Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms

Transcription

1 Seite 1 von 13 Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms 24 September 2013 ID:G Analyst(s): French Caldwell, John A. Wheeler VIEW SUMMARY The enterprise GRC platform market has matured to a strategic focus on enterprise risk management and business performance. The next market phase includes integrated performance and risk management, industry- and function-specific applications, and mobility. Market Definition/Description This document was revised on 26 September The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com. The enterprise governance, risk and compliance (EGRC) platform marketplace is maturing, and the experience of the users of EGRC platform solutions is deepening and getting broader. Taking into account this maturity and the increasing professional expertise of governance, risk and compliance (GRC) users, this year's Magic Quadrant analysis placed much more emphasis on reference customer feedback and market expectations. Gartner also has based the product evaluation criteria more on the ability of the vendors to address key use cases than on features and functions. As a result of these changes, the Magic Quadrant ratings better reflect the expectations that buyers in the market have, as well as vendor performance in meeting a globally diverse and growing market. These modified criteria have resulted in significant shifts in the positions of many vendors compared with the 2012 Magic Quadrant. GRC as a marketplace can be broadly divided between GRC management (GRCM) products for the oversight and operation of risk management and compliance programs, and other GRC products for the automation and monitoring of controls. For a comprehensive description of the GRC marketplace, see "A Comparison Model for the GRC Marketplace, 2011 to 2013." Instead of acquiring separate solutions for finance, IT and other business units, many enterprises choose a single EGRC platform. When a single solution is not feasible, they may still integrate data from the many point and functional solutions to provide a GRC system of record for a single version of the truth. Reporting and managing through an enterprise GRC platform can give executives, auditors and managers a holistic view of the enterprise's risk and compliance postures, as well as views sorted by requirement, entity and geography. As the EGRC platform market continues to mature, most vendors are seeking to meet these new demands through an integrated platform with core modules for risk management, compliance and policy management, audit management, and regulatory change management; customers can grow into the solution through the phased implementation of interoperable modules. As the platform is more clearly defined, several vendors are beginning to develop industry- and function-specific applications that are overlaid on one or more of the core modules of the platform. Examples of these applications include privacy, anti-bribery compliance, business continuity management (BCM), PCI compliance, conflict minerals, Basel II, Solvency II, third-party risk management and many others. The primary purpose of the EGRC platform is to automate much of the work associated with the documentation and reporting of risk management and compliance activities that are most closely associated with corporate governance and strategic business objectives. The primary end users include internal auditors and the audit committee, risk and compliance managers, legal professionals, and accountable business process owners. The key functions of importance to these groups are: Risk management: Supports risk management professionals with the documentation, workflow, assessment and analysis in terms of business impact, reporting, visualization and remediation of risks. Supports business planners and analysts with analysis of risk-adjusted performance. The risk management component is generalized and can be applied to several risk management use cases, such as IT risk management and operational risk management; however, it may collect data from specialized risk analytics such as credit risk management and market risk management tools to provide a consolidated view of ERM. Many industry-specific risk management requirements may not be supported. For example, many banks require highly specialized capabilities for Basel II compliance. Only a few EGRC platform vendors support the operational risk management (ORM) needs of banking with advanced risk analytics. Instead, most vendors prefer to integrate the platform with specialized analytics solutions from other vendors. Audit management: Supports internal auditors in developing the long-range audit plan, planning and executing individual audits, scheduling audit-related tasks, and managing work papers, time management and reporting. Compliance and policy management: Supports compliance professionals with the documentation, workflow, reporting and visualization of controls objectives, controls and associated risks, surveys and self-assessments, attestation, testing, and remediation. At a minimum, compliance management will include financial reporting compliance (Sarbanes-Oxley [SOX] compliance), and also will support other types of compliance, such as ISO 9000, PCI, industry-specific regulations, SLAs, trading partner requirements and compliance with internal policies. This function includes a specialized form of document management that enables the policy life cycle from creation to review, change and archiving of policies; the mapping of policies to mandates and business objectives in one direction, and risks and controls in another; and the distribution to and attestation by employees and business partners. Regulatory change management: Supports the ability to respond to changes in regulations. When a rule is changed or a new one emerges, it enables a business impact analysis and supports EVALUATION CRITERIA DEFINITIONS Ability to Execute Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria. Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products. Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness. Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities. Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on. Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. Completeness of Vision Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision. Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. Business Model: The soundness and logic of the vendor's underlying business proposition. Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

2 Seite 2 von 13 the management of the changes to related processes, controls, risk assessments, rule books and policies. Incident or case management: Is used to track the occurrence and resolution of incidents, completely documenting investigations into legal matters and regulated activities. These tools are typically intended for the support of specific types of investigations, including HR; environmental, health and safety (EH&S); money laundering; fraud; and forensics. They may also be used to manage the resolution of significant audit findings and risk and control failures. Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market. The EGRC platform can be integrated with business applications such as the general ledger, business intelligence (BI), enterprise content management, controls automation, monitoring solutions (such as segregation of duties), IT technical controls (such as server configuration auditing) and continuous controls monitoring (CCM) for transactions. The EGRC platform also integrates with specialized GRCM solutions, such as EH&S compliance, IT GRC management, quality management and industry GRCM applications. The GRC market is nine years old, and buyers have high expectations for the performance of GRC solutions against a wide variety of use cases. Differentiation today is about the ability to deliver against multiple use cases, and provide advanced risk management functionality, with analysis of the impact of risks on strategic objectives and business performance, domain expertise in multiple highly regulated industries, ease of use including mobile capabilities and configurability. Magic Quadrant Figure 1. Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms Source: Gartner (September 2013) Vendor and CMO Compliance CMO Compliance is headquartered in London, with offices in the U.K., the U.S. and Australia. CMO Compliance 8.0 was the current version of the EGRC platform at the time of vendor evaluation for this Magic Quadrant. With a legacy in EH&S compliance, CMO Compliance also has strong EGRC capabilities for assetintensive industries such as heavy manufacturing, oil and gas, transportation and logistics, and utilities. Its mobile capabilities surpass those of any other EGRC platform vendor, and enable a tablet user to access most functionality that would be available on a desktop online and offline. CMO Compliance has strengths in integrated performance and risk management, and several customers reported using the platform for strategic planning and assessing the impact of risks on strategic business objectives, mapping key risk indicators (KRIs) to key performance indicators (KPIs), assessing risk-adjusted performance, and doing balanced scorecard reports. The vendor has above-average capability to support regulatory change management, including offering a customizable regulatory tracking and update service to customers. Incident management is also a strength, including investigations support. Customers consistently rate CMO Compliance as exceeding expectations in a broad range of use cases.

3 Seite 3 von 13 CMO Compliance has good support in North America, Europe and the Asia/Pacific region, and is developing a stronger presence in South Africa. Although banks and insurance firms that operate in remote areas may find the mobile and offline capabilities useful, CMO Compliance currently does not have the full breadth of financial services (FS) domain expertise to be competitive as a comprehensive EGRC solution for FS. It does, however, support FS customers with regulatory change management. obtained from sources believed to be reliable. Gartner While CMO Compliance has good support and sales capacity, it is growing rapidly. To keep up with disclaims all warranties as to the accuracy, completeness this growth, it will need to not only increase its organic support capabilities, but also develop more or adequacy of such information and shall