Wednesday, October 23, 2013

Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms

The enterprise governance, risk and compliance (EGRC) platform marketplace is maturing, and the experience of the users of EGRC platform solutions is deepening and getting broader. Taking into account this maturity and the increasing professional expertise of governance, risk and compliance (GRC) users, this year's Magic Quadrant analysis placed much more emphasis on reference customer feedback and market expectations. Gartner also has based the product evaluation criteria more on the ability of the vendors to address key use cases than on features and functions. As a result of these changes, the Magic Quadrant ratings better reflect the expectations that buyers in the market have, as well as vendor performance in meeting a globally diverse and growing market. These modified criteria have resulted in significant shifts in the positions of many vendors compared with the 2012 Magic Quadrant.
GRC as a marketplace can be broadly divided between GRC management (GRCM) products for the oversight and operation of risk management and compliance programs, and other GRC products for the automation and monitoring of controls. For a comprehensive description of the GRC marketplace, see "A Comparison Model for the GRC Marketplace, 2011 to 2013." Instead of acquiring separate solutions for finance, IT and other business units, many enterprises choose a single EGRC platform. When a single solution is not feasible, they may still integrate data from the many point and functional solutions to provide a GRC system of record for a single version of the truth. Reporting and managing through an enterprise GRC platform can give executives, auditors and managers a holistic view of the enterprise's risk and compliance postures, as well as views sorted by requirement, entity and geography. As the EGRC platform market continues to mature, most vendors are seeking to meet these new demands through an integrated platform with core modules for risk management, compliance and policy management, audit management, and regulatory change management; customers can grow into the solution through the phased implementation of interoperable modules. As the platform is more clearly defined, several vendors are beginning to develop industry- and function-specific applications that are overlaid on one or more of the core modules of the platform. Examples of these applications include privacy, anti-bribery compliance, business continuity management (BCM), PCI compliance, conflict minerals, Basel II, Solvency II, third-party risk management and many others.
The primary purpose of the EGRC platform is to automate much of the work associated with the documentation and reporting of risk management and compliance activities that are most closely associated with corporate governance and strategic business objectives. The primary end users include internal auditors and the audit committee, risk and compliance managers, legal professionals, and accountable business process owners. The key functions of importance to these groups are:
  • Risk management: Supports risk management professionals with the documentation, workflow, assessment and analysis in terms of business impact, reporting, visualization and remediation of risks. Supports business planners and analysts with analysis of risk-adjusted performance. The risk management component is generalized and can be applied to several risk management use cases, such as IT risk management and operational risk management; however, it may collect data from specialized risk analytics such as credit risk management and market risk management tools to provide a consolidated view of ERM. Many industry-specific risk management requirements may not be supported. For example, many banks require highly specialized capabilities for Basel II compliance. Only a few EGRC platform vendors support the operational risk management (ORM) needs of banking with advanced risk analytics. Instead, most vendors prefer to integrate the platform with specialized analytics solutions from other vendors.
  • Audit management: Supports internal auditors in developing the long-range audit plan, planning and executing individual audits, scheduling audit-related tasks, and managing work papers, time management and reporting.
  • Compliance and policy management: Supports compliance professionals with the documentation, workflow, reporting and visualization of controls objectives, controls and associated risks, surveys and self-assessments, attestation, testing, and remediation. At a minimum, compliance management will include financial reporting compliance (Sarbanes-Oxley [SOX] compliance), and also will support other types of compliance, such as ISO 9000, PCI, industry-specific regulations, SLAs, trading partner requirements and compliance with internal policies. This function includes a specialized form of document management that enables the policy life cycle from creation to review, change and archiving of policies; the mapping of policies to mandates and business objectives in one direction, and risks and controls in another; and the distribution to and attestation by employees and business partners.
  • Regulatory change management: Supports the ability to respond to changes in regulations. When a rule is changed or a new one emerges, it enables a business impact analysis and supports the management of the changes to related processes, controls, risk assessments, rule books and policies.
  • Incident or case management: Is used to track the occurrence and resolution of incidents, completely documenting investigations into legal matters and regulated activities. These tools are typically intended for the support of specific types of investigations, including HR; environmental, health and safety (EH&S); money laundering; fraud; and forensics. They may also be used to manage the resolution of significant audit findings and risk and control failures.
The EGRC platform can be integrated with business applications such as the general ledger, business intelligence (BI), enterprise content management, controls automation, monitoring solutions (such as segregation of duties), IT technical controls (such as server configuration auditing) and continuous controls monitoring (CCM) for transactions. The EGRC platform also integrates with specialized GRCM solutions, such as EH&S compliance, IT GRC management, quality management and industry GRCM applications.
The GRC market is nine years old, and buyers have high expectations for the performance of GRC solutions against a wide variety of use cases. Differentiation today is about the ability to deliver against multiple use cases, and provide advanced risk management functionality, with analysis of the impact of risks on strategic objectives and business performance, domain expertise in multiple highly regulated industries, ease of use — including mobile capabilities — and configurability.

