Research Documents
Assess Your GRC Program With Forrester's GRC Maturity Model, October 2, 2013
The Forrester Wave: IT Governance, Risk, And Compliance Platforms, Q4 2011, December 1, 2011
The Forrester Wave: Enterprise Governance, Risk, And Compliance Platforms, Q4 2011, November 30, 2011
The Forrester Wave: Governance, Risk, And Compliance Platforms, Q1 2014
A Detailed Evaluation Of The 19 Most Relevant GRC Software Vendors
by Christopher McClean, Nick Hayes, and Renee Murphy with Stephanie Balaouras and Kelley Mak
For Security & Risk Professionals
The Forrester Wave: Governance, Risk, And Compliance Platforms, Q1 2014
© 2014, Forrester Research, Inc. Reproduction Prohibited. January 27, 2014
GRC Technology Decisions Are Getting More Difficult
For all the growth and maturity of the GRC platform market, it's a segment that still eludes clear definitions and boundaries. Risk and compliance professionals are discovering new ways to leverage these technologies for greater efficiency and control, but now they face hard choices about how far to take them: what use cases they can support, whether to consolidate multiple applications into a single platform, and how to roll out their program so that it builds business success.
Organizations' GRC Technology Environments Grow More Complex
Forrester surveyed 66 GRC customer organizations for this report and found that almost half (44%) have more than one GRC platform.1 For example, after a recent implementation that took more than a year, one financial services organization with tens of thousands of employees now has six GRC platforms in production, including one that the vendor no longer supports and another that the company plans to phase out. Similarly, a compliance manager for a large energy company described an environment with at least four GRC platform implementations, two of which were separate instances of the same product.
Both of these customers had great things to say about the value their GRC tools deliver, a common sentiment among GRC customers. However, the strategic and tactical decisions involved in ensuring that the technology environment is efficient and effective are dizzying, to say the least.
It's Not Worth Defining Submarkets For GRC Platforms
For the past decade, few GRC systems could address the various risk and compliance needs of all the different parts of even a medium-size enterprise. Instead, vendors targeted the specific requirements of a single department or function, typically IT, finance, or health and safety. Now, however, vendors are shedding their past niche specialties to compete for bigger and broader deals, creating a complex marketplace of many diverse competitors. For this Forrester Wave research effort alone, Forrester considered over 50 vendors that all market GRC capabilities.
But don't lump any vendor into this growing group based just on marketing language. A true GRC platform includes four basic functions:
1. A relational database stores GRC data and maps its context
within the organization. Fundamental to GRC is the ability to
understand the relationships between risks, controls, policies,
requirements, assets, processes, and other objects.
2. A workflow engine facilitates GRC processes. This is how to
make sure people know when and how to conduct assessments, audits,
remediations, action plans, and other relevant tasks.
3. Content management capabilities store critical documentation.
These features allow organizations to create, review, update,
distribute, and archive records such as policies and audit
findings.
4. Reporting capabilities create understanding and drive
decisions. Analysis of vast GRC information is necessary for
business decision-makers, auditors, regulators, and boards of
directors.
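The first of the four functions is easiest to see as a relational model in which the mappings between objects carry the context. What follows is an added illustration, not code from the report or from any vendor it evaluates: an assumed SQLite schema for requirements, risks, controls, and assets, loaded with constructed sample rows, and three queries of the kind a platform's reporting layer has to answer: risks with no effective control behind them, requirements mapped to no control at all, and the assets exposed when one control fails.

```python
"""Relational GRC object model with coverage-gap queries.

Added illustration with an assumed schema; it is not any vendor's data model.
"""
import sqlite3

# Assumed schema: the object types the report names, plus the many-to-many
# mapping tables that give each object its context in the organization.
SCHEMA = """
CREATE TABLE requirement (id TEXT PRIMARY KEY, source TEXT NOT NULL, text TEXT NOT NULL);
CREATE TABLE risk        (id TEXT PRIMARY KEY, title TEXT NOT NULL, owner TEXT NOT NULL);
CREATE TABLE control     (id TEXT PRIMARY KEY, title TEXT NOT NULL, status TEXT NOT NULL
                          CHECK (status IN ('effective', 'ineffective', 'not_tested')));
CREATE TABLE asset       (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE risk_control (risk_id TEXT NOT NULL REFERENCES risk(id),
                           control_id TEXT NOT NULL REFERENCES control(id),
                           PRIMARY KEY (risk_id, control_id));
CREATE TABLE requirement_control (requirement_id TEXT NOT NULL REFERENCES requirement(id),
                                  control_id TEXT NOT NULL REFERENCES control(id),
                                  PRIMARY KEY (requirement_id, control_id));
CREATE TABLE risk_asset (risk_id TEXT NOT NULL REFERENCES risk(id),
                         asset_id TEXT NOT NULL REFERENCES asset(id),
                         PRIMARY KEY (risk_id, asset_id));
"""

# Constructed sample rows, not taken from the report or from any real program.
SAMPLE = """
INSERT INTO requirement VALUES ('REQ-1', 'payment card standard', 'Authenticate all remote access'),
                               ('REQ-2', 'financial reporting rule', 'Approve changes to reporting systems'),
                               ('REQ-3', 'business continuity standard', 'Test recovery of critical systems');
INSERT INTO risk VALUES ('R-1', 'Credential theft via remote access', 'IT security'),
                        ('R-2', 'Unauthorised change to the general ledger', 'Finance'),
                        ('R-3', 'Primary data centre outage', 'IT operations');
INSERT INTO control VALUES ('C-1', 'Multi-factor authentication on the VPN', 'effective'),
                           ('C-2', 'Quarterly privileged-access review', 'ineffective'),
                           ('C-3', 'Change advisory board approval', 'not_tested');
INSERT INTO asset VALUES ('A-1', 'VPN gateway'), ('A-2', 'General ledger');
INSERT INTO risk_control VALUES ('R-1', 'C-1'), ('R-1', 'C-2'), ('R-2', 'C-3');
INSERT INTO requirement_control VALUES ('REQ-1', 'C-1'), ('REQ-2', 'C-3');
INSERT INTO risk_asset VALUES ('R-1', 'A-1'), ('R-2', 'A-2'), ('R-3', 'A-1'), ('R-3', 'A-2');
"""


def open_db():
    """In-memory database loaded with the schema and the constructed sample."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA + SAMPLE)
    return db


def unmitigated_risks(db):
    """Risk IDs that have no mapped control currently assessed as effective."""
    rows = db.execute("""
        SELECT r.id FROM risk r
        WHERE NOT EXISTS (SELECT 1 FROM risk_control rc
                          JOIN control c ON c.id = rc.control_id
                          WHERE rc.risk_id = r.id AND c.status = 'effective')
        ORDER BY r.id""").fetchall()
    return [row[0] for row in rows]


def uncovered_requirements(db):
    """Requirement IDs to which no control is mapped at all."""
    rows = db.execute("""
        SELECT q.id FROM requirement q
        LEFT JOIN requirement_control qc ON qc.requirement_id = q.id
        WHERE qc.control_id IS NULL ORDER BY q.id""").fetchall()
    return [row[0] for row in rows]


def assets_behind_control(db, control_id):
    """Asset IDs exposed if the given control fails: control -> risk -> asset."""
    rows = db.execute("""
        SELECT DISTINCT a.id FROM control c
        JOIN risk_control rc ON rc.control_id = c.id
        JOIN risk_asset ra ON ra.risk_id = rc.risk_id
        JOIN asset a ON a.id = ra.asset_id
        WHERE c.id = ? ORDER BY a.id""", (control_id,)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = open_db()
    print("risks without an effective control:", unmitigated_risks(db))
    print("requirements without any control:", uncovered_requirements(db))
    print("assets exposed if C-1 fails:", assets_behind_control(db, "C-1"))
```

Workflow and content management are left out; the point is that every answer comes from joining the mapping tables, not from any single object. A tool that stores risks, controls, and policies as separate lists without these relationships cannot answer the third query at all.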
Use Cases Are Extremely Diverse, And That Diversity Will Only Increase
Rapidly evolving business and regulatory environments constantly introduce new customer scenarios and requirements for GRC platforms. In some cases it's heavily regulated financial firms reacting to new rules in the Dodd-Frank Act; sometimes it's manufacturing and retail firms working to improve their third-party risk management processes; and other times it's contractors managing controls and processes for major events like the Olympics or the FIFA World Cup, or for a Smart Grid deployment.
Any aspect of the organization that has performance objectives,
by definition, has risks to the achievement of those objectives.
For complex or especially important aspects of the organization,
managing all of these risks is nearly impossible without
technology, which means companies will continue to see the value
that GRC platforms can bring to everything they do.
If You Have A Specific Use Case, Adjust The Wave Weightings To Your Needs
The Forrester Wave model is an incredibly flexible tool, enabling you to customize how much each of the 43 criteria influences the vendor rankings, which gives you a more targeted list of vendors to consider based on your specific requirements. While the Leaders in the Wave will usually remain high on the list regardless of what you change, some vendors will rise significantly with different weightings. To show you how this works, Forrester created a few additional sets of weightings based on some common initial GRC implementations:
Corporate compliance, environmental compliance, and social responsibility. Forrester developed these weightings for scenarios where the main use of the GRC platform will be to manage policies, develop an effective training and awareness program, and extend the scope of the program to cover environmental health and safety. Using Forrester's suggested weighting revisions, you will see several vendors rise significantly higher on your list: CMO Compliance, Protiviti, SAI Global, and The Network (in alphabetical order). See the endnote for the detailed weighting suggestions.2
IT GRC and third-party risk management. Use these suggested
weightings if the primary function of the GRC platform will be to
manage IT risks and compliance requirements both internally and
across the supply chain. With these revised weightings, the vendors
that rise significantly higher on your list include Agiliance, IBM,
Modulo, and Protiviti (in alphabetical order). See the endnote for
the detailed weightings suggestions.3
Financial controls and operational risk. For GRC professionals working for organizations in the financial services industry or with a heavy emphasis on financial controls and operational risk, Forrester recommends customizing the criteria using weightings that focus on risk management, control monitoring and enforcement, and audit management. Emphasizing these criteria with Forrester's suggested weighting revisions, the vendors that rise most significantly on your list are IBM, Mega, Protiviti, and Resolver (in alphabetical order). See the endnote for the detailed weighting suggestions.4
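As an added example, not Forrester's Excel-based tool, the script below reproduces the arithmetic behind the Figure 2 scorecard and then applies an alternative weighting. The sub-criteria scores and Forrester's default weights are transcribed from Figure 2; each category total in that figure equals the weighted sum of its sub-criteria, which the script reproduces to within rounding. The IT GRC weighting defined in IT_GRC_CO is an assumption for illustration only, since the report's endnote weightings are not reproduced on this page. Note that domain-specific support is scored 0.00 for every vendor at 0% weight, so shifting weight onto it changes nothing; the example emphasizes technical functionality and risk and control management instead.

```python
"""Recompute and re-weight the Figure 2 scorecard.

Added example, not Forrester's tool. Scores and default weights are transcribed
from Figure 2; the IT GRC weighting below is an assumption for illustration.
"""

# Sub-criteria in Figure 2 order with Forrester's default weights inside each category.
CURRENT_OFFERING = [
    ("Content management", 0.15), ("Risk and control management", 0.15),
    ("Workflow management", 0.15), ("GRC management and analytics", 0.15),
    ("Audit management", 0.10), ("GRC breadth and depth", 0.10),
    ("Domain-specific support", 0.00), ("Technical functionality", 0.20),
]
STRATEGY = [
    ("Company vision and strategy", 0.40), ("Product vision and strategy", 0.20),
    ("Support for GRC roles", 0.10), ("Customer references", 0.30),
]
# Category weights: current offering 50%, strategy 50%; market presence is 0% (bubble size only).
CATEGORY_WEIGHTS = (0.50, 0.50)

# vendor -> (current offering sub-scores, strategy sub-scores), 0 (weak) to 5 (strong).
SCORES = {
    "Agiliance":        ((3.00, 4.20, 3.00, 3.50, 1.35, 3.00, 0.00, 4.05), (2.30, 3.40, 3.05, 3.00)),
    "CMO Compliance":   ((4.00, 2.70, 3.00, 2.50, 3.70, 2.40, 0.00, 3.70), (3.00, 4.20, 3.05, 3.00)),
    "EMC RSA":          ((4.25, 4.60, 3.00, 4.00, 3.65, 5.00, 0.00, 4.25), (4.70, 3.00, 3.75, 4.00)),
    "Enablon":          ((3.75, 4.20, 4.00, 4.00, 4.35, 3.00, 0.00, 4.25), (3.30, 2.60, 4.10, 4.40)),
    "IBM":              ((3.50, 4.60, 4.00, 4.50, 4.35, 3.80, 0.00, 3.00), (3.70, 3.60, 4.05, 2.60)),
    "LogicManager":     ((1.75, 3.20, 3.00, 2.50, 3.05, 1.60, 0.00, 3.25), (2.30, 4.20, 3.40, 4.40)),
    "Mega":             ((2.50, 4.80, 5.00, 4.00, 4.00, 2.80, 0.00, 2.80), (2.30, 2.20, 3.70, 2.40)),
    "MetricStream":     ((4.75, 5.00, 5.00, 4.50, 4.65, 5.00, 0.00, 4.70), (5.00, 3.60, 4.40, 3.30)),
    "Modulo":           ((2.75, 4.20, 4.00, 3.00, 2.40, 3.80, 0.00, 3.70), (3.00, 2.20, 2.75, 3.80)),
    "Nasdaq OMX BWise": ((4.75, 4.70, 3.00, 4.50, 4.65, 3.80, 0.00, 4.75), (4.00, 3.80, 5.00, 5.00)),
    "Protiviti":        ((3.50, 4.60, 3.00, 3.00, 4.30, 3.00, 0.00, 3.00), (3.30, 1.80, 4.00, 1.60)),
    "Resolver":         ((3.00, 4.50, 5.00, 2.50, 3.70, 3.00, 0.00, 3.20), (2.30, 4.20, 3.40, 1.00)),
    "Rsam":             ((3.75, 5.00, 5.00, 4.50, 3.70, 3.60, 0.00, 3.80), (3.70, 4.40, 3.40, 4.00)),
    "SAI Global":       ((3.50, 3.60, 3.00, 2.50, 3.00, 2.40, 0.00, 2.10), (3.70, 2.60, 3.70, 2.70)),
    "SAP":              ((1.75, 4.30, 4.00, 4.50, 3.40, 3.80, 0.00, 2.90), (4.00, 2.00, 3.70, 3.60)),
    "SAS Institute":    ((1.25, 3.60, 3.00, 3.50, 2.70, 2.40, 0.00, 2.40), (2.30, 2.40, 2.80, 1.30)),
    "The Network":      ((4.50, 1.50, 3.00, 0.50, 0.70, 0.60, 0.00, 2.75), (1.70, 4.20, 3.00, 2.70)),
    "Thomson Reuters":  ((2.75, 3.30, 4.00, 2.50, 4.00, 3.00, 0.00, 2.65), (4.00, 3.00, 3.95, 2.60)),
    "Wynyard":          ((2.50, 4.00, 4.00, 3.50, 3.00, 3.00, 0.00, 3.05), (3.30, 4.20, 3.05, 4.00)),
}


def reweight(criteria, overrides):
    """Copy of `criteria` with the named weights replaced, renormalised to sum to 1."""
    unknown = set(overrides) - {name for name, _ in criteria}
    if unknown:
        raise KeyError(f"unknown criteria: {sorted(unknown)}")
    raw = [(name, overrides.get(name, weight)) for name, weight in criteria]
    total = sum(weight for _, weight in raw)
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    return [(name, weight / total) for name, weight in raw]


def weighted(scores, criteria):
    """Weighted average of sub-scores under criteria whose weights sum to 1."""
    if len(scores) != len(criteria):
        raise ValueError("one score per criterion expected")
    return sum(score * weight for score, (_, weight) in zip(scores, criteria))


def category_scores(vendor, co=CURRENT_OFFERING, st=STRATEGY):
    """(current offering, strategy) totals for one vendor under the given weightings."""
    co_scores, st_scores = SCORES[vendor]
    return weighted(co_scores, co), weighted(st_scores, st)


def rank(co=CURRENT_OFFERING, st=STRATEGY):
    """Vendors, best first, by the 50/50 blend of current offering and strategy."""
    blended = {}
    for vendor in SCORES:
        c, s = category_scores(vendor, co, st)
        blended[vendor] = CATEGORY_WEIGHTS[0] * c + CATEGORY_WEIGHTS[1] * s
    return sorted(blended, key=blended.get, reverse=True)


def movers(baseline, custom):
    """{vendor: places gained} for vendors that rank higher in `custom` than in `baseline`."""
    return {v: baseline.index(v) - custom.index(v)
            for v in custom if baseline.index(v) > custom.index(v)}


# Assumed IT GRC emphasis (not the report's endnote weighting): more weight on technical
# functionality and risk and control management, less on audit management.
IT_GRC_CO = reweight(CURRENT_OFFERING, {"Technical functionality": 0.35,
                                         "Risk and control management": 0.25,
                                         "Audit management": 0.05})

if __name__ == "__main__":
    default, it_grc = rank(), rank(co=IT_GRC_CO)
    for position, vendor in enumerate(it_grc, 1):
        co, st = category_scores(vendor, IT_GRC_CO)
        print(f"{position:2d}. {vendor:18s} current offering {co:.2f}  strategy {st:.2f}")
    print("rose under the IT GRC weighting:", movers(default, it_grc))
```

Two details matter when you do this with your own weights: renormalise after overriding, or every vendor's total drifts and the 0-to-5 scale stops meaning anything, and keep market presence at 0% unless you deliberately want vendor size to override product fit.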
GRC Vendors And Platforms Are Improving In Maturity, But Several Issues Persist
Customers are generally satisfied with the GRC platform they chose, often due more to the positive relationships they have with their vendor than to the specific technical capabilities. Two-thirds (66%) of GRC customers rated the overall vendor relationship with the highest levels of satisfaction (9 or 10 on a 0-10 scale), whereas only 32% gave the same marks for the product's end user experience, and an even smaller portion (28%) were very satisfied with the dashboard and analytics capabilities. Customers see the business value, but technical functionality, ease of use, and reliability of the platform are areas where most GRC vendors still fall short.5
Governance, Risk, And Compliance Platform Evaluation Overview
To assess the state of the governance, risk, and compliance
platform market, Forrester evaluated the strengths and weaknesses
of the top software vendors.
The Evaluation Highlighted Product Capabilities, Vendor Strategy, And Market Reach
Based on extensive market research, an assessment of customer
needs, ongoing work helping our clients develop strong GRC
programs, and constant engagement with GRC vendors and
practitioners, we developed a comprehensive set of 43 evaluation
criteria to compare and contrast the most relevant vendors. These
criteria fit into three categories:
Current offering. The vertical axis of the Forrester Wave graphic reflects the strength of each vendor's product offering, including its capabilities to deliver content management, risk and control management, workflow management, GRC management and analytics, audit management, GRC breadth and depth, domain-specific support, and underlying technical functionality.
Strategy. The horizontal axis measures the viability and execution of each vendor's strategy, which includes the company vision and strategy, product vision and strategy, support for GRC roles, and feedback from customer references.
Market presence. The size of each vendor's bubble on the Forrester Wave graphic represents the vendor's presence in the GRC market, based on its financial viability, customer base, GRC staff, and global presence.
Vendors In This Wave Have Broad Capabilities, Market Presence, And Relevance
Forrester included 19 vendors in the assessment: Agiliance, CMO
Compliance, EMC RSA, Enablon, IBM, LogicManager, Mega,
MetricStream, Modulo, Nasdaq OMX BWise, Protiviti, Resolver, Rsam,
SAI Global, SAP, SAS Institute, The Network, Thomson Reuters, and
Wynyard. Each of these vendors has (see Figure 1):
Capabilities to support a wide range of GRC use cases. Every
vendor in the Forrester Wave has a substantial enough breadth of
capabilities to address the needs of governance, risk management,
and compliance professionals across multiple industries, domains,
and use cases.
Substantial market presence. All vendors evaluated in this
Forrester Wave had at least 100 customer organizations and earned
more than $10 million in GRC revenue during 2012.
Relevance to the market. Inclusion in this Forrester Wave means
that the vendor actively competes in the GRC market, showing up in
competitive situations and discussions among Forrester clients.
Of the 19 vendors invited to participate in our evaluation, Agiliance was the only vendor that declined the invitation. However, considering the company's past participation and continued effort to position itself as a GRC platform vendor, Forrester chose to include it in the evaluation as a nonparticipant.
Figure 1 Evaluated Vendors: Product Information And Selection Criteria
Source: Forrester Research, Inc.

Vendor              Product evaluated                          Product version evaluated     Product release date
CMO International   CMO Compliance                             8                             February 2013
EMC RSA             RSA Archer GRC                             RSA Archer GRC Platform 5.4   June 19, 2013
Enablon             Enablon Risk Management Suite              Enablon 6 R5                  June 2013
IBM                 IBM OpenPages GRC Platform                 6.2.1                         May 19, 2013
LogicManager        LogicManager                               LogicManager 13               June 2013
Mega International  Mega GRC Solutions                         V1R1                          June 2013
MetricStream        MetricStream GRC Platform                  6.1                           September 2012
Modulo              Modulo Risk Manager                        Version 8.2                   July 1, 2013
Nasdaq OMX BWise    Nasdaq OMX BWise                           4.1.4                         June 2013
Protiviti           Governance Portal                          4                             October 2012
Resolver            GRC Cloud                                  7.1                           June 2013
Rsam                Rsam GRC Platform                          Version 8                     May 2013
SAI Global          Compliance 360                             2013.1                        March 2013
SAP                 SAP Risk Management, SAP Process Control   Version 10.1                  July 2013
SAS                 SAS Enterprise GRC                         6.1                           Q2 2013
The Network         The Integrated GRC Suite                   2013.6                        June 28, 2013
Thomson Reuters     Accelus Enterprise GRC                     Version 4.4                   April 2012
                    Accelus Risk Manager                       Version 4.7                   October 2012
Wynyard Group       Wynyard Risk Management                    8.3                           March 2013
Evaluation Analysis
The evaluation uncovered a market in which (see Figure 2):
The Leaders all show great flexibility and ability to support
different GRC domains. EMC RSA, Enablon, IBM, MetricStream, Nasdaq
OMX BWise, and Rsam earned a spot in the Leaders category by
focusing on their breadth of capabilities and flexibility to
address new and changing requirements. A common Leader
characteristic is the ability to successfully support a wide range
of different GRC domains and functions.
Strong Performers are relevant for many important use cases.
Agiliance, CMO Compliance, LogicManager, Mega, Modulo, Protiviti,
Resolver, SAI Global, SAP, Thomson Reuters, and Wynyard may not
have the same breadth of capabilities as the Leaders, but they
rightfully win business over the Leaders on a fairly regular basis.
For many customer needs or specific scopes of implementation,
vendors in this category are the best choice to solve many key GRC
challenges.
The Contenders will give other GRC vendors strong competition in their areas of specialty. SAS Institute and The Network both have certain capabilities unmatched by the other vendors in this evaluation and will continue to win deals in the GRC space. They still have work to do to build out their breadth of capabilities enough to be considered comprehensive GRC platforms, but if they continue with their current level of commitment, they'll be important vendors in the market.
This evaluation of the GRC platform market is intended to be a
starting point only. We encourage clients to view detailed product
evaluations and adapt criteria weightings to fit their individual
needs through the Forrester Wave Excel-based vendor comparison
tool.
Figure 2 Forrester Wave: Governance, Risk, And Compliance Platforms, Q1 '14
Source: Forrester Research, Inc.
Go online to download the Forrester Wave tool for more detailed product evaluations, feature comparisons, and customizable rankings.
[Figure 2 graphic: vendors plotted with Strategy (weak to strong) on the horizontal axis and Current offering (weak to strong) on the vertical axis, divided into Risky Bets, Contenders, Strong Performers, and Leaders; bubble size indicates market presence, and a separate marker distinguishes incomplete vendor participation from full participation. Plotted vendors: Agiliance, CMO Compliance, EMC RSA, Enablon, IBM, LogicManager, Mega, MetricStream, Modulo, Nasdaq OMX BWise, Protiviti, Resolver, Rsam, SAI Global, SAP, SAS Institute, The Network, Thomson Reuters, and Wynyard.]
Figure 2 Forrester Wave: Governance, Risk, And Compliance Platforms, Q1 '14 (Cont.)
Source: Forrester Research, Inc.

All scores are based on a scale of 0 (weak) to 5 (strong). Forrester's weighting for each criterion is given in parentheses. Market presence carries 0% weight in the ranking; it sets the bubble size on the graphic. This part of the scorecard covers Agiliance through Nasdaq OMX BWise; the remaining vendors follow in the continuation of this figure.

Current offering (50%). Sub-criteria: CM = Content management (15%), RC = Risk and control management (15%), WF = Workflow management (15%), MA = GRC management and analytics (15%), AU = Audit management (10%), BD = GRC breadth and depth (10%), DS = Domain-specific support (0%), TF = Technical functionality (20%).

Vendor              Total   CM    RC    WF    MA    AU    BD    DS    TF
Agiliance           3.30   3.00  4.20  3.00  3.50  1.35  3.00  0.00  4.05
CMO Compliance      3.18   4.00  2.70  3.00  2.50  3.70  2.40  0.00  3.70
EMC RSA             4.09   4.25  4.60  3.00  4.00  3.65  5.00  0.00  4.25
Enablon             3.98   3.75  4.20  4.00  4.00  4.35  3.00  0.00  4.25
IBM                 3.91   3.50  4.60  4.00  4.50  4.35  3.80  0.00  3.00
LogicManager        2.68   1.75  3.20  3.00  2.50  3.05  1.60  0.00  3.25
Mega                3.69   2.50  4.80  5.00  4.00  4.00  2.80  0.00  2.80
MetricStream        4.79   4.75  5.00  5.00  4.50  4.65  5.00  0.00  4.70
Modulo              3.45   2.75  4.20  4.00  3.00  2.40  3.80  0.00  3.70
Nasdaq OMX BWise    4.34   4.75  4.70  3.00  4.50  4.65  3.80  0.00  4.75

Strategy (50%). Sub-criteria: CV = Company vision and strategy (40%), PV = Product vision and strategy (20%), GR = Support for GRC roles (10%), CR = Customer references (30%).

Vendor              Total   CV    PV    GR    CR
Agiliance           2.81   2.30  3.40  3.05  3.00
CMO Compliance      3.25   3.00  4.20  3.05  3.00
EMC RSA             4.06   4.70  3.00  3.75  4.00
Enablon             3.57   3.30  2.60  4.10  4.40
IBM                 3.39   3.70  3.60  4.05  2.60
LogicManager        3.42   2.30  4.20  3.40  4.40
Mega                2.45   2.30  2.20  3.70  2.40
MetricStream        4.15   5.00  3.60  4.40  3.30
Modulo              3.06   3.00  2.20  2.75  3.80
Nasdaq OMX BWise    4.36   4.00  3.80  5.00  5.00

Market presence (0%). Sub-criteria: FV = Financial viability (35%), CB = Customer base (35%), SS = GRC staff size (15%), GP = Global presence (15%).

Vendor              Total   FV    CB    SS    GP
Agiliance           1.74   1.50  1.75  2.00  2.00
CMO Compliance      1.95   1.50  1.50  2.00  4.00
EMC RSA             4.43   5.00  4.00  5.00  3.50
Enablon             2.88   2.50  2.50  4.00  3.50
IBM                 3.51   5.00  2.25  3.00  3.50
LogicManager        2.38   1.50  4.00  1.00  2.00
Mega                2.64   2.00  2.75  2.00  4.50
MetricStream        3.40   4.00  2.50  5.00  2.50
Modulo              3.41   3.50  3.25  4.00  3.00
Nasdaq OMX BWise    4.50   5.00  4.00  5.00  4.00
Figure 2 Forrester Wave: Governance, Risk, And Compliance Platforms, Q1 '14 (Cont.)
Source: Forrester Research, Inc.

All scores are based on a scale of 0 (weak) to 5 (strong). Forrester's weighting for each criterion is given in parentheses; market presence carries 0% weight in the ranking. This part of the scorecard covers Protiviti through Wynyard.

Current offering (50%). Sub-criteria: CM = Content management (15%), RC = Risk and control management (15%), WF = Workflow management (15%), MA = GRC management and analytics (15%), AU = Audit management (10%), BD = GRC breadth and depth (10%), DS = Domain-specific support (0%), TF = Technical functionality (20%).

Vendor              Total   CM    RC    WF    MA    AU    BD    DS    TF
Protiviti           3.45   3.50  4.60  3.00  3.00  4.30  3.00  0.00  3.00
Resolver            3.56   3.00  4.50  5.00  2.50  3.70  3.00  0.00  3.20
Rsam                4.23   3.75  5.00  5.00  4.50  3.70  3.60  0.00  3.80
SAI Global          2.85   3.50  3.60  3.00  2.50  3.00  2.40  0.00  2.10
SAP                 3.48   1.75  4.30  4.00  4.50  3.40  3.80  0.00  2.90
SAS Institute       2.69   1.25  3.60  3.00  3.50  2.70  2.40  0.00  2.40
The Network         2.11   4.50  1.50  3.00  0.50  0.70  0.60  0.00  2.75
Thomson Reuters     3.11   2.75  3.30  4.00  2.50  4.00  3.00  0.00  2.65
Wynyard             3.31   2.50  4.00  4.00  3.50  3.00  3.00  0.00  3.05

Strategy (50%). Sub-criteria: CV = Company vision and strategy (40%), PV = Product vision and strategy (20%), GR = Support for GRC roles (10%), CR = Customer references (30%).

Vendor              Total   CV    PV    GR    CR
Protiviti           2.56   3.30  1.80  4.00  1.60
Resolver            2.40   2.30  4.20  3.40  1.00
Rsam                3.90   3.70  4.40  3.40  4.00
SAI Global          3.18   3.70  2.60  3.70  2.70
SAP                 3.45   4.00  2.00  3.70  3.60
SAS Institute       2.07   2.30  2.40  2.80  1.30
The Network         2.63   1.70  4.20  3.00  2.70
Thomson Reuters     3.38   4.00  3.00  3.95  2.60
Wynyard             3.67   3.30  4.20  3.05  4.00

Market presence (0%). Sub-criteria: FV = Financial viability (35%), CB = Customer base (35%), SS = GRC staff size (15%), GP = Global presence (15%).

Vendor              Total   FV    CB    SS    GP
Protiviti           2.14   2.50  1.25  2.00  3.50
Resolver            2.00   1.50  2.50  2.00  2.00
Rsam                2.09   2.00  2.25  2.00  2.00
SAI Global          2.91   3.50  2.25  3.00  3.00
SAP                 4.28   4.50  4.50  3.00  4.50
SAS Institute       2.40   3.00  1.50  2.00  3.50
The Network         2.54   2.00  3.75  2.00  1.50
Thomson Reuters     4.05   4.50  4.50  3.00  3.00
Wynyard             2.81   2.50  2.75  2.00  4.50
Vendor Profiles
Leaders
MetricStream is growing quickly and demonstrating impressive product enhancements. MetricStream's vision is to embed GRC in the day-to-day functions of all employees, and its strategy reflects this broad vision by targeting a wide range of industries, users, and use cases. MetricStream offers great capabilities in content management, risk and control management, workflow management, GRC management and analytics, and GRC breadth and depth. The MetricStream GRC platform provides high-level building blocks with reusable code libraries for customers, partners, or MetricStream staff to design and configure applications in line with specific GRC needs. The company's fast growth is a disruptive force in the market, and its continued success will depend on its ability to maintain customer satisfaction amid that growth.
BWise once again shows strengths in all major criteria. A Nasdaq OMX company, BWise's strengths shone in content management, risk and control management, GRC management and analytics, audit management, and technical functionality. The BWise platform has impressive document management capabilities and offers integration with other relevant technologies such as Nasdaq's whistleblower, board management, transaction monitoring, and media monitoring products. As BWise continues to integrate with the Nasdaq OMX technology ecosystem, it will ultimately become a lot more focused on solving the biggest challenges related to corporate governance. At this point, however, BWise's strategy is very strong in support of all GRC roles, and it continues to earn exceptional customer satisfaction scores.
EMC RSA continues its leadership, building on its already large customer base. Archer, owned by EMC RSA, continues to be one of the biggest brands in the GRC platform market, with a strong focus on financial services and a growing emphasis on insurance, energy, and government. Archer addresses a wide range of GRC use cases, including policy, risk, compliance, audit, vendor, business continuity, and threat and incident management. It also offers an application builder to support clients and partners as they create applications to meet different GRC requirements. The company has invested heavily to expand the platform's already substantial breadth of capabilities with new Focused Solutions, and its growing customer base will assure that it remains a strong competitor in the GRC market for the foreseeable future.
Rsam is showing strong innovation and success against bigger rivals. Relatively small compared with its top GRC platform competitors, Rsam has demonstrated strong commitment to product development and innovation. The Rsam platform is a robust tool with a large number of premapped risks and controls as well as terrific integration and workflow capabilities. It's a flexible, intuitive platform with a recently redesigned user interface. The company's ability to sustain this level of competition will depend on continued product innovation and its ability to strengthen market presence through partnerships or other investments.
Enablon has quickly grown much more relevant in the GRC market. Enablon has a unique vision that incorporates support for customers' strategy, risk, performance, and sustainability efforts, and the company considers its EHS management to be one of its main differentiators in the market. Enablon offers a number of unique GRC communication and collaboration capabilities, such as its Wizness platform, which provides users a social networking experience to improve their ability to share GRC best practices and technical advice. Enablon's go-to-market strategy and product enhancements have led it beyond its historic EHS roots to address a much broader set of GRC use cases.
IBM OpenPages has historic success in and a dedicated focus on financial services. With OpenPages, IBM still maintains one of the strongest brands in the GRC platform market, and there is vast potential for the OpenPages platform to integrate with other technologies and services throughout IBM. OpenPages supports a variety of third-party content and offers
integration with IBM's Algo FIRST loss database to supplement customers' internal loss data. For advanced risk analysis, OpenPages integrates with IBM Algorithmics to provide analysis for credit, liquidity, and market risk. As these capabilities show, the company's primary focus continues to be operational risk in the financial services and insurance industries. While this has decreased OpenPages' participation in competitive deals outside of financial services, the company is currently executing plans to extend its presence in other industries as well. In the meantime, IBM OpenPages still has clear competitive advantages that will help it maintain a strong position in the market.
Strong Performers
Wynyard is a company in transition, demonstrating leadership
along the way. Formerly Methodware, Wynyard showed strength in its
risk management capabilities and strong product vision and
strategy. The company explains that it has a tight focus on
intelligence-led risk solutions, which leverage the legacy
Methodware platform and other Wynyard portfolio products, including
threat intelligence, investigation capabilities, digital forensics,
and financial crime solutions, to create a hard-to-copy,
multi-faceted solution. Wynyard went public in June 2013 and
continues to expand its strong global customer base.
SAP leverages an enormous client base and product innovations to build its leadership. Focusing on the value of automation and cost reduction, SAP is particularly well-suited for GRC management and analytics requirements, offering strong risk quantification, continuous control monitoring, and risk and control management capabilities. SAP has continued to develop its GRC portfolio, primarily by integrating with business applications and aligning with other SAP technical initiatives, such as analytics, mobile support, and the SAP HANA database. SAP's success can be seen in its very large and growing customer base, and the company expects to continue investing in the growth of its GRC business.
Modulo continues its transition into a tech vendor, impressing with innovative use cases. Modulo's vision, strategy, and execution show substantial ongoing investment as it continues to evolve from a services firm into more of a technology vendor. Although more than half of the company's revenue comes from services, it reported an outstanding 70% growth in its software business in 2013. And while the vast majority of its customers are headquartered in South America, the company is increasing its North America adoption with personnel investments and by extending its product to handle use cases well beyond its IT security roots. The solution has great GRC breadth and depth, offering strong integration capabilities and addressing vertical market needs through strategic consulting and business partners. Modulo also has some of the most diverse use cases in the market.
Thomson Reuters has strong capabilities and continues to invest
in its portfolio. Thomson Reuters demonstrates its commitment to
GRC with investments and acquisitions to strengthen
its portfolio of offerings. The product has a good depth of
functionality across the board with especially strong audit
management capabilities. While the integrations among its various
acquired products are taking time and yielding only incremental
benefits, Thomson Reuters is ultimately putting together an
impressive set of product capabilities and services that will make
it an important force in the GRC platform market.
CMO Compliance has a global presence and strong product strategy. CMO Compliance is focused on asset-intensive industries like oil and gas, energy, government, healthcare, and contractors, and its ability to target different industries is primarily based on its content partners and product flexibility. The company's offerings are tailored for regulatory compliance, enterprise risk management, environmental health and safety, quality management, and audit. Few competitors share the company's level of product vision and strategy or global presence. The company serves its target industries with more focus on environmental, health, and safety than most other vendors in this report, but still competes heavily with many of them.
Mega solves complex challenges by merging its GRC and enterprise architecture solutions. Mega's unique vision is to help customers achieve operational excellence with the combined capabilities of its enterprise architecture and GRC technologies. Mega has showcased its superb risk and control management, GRC management, and audit management capabilities. The company has shown ongoing product improvements and innovation, with a heavy focus on the financial services industry. Mega's ability to compete as a top vendor in the long term will depend largely on whether the market accepts the company's unique vision.
Agiliance has a heavy focus on IT risk management, with relevant
IT security capabilities. Agiliance primarily markets to IT
security and IT risk management organizations, with its strongest
capabilities being risk management, reporting and analytics, and
integration. The company touts its key differentiators as offering
quick time-to-value, scalability, and ability to connect its
platform with other IT and security products. Agiliance is a
frequent participant and winner in various industry award
competitions; however, it seems to have fallen behind its closest
competitors in product advancements and competition in large GRC
deals. Still fairly small compared with most Leaders and other
Strong Performers, Agiliance's future success will depend largely on
how well its large IT partners leverage their relationship and how
well its solutions live up to its claims of fast time-to-value.
LogicManager focuses on ERM, competing on price, ease, and
flexibility. LogicManager is still a relatively small vendor, with
a clear vision to address enterprise risk management and related
functions from the top down and bottom up, as well as a goal to
deliver solutions that are easy and fast to implement. LogicManager
aims to make its GRC platform flexible enough so customers do not
need to customize through professional services, except in rare
instances. While it does not have the strongest offering across the
board, third-party partnerships allow users to fill in additional
capabilities. LogicManager's competitive advantages are largely
based on
its approach to ERM, its range of content partners, its
comparatively lower price, and the professional services offered
standard as part of the software license.
SAI Global extends to new verticals by leveraging more internal
assets. SAI Global's GRC business has a legacy of strong performance
targeting the healthcare and insurance industries, with specialized
content and purpose-built solutions. The Compliance 360 platform
has solid capabilities in content management and risk and control
management, with growing proficiency across a variety of verticals.
While SAI Global will continue to be a force in the general
compliance market, the company's ability to continue competing in
the GRC platform market depends on its ability to leverage
partnerships with organizations like ErmsCo, to configure the
product to address a wider range of industries and use cases, and
to leverage more value from other SAI Global assets.
Protiviti, known for consulting, offers a product that competes
on its own merit. Protiviti is most relevant in the GRC market
because of the combination of its technical offerings and its
breadth of consulting capabilities; however, the company's GRC
platform is a worthy competitor in its own right. The company has
shown ongoing improvement in product capabilities, vertical
solutions, and content developed internally and with partners.
Protiviti's ability to compete relies primarily on its ability to
target implementations that suit its strengths in audit, policy and
control management, and consulting expertise.
Resolver goes to market with a cohesive strategy on top of its
merged GRC capabilities. Formed by the merger of BPS and Resolver
in January 2010, Resolver brings together the former's strength in
supporting GRC processes in financial services with the latter's
pedigree in risk management implementations for utility and natural
resource companies. Somewhat smaller than many of its closer
competitors, Resolver offers a unified solution with the
flexibility to be configured to meet unique organizational needs.
Resolver's strength is in its powerful workflow management and audit
management capabilities. While it has a broad vertical strategy,
steady growth, and a focus on ease-of-use product offerings,
Resolver will have to execute extremely well to maintain and grow
its competitive position.
Contenders
SAS offers a state-of-the-art analytics engine, but governance
and compliance fall short. One of the core differentiating
capabilities of SAS GRC is its ability to measure and quantify
risk, and the company primarily competes in deals that have a heavy
emphasis on risk analytics or requirements to aggregate both
financial and operational risk. The company is developing a
noticeable presence in the GRC market despite still being a
relatively new entrant, and there is a visible commitment to
introducing additional products related to GRC. SAS will maintain
competitive advantages in these deals but still needs work to
compete for broad enterprise GRC deals.
The Network offers an impressive compliance solution, but little
else. The Network is a new entrant into the GRC space, and its
go-to-market strategy is to address compliance challenges relevant
to a wide range of organizations, with flexibility to support
industry-specific compliance initiatives when necessary. While
lacking some key GRC platform components, The Network's core GRC
capabilities focus on its full content management functionality and
workflow management. The company will need to start building out
more of its risk and analytics capabilities to contend as a
comprehensive GRC solution, but in the meantime, it will still
challenge GRC platform competitors in a large number of deals.
SUPPLEMENTAL MATERIAL
Online Resource
The online version of Figure 2 is an Excel-based vendor
comparison tool that provides detailed product evaluations and
customizable rankings.
Data Sources Used In This Forrester Wave
Forrester used a combination of four data sources to assess the
strengths and weaknesses of each solution:
Vendor surveys. Forrester surveyed vendors on their capabilities
as they relate to the evaluation criteria. Following the analysis
of the completed vendor surveys, we compiled the results to
supplement our analysis.
Product demos. We asked vendors to conduct demonstrations of
their products' functionality. We used findings from these product
demos to validate details of each vendor's product capabilities.
Product sandbox environments. We asked vendors to provide us with
an environment where we could evaluate different aspects of the
application ourselves. The vendors created user profiles with
sample organizational data and made the environments available to
us for a limited window of time as part of our evaluation
process.
Customer reference calls. To validate product and vendor
qualifications, Forrester also conducted reference surveys and
calls with 3 of each vendor's current customers.
The Forrester Wave Methodology
We conduct primary research to develop a list of vendors that
meet our criteria to be evaluated in this market. From that initial
pool of vendors, we then narrow our final list. We choose these
vendors based on: 1) product fit; 2) customer success; and 3)
Forrester client demand. We eliminate vendors that have limited
customer references and products that don't fit the scope of our
evaluation.
After examining past research, user need assessments, and vendor
and expert interviews, we develop the initial evaluation criteria.
To evaluate the vendors and their products against our set of
criteria, we gather details of product qualifications through a
combination of sandbox evaluations, questionnaires, demos, and/or
discussions with client references. We send evaluations to the
vendors for their review, and we adjust the evaluations to provide
the most accurate view of vendor offerings and strategies.
We set default weightings to reflect our analysis of the needs
of large user companies and/or other scenarios as outlined in the
Forrester Wave document and then score the vendors based on a
clearly defined scale. These default weightings are intended only
as a starting point, and we encourage readers to adapt the
weightings to fit their individual needs through the Excel-based
tool. The final scores generate the graphical depiction of the
market based on current offering, strategy, and market presence.
Forrester intends to update vendor evaluations regularly as product
capabilities and vendor strategies evolve. For more information on
the methodology that every Forrester Wave follows, go to
http://www.forrester.com/marketing/policies/forrester-wave-methodology.html.
Integrity Policy
All of Forrester's research, including Forrester Waves, is
conducted according to our Integrity Policy. For more information,
go to
http://www.forrester.com/marketing/policies/integrity-policy.html.
Methodology
Forrester fielded its Q3 2013 Global Governance, Risk, And
Compliance Platforms Forrester Wave Customer Reference Online
Survey to 66 individuals who are current clients of the vendors
included in our Forrester Wave evaluation. Each vendor was asked to
supply a minimum of 3 customers. For quality assurance, panelists
are required to provide contact information and answer basic
questions about their firm's usage of the product, revenue, and
budgets.
Forrester fielded the survey from July 2013 to August 2013.
Respondent incentives included a copy of the published
research.
ENDNOTES
1 Source: Q3 2013 Global Governance, Risk, And Compliance Platforms
Forrester Wave Customer Reference Online Survey.
2 First, change the Current Offering to 80% and Strategy to 20%.
Then change the criteria weightings as follows: Content management
(50%), Document management (34%), Content distribution and
communication (33%), Employee input (33%), Risk and control
management, and all subcriteria (0%), Workflow management (0%), GRC
management and analytics (5%), Risk quantification and analysis
(0%), Dashboard capabilities and reporting (100%), Audit management
and all subcriteria (0%), GRC breadth and depth and all subcriteria
(0%), Domain-specific support (25%), CSR and environmental risk
management (20%), Corporate compliance management and training
(80%), Technical functionality (20%), Integration capabilities
(5%), Organizational context (5%), Collaboration and communication
support (25%), End user experience (45%), Access management (0%),
Language support (25%), Company vision and strategy (10%), Vertical
strategy (30%), Sustainability of competitive advantages (70%),
Product vision and strategy (20%), Implementation and maintenance
costs (40%), Delivery models (20%), Product version support and
custom code (40%), Support GRC roles (40%), Ability to support
governance roles (20%), Ability to support risk management roles
(0%), Ability to support compliance roles (80%).
3 First, change the Current Offering to 80% and Strategy to 20%.
Then change the criteria weightings as follows: Content management
(5%), Document management (80%), Content distribution and
communication (20%), Employee input (0%), Risk and control
management (15%), risk and control mapping (65%), Risk and control
measurement (10%), Manual assessment capabilities (5%), Control
monitoring and enforcement (20%), Workflow management (5%), GRC
management and analytics (15%), Risk quantification and analysis
(30%), Dashboard capabilities and reporting (70%), Audit management
(5%), Audit data integration (60%), Work paper management (35%),
Audit resource and project management (5%), GRC breadth and depth
(10%), Flexibility to address use cases (50%), Overall breadth and
depth of GRC domain support (50%), Domain-specific support (25%),
IT GRC (60%), Financial controls management (0%), Third-party risk
management (40%), CSR and environmental risk management (0%),
Corporate compliance management and training (0%), Technical
functionality (20%), Integration capabilities (60%), Organizational
context (10%), Collaboration and communication support (5%), End
user experience (5%), Access management (0%), Language support
(20%), Company vision and strategy (40%), Vertical strategy (30%),
Sustainability of competitive advantages (70%), Product vision and
strategy (20%), Implementation and maintenance costs (40%),
Delivery models (20%), Product version support and custom code
(40%), Support GRC roles (10%), Ability to support governance roles
(30%), Ability to support risk management roles (35%), Ability to
support compliance roles (35%).
4 First, change the Current Offering to 80% and Strategy to 20%.
Then change the criteria weightings as follows: Content management
(10%), Document management (40%), Content distribution and
communication (40%), Employee input (20%), Risk and control
management (10%), risk and control mapping (30%), Risk and control
measurement (30%), Manual assessment capabilities (30%), Control
monitoring and enforcement (10%), Workflow management (10%), GRC
management and analytics (10%), Risk quantification and analysis
(50%), Dashboard capabilities and reporting (50%), Audit
management
(5%), Audit data integration (35%), Work paper management (35%),
Audit resource and project management (30%), GRC breadth and depth
(5%), Flexibility to address use cases (100%), Overall breadth and
depth of GRC domain support (0%), Domain-specific support (30%), IT
GRC (0%), Financial controls management (100%), Third-party risk
management (0%), CSR and environmental risk management (0%),
Corporate compliance management and training (0%), Technical
functionality (20%), Integration capabilities (20%), Organizational
context (30%), Collaboration and communication support (10%), End
user experience (30%), Access management (0%), Language support
(10%), Company vision and strategy (30%), Vertical strategy (0%),
Sustainability of competitive advantages (100%), Product vision and
strategy (25%), Implementation and maintenance costs (40%),
Delivery models (20%), Product version support and custom code
(40%), Support GRC roles (10%), Ability to support governance roles
(30%), Ability to support risk management roles (35%), Ability to
support compliance roles (35%).
5 Source: Q3 2013 Global Governance, Risk, And Compliance
Platforms Forrester Wave Customer Reference Online Survey.
Forrester Research (Nasdaq: FORR) is a global research and
advisory firm serving professionals in 13 key roles across three
distinct client segments. Our clients face progressively complex
business and technology decisions every day. To help them
understand, strategize, and act upon opportunities brought by
change, Forrester provides proprietary research, consumer and
business data, custom consulting, events and online communities,
and peer-to-peer executive programs. We guide leaders in business
technology, marketing and strategy, and the technology industry
through independent fact-based insight, ensuring their business
success today and tomorrow.
106501
Forrester Focuses On Security & Risk Professionals
To help your firm capitalize on new business opportunities safely,
you must ensure proper governance oversight to manage risk while
optimizing security processes and technologies for future
flexibility. Forrester's subject-matter expertise and deep
understanding of your role will help you create forward-thinking
strategies; weigh opportunity against risk; justify decisions; and
optimize your individual, team, and corporate performance.
Sean Rhodes, client persona representing Security & Risk
Professionals
About Forrester
A global research and advisory firm, Forrester inspires leaders,
informs better decisions, and helps the world's top companies turn
the complexity of change into business advantage. Our
research-based insight and objective advice enable IT professionals
to lead more successfully within IT and extend their impact beyond
the traditional IT organization. Tailored to your individual role,
our resources allow you to focus on important business issues
(margin, speed, growth) first, technology second.
For More Information
To find out how Forrester Research can help you be successful
every day, please contact the office nearest you, or visit us at
www.forrester.com. For a complete list of worldwide locations,
visit www.forrester.com/about.
Client Support
For information on hard-copy or electronic reprints, please
contact Client Support at +1 866.367.7378, +1 617.613.5730, or
[email protected]. We offer quantity discounts and
special pricing for academic and nonprofit institutions.