have no extensive partnerships with consultancies and system integrators. As the company is transitioning from a small player to a more significant one, it needs to develop Gartner s research organization and should not be a more formal road map. Since GRC is a program and not a one-time implementation, prospective construed as statements of fact. The opinions expressed customers should press CMO Compliance to demonstrate how the road map will support their plans. EMC (RSA) RSA, The Security Division of EMC, is headquartered in the U.S. and has global sales and support. RSA Archer Platform 5.2 was the current version of the EGRC platform at the time of the evaluation. RSA Archer has an extremely loyal customer base within the IT GRC market, and is included in the "MarketScope for IT Governance, Risk and Compliance Management." The lobbying effort of this base enables RSA to open doors within the rest of the enterprise. RSA provides excellent support and moderation for user communities, and has best-in-class capabilities for integrating users into the development process. About Gartner Careers Newsroom Policies Site This is a very flexible and comprehensive GRC offering. RSA has developed the concept of focused Index IT Glossary Contact Gartner solutions that overlay workflows and content on existing modules to address industry- or functionspecific requirements. For instance, RSA has rolled out a regulatory change management solution, and it is using focused solutions to add additional risk analytics capabilities. RSA is executing well against an extensive road map for focused solutions and enhancements to the core modules. Customer references report using RSA Archer in a very broad range of use cases. Several use cases were rated as exceeding expectations, and only a few were rated as failing to meet expectations. Almost all customers reported using RSA Archer for IT risk management (ITRM), reflecting the ongoing strength in IT GRC. Several customers reported using RSA Archer for integrated performance and risk management, including strategic planning and assessing the impact of risks on strategic business objectives, mapping KRIs to KPIs, and assessing the impact of risks on operational performance. RSA Archer maintains extensive content libraries, including standards and frameworks as well as regulations. It has dedicated staff to keep these libraries up-to-date. The pricing model uses annual licensing, and its components are open and transparent. Discounting is more common than it used to be. RSA Archer is also strong in BCM, and is included in the "Magic Quadrant for Business Continuity Management Planning Software." 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner s prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity. Although RSA Archer promotes that zero custom code is needed to get started, most customers report significant customization in their implementations. One customer reference noted that it was moving away from customization because it interfered with the ability to take advantage of upgrades. With 10 primary modules, on-demand applications and a growing number of focused solutions, the price of RSA Archer escalates quickly. Most customers will find that regardless of their role or purpose, at least three modules will be needed, and focused solutions will add to that. Most module pricing includes one on-demand application license, but customers who want to build out their own targeted capabilities will buy more. Customers will find themselves paying for more annual licenses than with other vendors. On the other hand, it is not as if pricing is hidden the RSA Archer pricing model is open and transparent. Focused solutions are priced in three tiers Tier 1 is the most expensive due to the solution being more complex and having more support. For the second and third tiers, customers should not expect to receive the same level of ongoing improvements and upgrades. Several customer references noted that RSA Archer support was slow in responding to requests. Enablon Enablon is headquartered in Paris, with offices in France, the U.S., Canada, Spain, and the U.K. Enablon 6.0 was the current version of the EGRC platform at the time of the evaluation. Enablon has strong capabilities for asset-intensive industries such as heavy manufacturing, oil and gas, mining, and construction. It also has support for FS risk management and compliance. Enablon has demonstrated some of the best examples of linking business performance, risk management and compliance. Customers reported using the platform for several integrated performance and risk management use cases, including strategic planning and assessing the impact of risks on strategic business objectives, mapping KRIs to KPIs, and calculating risk adjusted performance. Linking sustainability performance to business performance is a strength, as are incident management including support for investigations and supplier management. Enablon provides a large number of prepackaged analytical methods that address risk management, sustainability, and business performance requirements. As the enterprise GRC platform market looks for solutions that support integrated performance and risk management, Enablon has been able to gain traction.