Magic Quadrant

Vendor Strengths and Cautions

CMO Compliance

CMO Compliance is headquartered in London, with offices in the U.K., the U.S. and Australia. CMO Compliance 8.0 was the current version of the EGRC platform at the time of vendor evaluation for this Magic Quadrant.
  • With a legacy in EH&S compliance, CMO Compliance also has strong EGRC capabilities for asset-intensive industries such as heavy manufacturing, oil and gas, transportation and logistics, and utilities.
  • Its mobile capabilities surpass those of any other EGRC platform vendor, and enable a tablet user to access most functionality that would be available on a desktop — online and offline.
  • CMO Compliance has strengths in integrated performance and risk management, and several customers reported using the platform for strategic planning and assessing the impact of risks on strategic business objectives, mapping key risk indicators (KRIs) to key performance indicators (KPIs), assessing risk-adjusted performance, and doing balanced scorecard reports.
  • The vendor has above-average capability to support regulatory change management, including offering a customizable regulatory tracking and update service to customers. Incident management is also a strength, including investigations support.
  • Customers consistently rate CMO Compliance as exceeding expectations in a broad range of use cases.
  • CMO Compliance has good support in North America, Europe and the Asia/Pacific region, and is developing a stronger presence in South Africa.
  • Although banks and insurance firms that operate in remote areas may find the mobile and offline capabilities useful, CMO Compliance currently does not have the full breadth of financial services (FS) domain expertise to be competitive as a comprehensive EGRC solution for FS. It does, however, support FS customers with regulatory change management.
  • While CMO Compliance has good support and sales capacity, it is growing rapidly. To keep up with this growth, it will need to not only increase its organic support capabilities, but also develop more extensive partnerships with consultancies and system integrators.
  • As the company is transitioning from a small player to a more significant one, it needs to develop a more formal road map. Since GRC is a program and not a one-time implementation, prospective customers should press CMO Compliance to demonstrate how the road map will support their plans.

EMC (RSA Archer)