4 Seite 4 von 13 Enablon maintains and moderates a strong user community, enabling customers to network and share. Enablon's product is typically implemented with little customization, and customers report that it meets or exceeds expectations in most use cases. If Enablon continues to execute well on its EGRC strategy and improves sales execution in regions beyond Europe, it could work its way into the Leaders quadrant. While clearly committed to the enterprise GRC market, Enablon's overall focus remains on its larger business of EH&S compliance. Many customers report that implementation takes a long time some of these were large, complex implementations. Half of the customer references noted that the software is not easy to configure. A few customers expressed dissatisfaction with ongoing support. Presence outside of North America and Europe is less than might be expected for a vendor focused on heavy asset industries. Prospective customers in other regions should press Enablon on how they will support them. Enablon is focusing more on investments in Australia and New Zealand and have a number of new customers there. IBM IBM, headquartered in the U.S., provides global sales and support. OpenPages GRC Platform 6.2 was the current version of the EGRC platform at the time of the evaluation. OpenPages is very strong in supporting the needs of financial services institutions, including support for operational risk management for Basel II/III and Solvency II, and that has been enhanced further with integration of the Algo First loss event content. OpenPages is built on Cognos, which gives it strong analytics and reporting functionality. Improvements in integration with Algorithmics for risk modeling and SPSS for business data analytics should offer strong capabilities for integrated performance and risk management. OpenPages demonstrated functional strengths in risk management and audit management. It also had a differentiating scenario analytics capability that easily can be used by a nonexpert. IBM Global Services has developed capabilities to implement OpenPages, which has strong partnerships with many large consultancies. For example, PwC, KPMG, Ernst & Young and Deloitte have large numbers of consultants trained on OpenPages. Rather than sell module by module, OpenPages licenses the entire platform, enabling users to pick and choose among all of its functional capabilities. For four years, OpenPages has focused its growth strategy on large FS deals. As large FS buyers are few and far between, the growth rate at OpenPages has not kept up with some of the other leaders. While OpenPages does have a large number of clients in other industries, including energy and utilities, healthcare, manufacturing, telecom and IT, it has not focused on growth in these areas. This is the primary reason IBM has moved down in the Leaders quadrant compared with other vendors. OpenPages will need to add further industry domain expertise and make its solutions easier to deploy in order to grow further into manufacturing and other industries, as well as into Tier 2 banking. Its strategy to broaden the base of industry coverage will rely on what it calls "standard solutions"; these will enable delivery of industry- and function-specific capabilities overlaid on the core OpenPages modules, which should help growth into other industries. Considering OpenPages' ability to integrate with other IBM analytics solutions, it was notable that only one customer reference reported a use case for integrated performance and risk management. OpenPages has not taken full advantage of the reach and breadth of IBM's sales force to expand sales across multiple industries and to midtier buyers, perhaps because of the strong focus on large FS deals. Several customers reported long implementation times, which is not unusual for large FS implementations. Mega Mega International is headquartered in Paris, with offices in France, the U.K., Italy, Germany, the U.S., Mexico, Morocco, Singapore and Japan, and affiliated distributors in several other countries. The Hopex platform 1.0 was the current version at the time of the evaluation. Mega continues to evolve its EGRC platform, with a strong concentration on business architecture. Mega's business architecture focus emanates from its roots as an enterprise architecture software provider and serves as a key differentiator for its EGRC product. Management has successfully executed a transition over the past three years from a service-oriented firm to one with a focus on software sales. In early 2013, Mega released a new platform called Hopex for its GRC and enterprise architecture solutions. The ability to model and analyze the impact of risks and controls on processes and key performance indicators is a strength for Mega. Hopex also has a much simpler user interface than earlier solutions. Mega has focused on the FS market, and has strong capabilities to support operational risk management, Basel II/III and Solvency II. Mega is also making inroads into manufacturing, where its architectural orientation is an asset. Its audit management solution is also strong. Customers report that the time to implement and time to value are relatively short. Mega has grown its presence in North America to equal that in Europe. It has also had significant growth in Asia/Pacific.

5 Seite 5 von 13 The marketing of Hopex focuses on the benefits of integrating GRC with enterprise architecture. This feature may intrigue enterprise architects. However, to propel its sales growth and enter the Leaders quadrant, Mega will need to develop marketing that targets senior business and risk management executives. Customers did not report using Mega broadly, but mostly on a narrow range of use cases. Mega needs a wider breadth of prepackaged solutions that can enable a greater range of use cases for its customers. Even though it has clear capabilities to support integrated performance and risk management, it is notable that only one customer reference reported a use case for that purpose. This is further evidence that Mega needs to develop the marketing and reach to senior business and risk management executives. Several customers reported significant customization was required, an issue that based on what was demonstrated to Gartner may be relieved with the Hopex platform. MetricStream MetricStream, headquartered in Palo Alto, California, has offices in the U.S., Canada, the U.K., Switzerland, France, Italy, Australia, the United Arab Emirates (UAE) and India. MetricStream 6.0 was the current version of the EGRC platform at the time of the evaluation. MetricStream 6.0 offers a broad-based EGRC platform to a wide range of customers across a number of industry verticals. It continues to grow organically in multiple regions, and recently acquired Certus, another EGRC platform vendor. MetricStream takes a flexible approach that concentrates on providing customers with the specific capabilities that they are looking for. This strategy has enabled MetricStream to build a large client base across a number of industries. In its efforts to maintain a flexible approach for its customers and minimize customization, during the past two years, MetricStream has focused on a standard application studio on which it can build scores of replicable applications for specific industry and functional needs. It has opened its Application Studio and new Zaplet technology to partners, who can build third-party applications on the MetricStream platform. For customers, this means that MetricStream will have a portfolio of applications from itself and a partner ecosystem that will plug and play with the core platform. MetricStream's global support capabilities continue to grow, with sales and support capabilities in North America, Europe and Asia/Pacific. It also has brought a number of experienced risk management professionals onboard who can work with customers to align the solutions to their risk management and compliance programs, as well as provide advice on improving those programs. MetricStream is strongly competitive in the IT GRC management market and is included in the "MarketScope for IT Governance, Risk and Compliance Management." A differentiator is its vpanorama application, which enables collecting metrics on cloud-based assets. MetricStream is also strong in BCM and is included in the "Magic Quadrant for Business Continuity Management Planning Software." Several MetricStream customers reported using the platform for integrated performance and risk management, including mapping KRIs to KPIs, assessing the impact of risks on strategic objectives and implementing balanced scorecard reporting. MetricStream is experiencing rapid growth. Goldman Sachs and other investors injected a large amount of cash into the company in 2013 that will fund further growth and development. MetricStream is transitioning from a relatively small software vendor to a major player in a growing market segment. It has had some growing pains. So far in 2013, four clients have told us of implementation issues, including gaps between what was demonstrated to the customer and what was readily available out of the box, enhancements that drive up costs beyond what was budgeted, difficulty in communicating with MetricStream implementers, unexpected rotations in the implementation team, and a perceived lack of expertise among the implementers. Most of these issues have occurred in large implementations, and customers typically express a greater degree of satisfaction once implementation is complete. MetricStream has established a process to track implementation issues, correct them, and improve its implementation processes. For now, however, customers with large implementations should be diligent and raise issues to the vendor at the earliest sign of a problem. MetricStream states that its Application Studio and Zaplet capabilities enable it to advance its capabilities without upgrading the core platform. In the meantime, customers still report that significant customization is needed. This customization work is performed by the largest support team of any EGRC platform vendor. Nasdaq OMX (BWise) Nasdaq OMX is headquartered in New York, with offices in the U.S., Canada, Australia, Brazil, South Africa, the UAE, and several countries in Europe and Asia. BWise 4.1 was the current version of Nasdaq OMX's EGRC platform at the time of the evaluation. Nasdaq OMX acquired BWise in 2012 as part of its strategy to grow its Corporate Solutions group. While BWise should benefit in the long run from exposure to the broad Nasdaq OMX customer base, for now its industry strength is in financial services. BWise has an explicit strategy to minimize customization and offer customers an out-of-the-box solution as much as possible. A very flexible data model enables a high degree of configuration with minimal customization. BWise has a very good understanding of the market for GRC within financial services, and its road map reflects that. Looking forward, BWise's road map includes ongoing enhancements of advanced risk analytics; improved integration with Nasdaq Smarts, which is a compliance solution for securities regulators, exchanges and broker-dealers; and deployment of reputational risk management capabilities.