RSA, The Security Division of EMC, is headquartered in the U.S. and has global sales and support. RSA Archer Platform 5.2 was the current version of the EGRC platform at the time of the evaluation.
  • RSA Archer has an extremely loyal customer base within the IT GRC market, and is included in the "MarketScope for IT Governance, Risk and Compliance Management." The lobbying effort of this base enables RSA to open doors within the rest of the enterprise.
  • RSA provides excellent support and moderation for user communities, and has best-in-class capabilities for integrating users into the development process.
  • This is a very flexible and comprehensive GRC offering. RSA has developed the concept of focused solutions that overlay workflows and content on existing modules to address industry- or function-specific requirements. For instance, RSA has rolled out a regulatory change management solution, and it is using focused solutions to add additional risk analytics capabilities. RSA is executing well against an extensive road map for focused solutions and enhancements to the core modules.
  • Customer references report using RSA Archer in a very broad range of use cases. Several use cases were rated as exceeding expectations, and only a few were rated as failing to meet expectations. Almost all customers reported using RSA Archer for IT risk management (ITRM), reflecting the ongoing strength in IT GRC.
  • Several customers reported using RSA Archer for integrated performance and risk management, including strategic planning and assessing the impact of risks on strategic business objectives, mapping KRIs to KPIs, and assessing the impact of risks on operational performance.
  • RSA Archer maintains extensive content libraries, including standards and frameworks as well as regulations. It has dedicated staff to keep these libraries up-to-date.
  • The pricing model uses annual licensing, and its components are open and transparent. Discounting is more common than it used to be.
  • RSA Archer is also strong in BCM, and is included in the "Magic Quadrant for Business Continuity Management Planning Software."
  • Although RSA Archer promotes that zero custom code is needed to get started, most customers report significant customization in their implementations. One customer reference noted that it was moving away from customization because it interfered with the ability to take advantage of upgrades.
  • With 10 primary modules, on-demand applications and a growing number of focused solutions, the price of RSA Archer escalates quickly. Most customers will find that regardless of their role or purpose, at least three modules will be needed, and focused solutions will add to that. Most module pricing includes one on-demand application license, but customers who want to build out their own targeted capabilities will buy more. Customers will find themselves paying for more annual licenses than with other vendors. On the other hand, it is not as if pricing is hidden — the RSA Archer pricing model is open and transparent.
  • Focused solutions are priced in three tiers — Tier 1 is the most expensive due to the solution being more complex and having more support. For the second and third tiers, customers should not expect to receive the same level of ongoing improvements and upgrades.
  • Several customer references noted that RSA Archer support was slow in responding to requests.

Enablon

Enablon is headquartered in Paris, with offices in France, the U.S., Canada, Spain, and the U.K. Enablon 6.0 was the current version of the EGRC platform at the time of the evaluation.
  • Enablon has strong capabilities for asset-intensive industries such as heavy manufacturing, oil and gas, mining, and construction. It also has support for FS risk management and compliance.
  • Enablon has demonstrated some of the best examples of linking business performance, risk management and compliance. Customers reported using the platform for several integrated performance and risk management use cases, including strategic planning and assessing the impact of risks on strategic business objectives, mapping KRIs to KPIs, and calculating risk-adjusted performance.
  • Linking sustainability performance to business performance is a strength, as are incident management — including support for investigations — and supplier management.
  • Enablon provides a large number of prepackaged analytical methods that address risk management, sustainability, and business performance requirements. As the enterprise GRC platform market looks for solutions that support integrated performance and risk management, Enablon has been able to gain traction.
  • Enablon maintains and moderates a strong user community, enabling customers to network and share.
  • Enablon's product is typically implemented with little customization, and customers report that it meets or exceeds expectations in most use cases.
  • If Enablon continues to execute well on its EGRC strategy and improves sales execution in regions beyond Europe, it could work its way into the Leaders quadrant.
  • While clearly committed to the enterprise GRC market, Enablon's overall focus remains on its larger business of EH&S compliance.
  • Many customers report that implementation takes a long time — some of these were large, complex implementations. Half of the customer references noted that the software is not easy to configure. A few customers expressed dissatisfaction with ongoing support.
  • Presence outside of North America and Europe is less than might be expected for a vendor focused on heavy asset industries. Prospective customers in other regions should press Enablon on how it will support them. Enablon is focusing more on investments in Australia and New Zealand and has a number of new customers there.

IBM (OpenPages)