6 Seite 6 von 13 Many BWise customers report that time to value that is, the time from implementation until they are getting the value they expect from the product is short. Time to implement is average. Overall, risk management and risk analytics are BWise strengths, including ERM, ORM and ITRM. Some BWise customers reported using the platform for integrated performance and risk management, including mapping KRIs to KPIs and assessing the impact of risks on strategic business objectives. BWise is competitive against pure-play IT GRC management vendors. While BWise espouses architecture that requires minimal customization, several customers report that significant customization was required for their implementations. This is not surprising, since many of the implementations are in complex FS environments. Still, buyers should be aware that there is a gap between the marketing around "no customization required" and the reality at implementation. Since its acquisition by Nasdaq OMX, BWise has gained exposure to a broader market beyond FS. However, it has not yet achieved sufficient traction in other industries. Because large FS deals are becoming increasingly difficult to obtain these days with the market being fairly saturated, BWise's growth is not keeping up with many of the other leaders. In order to stay in the Leaders quadrant next year, BWise needs to focus more on Tier 2 banking, manufacturing and other industries. Protiviti Protiviti is a subsidiary of Robert Half International, which is headquartered in Menlo Park, California, with offices located globally. Protiviti Governance Portal 4.0 was the current version of its EGRC platform at the time of the evaluation. Protiviti possesses good capabilities for audit management, compliance and policy management, as well as regulatory change management, through its integration with Complinet. In addition, it has project management capability that is useful when rolling out new risk management and compliance programs, or when there is a need to implement major changes as a result of new regulatory requirements. Protiviti can add value to the development of GRC programs through its deep consulting expertise and access to additional subject matter experts through its parent, Robert Half. Protiviti is included in Gartner's "MarketScope for Global Risk Management Consulting Services." Protiviti continues to focus on the user experience, and ease of navigation is apparent in the latest version of its Governance Portal. Customers report that very little customization is needed to implement the product. Protiviti has a strong content strategy, with many of its customers supplementing the software with risk management and compliance frameworks, as well as regulatory content. Its road map shows plans for improvements in risk analytics, including integrated performance and risk management, and development of offline mobile capabilities. Some customers report using the platform for integrated performance and risk management, including strategic planning, assessing the impact of risks on strategic business objectives and mapping KRIs to KPIs. Some customer references rated Protiviti as not having met expectations for some use cases. However, in demonstrations, Protiviti showed product leadership in key areas such as integrated performance and risk management. Nevertheless, much of this demonstrated capability is not being translated into actual usage. While Protiviti has moved downward within the Challengers quadrant, it is difficult to assign a specific reason for this. None of its scores for the Ability to Execute criteria were very poor, but none were exceptional. In general, Protiviti's drop from last year is because of a significant change in weighting and description of criteria that puts a greater emphasis on customer evaluations of the product and market responsiveness, and also a shift in how Gartner evaluates the product, focusing more on the vendor's responsiveness to key use cases and less on features and functions. Resolver Resolver, which is headquartered in Toronto, Canada, has a global network of affiliates for sales and support. GRC Cloud 7.0 was the current version of its EGRC platform at the time of the evaluation. Resolver has begun to differentiate itself through innovation in the user experience and adding solutions for the midmarket, where there is growing demand. Resolver has made it easy for customers to create "wizards" that is, targeted workflows that enable infrequent users to navigate the solution without having to be thoroughly trained on it. Editable reports that enable users to access and enter data through the reporting interface, and a familiar spreadsheetlike data entry capability, are other innovations that make the solution more intuitive for its many infrequent users. Resolver also has a balloting product that enables collaboration and workshops in support of risk assessments. Some customers reporting using Resolver for strategic planning and to assess the impact of risks on strategic objectives. Customers had a very high degree of satisfaction with Resolver's ongoing support. Resolver has built an extensive partner and reseller network that has enabled it to grow globally. While Resolver was the first EGRC platform vendor to introduce a business performance management capability in its platform, initial uptake has been slow. Resolver is not promoting this capability as effectively as some other vendors.

7 Seite 7 von 13 Policy management capabilities need improvement. No customer references reported using Resolver for policy management use cases. The Resolver support staff is small, and though customers are very satisfied with support, as Resolver continues to grow it should invest more in direct sales and support in regions beyond North America. Data centers for the cloud solution are located in North America. Customers in other regions that are considering the cloud solution should validate performance. SAI Global Compliance SAI Global is headquartered in Sydney, with SAI Global Compliance headquartered in the U.S. SAI Global has offices in Australia, several countries in Asia, the U.S. and the U.K. Compliance was the current version of its GRC solution at the time of the evaluation. SAI Global Compliance offers a cloud-based GRC solution, and has a large presence in the healthcare and insurance markets. It has been growing significantly in manufacturing and has a small presence in FS. Customers report that SAI Global Compliance meets expectations for a very wide range of use cases. Its ethics compliance capabilities, including a learning management system and strong policy management, have enabled it to penetrate the growing anti-bribery compliance market more effectively than most other EGRC platform vendors. It has also added additional certification and attestation capabilities for gift tracking and conflict-of-interest disclosures. For healthcare organizations, its claims management module is a plus that is not available on other EGRC platforms. Other differentiators include incident management and strong regulatory change management. While having a broad range of capabilities, SAI Global Compliance remains very compliancefocused. To move into the Leaders quadrant, it needs to significantly improve its risk analytics. SAI Global Compliance claims that it requires minimal configuration and can be implemented quickly. Several customers reported though that implementation times were longer than six months. This is indicative of fairly complex implementations that may need more services to shorten the time to implement. Notably, once implemented, most customers reported that the time to get the value they expected from the solution was short. SAP SAP, headquartered in Walldorf, Germany, provides global sales and support. SAP GRC 10.0 was the current version of the EGRC platform solution at the time of the evaluation. SAP Process Control (PC) and SAP Risk Management (RM) together represent SAP's enterprise GRC platform solution. Integration capability is a key strength. SAP Access Control is on the same development schedule and technical platform as PC and RM, enabling seamless integration of SAP's three main GRC offerings. This integrated solution enables continuous monitoring for risks in ERP applications. SAP Global Trade Services and SAP's EH&S solutions also integrate easily with PC and RM for combined reporting, a significant benefit for supply-chain-intensive enterprises. In 2013, SAP released its first SAP Hana-specific GRC offering, Fraud Management, which can monitor transactional events and analyze for fraud in near real time. More Hana-based GRC capabilities are part of the road map. Adoption of SAP GRC solutions is growing significantly, which reflects the improvements made in the last two years to make the product more user-friendly, and especially changes in the pricing strategy to put purchasing costs more in line with those of competitors. SAP customers report that the solution is difficult to configure. The audit management capabilities are satisfactory for a midsize organization, but would not scale well to support a large, distributed one. While it would be logical that SAP, as a leading analytics vendor, would promote integrated performance and risk management a growing GRC use case only one customer reference reported using the platform that way. Although SAP has made its GRC pricing more competitive, looking forward, if the SAP GRC road map should become SAP Hana-centric, SAP GRC could become too expensive for many customers. SAS SAS, headquartered in Cary, North Carolina, has global sales and support. SAS Enterprise GRC 6.0 was the current version of its EGRC platform at the time of the evaluation. SAS Enterprise GRC effectively delivers all the core functionality of an enterprise GRC platform, and customers reported a broad range of use cases. SAS strengths are in risk analytics, including not just mapping KPIs and KRIs, which many competitors can do, but also advanced capabilities like calculating risk-adjusted business performance, which gives a forward looking view of performance that can support executive decision making. Customer references reported integrated performance and risk management use cases that included strategic planning and assessing the impact of risks on strategic business objectives, mapping KRIs to KPIs, and calculating risk-adjusted performance.