IBM, headquartered in the U.S., provides global sales and support. OpenPages GRC Platform 6.2 was the current version of the EGRC platform at the time of the evaluation.
  • OpenPages is very strong in supporting the needs of financial services institutions, including support for operational risk management for Basel II/III and Solvency II, and that has been enhanced further with integration of the Algo First loss event content.
  • OpenPages is built on Cognos, which gives it strong analytics and reporting functionality. Improvements in integration with Algorithmics for risk modeling and SPSS for business data analytics should offer strong capabilities for integrated performance and risk management.
  • OpenPages demonstrated functional strengths in risk management and audit management. It also had a differentiating scenario analytics capability that easily can be used by a nonexpert.
  • IBM Global Services has developed capabilities to implement OpenPages, and OpenPages also has strong partnerships with many large consultancies. For example, PwC, KPMG, Ernst & Young and Deloitte have large numbers of consultants trained on OpenPages.
  • Rather than sell module by module, OpenPages licenses the entire platform, enabling users to pick and choose among all of its functional capabilities.
  • For four years, OpenPages has focused its growth strategy on large FS deals. As large FS buyers are few and far between, the growth rate at OpenPages has not kept up with some of the other leaders. While OpenPages does have a large number of clients in other industries, including energy and utilities, healthcare, manufacturing, telecom and IT, it has not focused on growth in these areas. This is the primary reason IBM has moved down in the Leaders quadrant compared with other vendors. OpenPages will need to add further industry domain expertise and make its solutions easier to deploy in order to grow further into manufacturing and other industries, as well as into Tier 2 banking. Its strategy to broaden the base of industry coverage will rely on what it calls "standard solutions"; these will enable delivery of industry- and function-specific capabilities overlaid on the core OpenPages modules, which should help growth into other industries.
  • Considering OpenPages' ability to integrate with other IBM analytics solutions, it was notable that only one customer reference reported a use case for integrated performance and risk management.
  • OpenPages has not taken full advantage of the reach and breadth of IBM's sales force to expand sales across multiple industries and to midtier buyers, perhaps because of the strong focus on large FS deals.
  • Several customers reported long implementation times, which is not unusual for large FS implementations.

Mega International

Mega International is headquartered in Paris, with offices in France, the U.K., Italy, Germany, the U.S., Mexico, Morocco, Singapore and Japan, and affiliated distributors in several other countries. The Hopex platform 1.0 was the current version at the time of the evaluation.
  • Mega continues to evolve its EGRC platform, with a strong concentration on business architecture. Mega's business architecture focus emanates from its roots as an enterprise architecture software provider and serves as a key differentiator for its EGRC product. Management has successfully executed a transition over the past three years from a service-oriented firm to one with a focus on software sales.
  • In early 2013, Mega released a new platform called Hopex for its GRC and enterprise architecture solutions. The ability to model and analyze the impact of risks and controls on processes and key performance indicators is a strength for Mega. Hopex also has a much simpler user interface than earlier solutions.
  • Mega has focused on the FS market, and has strong capabilities to support operational risk management, Basel II/III and Solvency II. Mega is also making inroads into manufacturing, where its architectural orientation is an asset. Its audit management solution is also strong.
  • Customers report that the time to implement and time to value are relatively short.
  • Mega has grown its presence in North America to equal that in Europe. It has also had significant growth in Asia/Pacific.
  • The marketing of Hopex focuses on the benefits of integrating GRC with enterprise architecture. This feature may intrigue enterprise architects. However, to propel its sales growth and enter the Leaders quadrant, Mega will need to develop marketing that targets senior business and risk management executives.
  • Customers did not report using Mega broadly, but mostly on a narrow range of use cases. Mega needs a wider breadth of prepackaged solutions that can enable a greater range of use cases for its customers.
  • Even though it has clear capabilities to support integrated performance and risk management, it is notable that only one customer reference reported a use case for that purpose. This is further evidence that Mega needs to develop the marketing and reach to senior business and risk management executives.
  • Several customers reported that significant customization was required, an issue that, based on what was demonstrated to Gartner, may be relieved by the Hopex platform.

MetricStream

MetricStream, headquartered in Palo Alto, California, has offices in the U.S., Canada, the U.K., Switzerland, France, Italy, Australia, the United Arab Emirates (UAE) and India. MetricStream 6.0 was the current version of the EGRC platform at the time of the evaluation.
  • MetricStream 6.0 offers a broad-based EGRC platform to a wide range of customers across a number of industry verticals. It continues to grow organically in multiple regions, and recently acquired Certus, another EGRC platform vendor.
  • MetricStream takes a flexible approach that concentrates on providing customers with the specific capabilities that they are looking for. This strategy has enabled MetricStream to build a large client base across a number of industries.
  • In its efforts to maintain a flexible approach for its customers and minimize customization, during the past two years, MetricStream has focused on a standard application studio on which it can build scores of replicable applications for specific industry and functional needs. It has opened its Application Studio and new Zaplet technology to partners, who can build third-party applications on the MetricStream platform. For customers, this means that MetricStream will have a portfolio of applications from itself and a partner ecosystem that will plug and play with the core platform.
  • MetricStream's global support capabilities continue to grow, with sales and support capabilities in North America, Europe and Asia/Pacific. It also has brought a number of experienced risk management professionals onboard who can work with customers to align the solutions to their risk management and compliance programs, as well as provide advice on improving those programs.
  • MetricStream is strongly competitive in the IT GRC management market and is included in the "MarketScope for IT Governance, Risk and Compliance Management." A differentiator is its vPanorama application, which enables collecting metrics on cloud-based assets. MetricStream is also strong in BCM and is included in the "Magic Quadrant for Business Continuity Management Planning Software."
  • Several MetricStream customers reported using the platform for integrated performance and risk management, including mapping KRIs to KPIs, assessing the impact of risks on strategic objectives and implementing balanced scorecard reporting.
  • MetricStream is experiencing rapid growth. Goldman Sachs and other investors injected a large amount of cash into the company in 2013 that will fund further growth and development.
  • MetricStream is transitioning from a relatively small software vendor to a major player in a growing market segment. It has had some growing pains. So far in 2013, four clients have told us of implementation issues, including gaps between what was demonstrated to the customer and what was readily available out of the box, enhancements that drive up costs beyond what was budgeted, difficulty in communicating with MetricStream implementers, unexpected rotations in the implementation team, and a perceived lack of expertise among the implementers. Most of these issues have occurred in large implementations, and customers typically express a greater degree of satisfaction once implementation is complete. MetricStream has established a process to track implementation issues, correct them, and improve its implementation processes. For now, however, customers with large implementations should be diligent and raise issues to the vendor at the earliest sign of a problem.
  • MetricStream states that its Application Studio and Zaplet capabilities enable it to advance its capabilities without upgrading the core platform. In the meantime, customers still report that significant customization is needed. This customization work is performed by the largest support team of any EGRC platform vendor.

Nasdaq OMX (BWise)

Nasdaq OMX is headquartered in New York, with offices in the U.S., Canada, Australia, Brazil, South Africa, the UAE, and several countries in Europe and Asia. BWise 4.1 was the current version of Nasdaq OMX's EGRC platform at the time of the evaluation.
  • Nasdaq OMX acquired BWise in 2012 as part of its strategy to grow its Corporate Solutions group. While BWise should benefit in the long run from exposure to the broad Nasdaq OMX customer base, for now its industry strength is in financial services.
  • BWise has an explicit strategy to minimize customization and offer customers an out-of-the-box solution as much as possible. A very flexible data model enables a high degree of configuration with minimal customization.
  • BWise has a very good understanding of the market for GRC within financial services, and its road map reflects that. Looking forward, BWise's road map includes ongoing enhancements of advanced risk analytics; improved integration with Nasdaq Smarts, which is a compliance solution for securities regulators, exchanges and broker-dealers; and deployment of reputational risk management capabilities.
  • Many BWise customers report that time to value — that is, the time from implementation until they are getting the value they expect from the product — is short. Time to implement is average.
  • Overall, risk management and risk analytics are BWise strengths, including ERM, ORM and ITRM. Some BWise customers reported using the platform for integrated performance and risk management, including mapping KRIs to KPIs and assessing the impact of risks on strategic business objectives.
  • BWise is competitive against pure-play IT GRC management vendors.
  • While BWise espouses architecture that requires minimal customization, several customers report that significant customization was required for their implementations. This is not surprising, since many of the implementations are in complex FS environments. Still, buyers should be aware that there is a gap between the marketing around "no customization required" and the reality at implementation.
  • Since its acquisition by Nasdaq OMX, BWise has gained exposure to a broader market beyond FS. However, it has not yet achieved sufficient traction in other industries. Because large FS deals are becoming increasingly difficult to obtain these days with the market being fairly saturated, BWise's growth is not keeping up with many of the other leaders. In order to stay in the Leaders quadrant next year, BWise needs to focus more on Tier 2 banking, manufacturing and other industries.