8 Seite 8 von 13 SAS also has strengths in more traditional advanced risk analytics to support ORM, Basel II/III and Solvency II. For customers looking for a quick start at Basel II, SAS offers an express version. SAS is aggressively identifying and operationalizing new use cases. Future enhancements include improved integration with SAS Performance Management and SAS Analytical Intelligence. Although it has a number of innovative and advanced capabilities, SAS customers reported that it is not meeting their expectation in a high number of use cases. SAS was the only vendor that no customer references rated as being above expectations on any use cases. This is the main factor behind its move from the Leaders quadrant to the Visionaries quadrant. SAS needs to make its GRC capabilities easier for the nonexpert user. The SAS solution is complex; many customers report that it is not easy for them to configure. Planned improvements in integration with other SAS offerings may help to reduce the level of effort on implementation. In the meantime, prospective customers should ensure they have a good project manager assigned to the implementation and that expectations not just for implementation but for time to value are established with SAS. Several customers reported lengthy times for implementation. After implementation, it took them six months to a year before they were getting the value they expected from the product. Software AG Software AG is headquartered in Darmstadt, Germany, and has global sales and support. Aris Risk & Compliance Manager 4.1 was the current version of the EGRC platform at the time of the evaluation. It is applied on the Aris platform, which at the time of evaluation was Aris 9. Software AG's Aris Risk & Compliance Manager is most relevant for customers that already are using Aris business process tools or for those who are also looking to develop their business process management capabilities in addition to GRC. Software AG has an innovative approach to the market, with a vision for increasing automation and business process integration with risk management. By integrating webmethods with Aris Risk & Compliance Manager, Software AG is combining complex-event processing and in-memory computing in an innovative way to handle big data analytics for risk monitoring and remediation. These capabilities are able to support several fraud management scenarios. Software AG includes ad hoc reporting capabilities via mashups that enable powerful dynamic dashboard configuration capabilities. Aris Connect, an enterprise social-media-based process improvement product, enables collaborative and team-based information sharing and risk assessments. With a strong process focus, Software AG is able to deliver integrated performance and risk management capabilities such as risk-based strategic planning and monitoring the impact of risk on business performance. Although Software AG has some innovative and advanced capabilities, based on demonstrations and on feedback from customer references, it has room for improvement, including making the solution more intuitive and easier to configure, offering more prepackaged capabilities, and improving audit management and regulatory change management. Software AG does not have a differentiated vertical industry strategy, but rather takes an approach of providing the core capabilities for enterprises in different industries to configure what they need. This approach to the market limits the availability of prepackaged industry or functionspecific capabilities. Prospective customers should have employees who are already trained in the Aris toolset, or should be looking to buy a business process management solution in addition to the GRC solution. Sword Group Sword Group, which is headquartered in London, has offices in the U.K., Ireland, France, Germany, Luxembourg, Belgium, the U.S., Canada, Australia, New Zealand, Hong Kong, India, South Africa, the UAE and Lebanon. Sword Achiever 5.2 was the current version of its EGRC platform at the time of the evaluation. Sword Group recently acquired Active Risk and has rebranded that offering as Sword Active Risk Manager (ARM), an ERM and project risk management application. ARM product capabilities were not evaluated as part of the Sword Group rating in this Magic Quadrant. Sword Achiever has begun to close the gap on product functionality, and has demonstrated much improved risk management, including analysis of KRI impacts on KPIs. Risk-based audit management was also effective, including an ability for automatic adjustment of audit frequency based on risk. Incident management was also a strength. Sword Group is a Microsoft Gold Certified Partner, and has very good integration with Microsoft Office solutions. Users can drill down from reports generated in Excel and Word to the source data in AchieverPlus. Sword Achiever focuses on the life science, healthcare, food and beverage, and utilities industries. Sword Group recently acquired Active Risk, which has strong project risk management capabilities and customers in asset-intensive industries such as construction, oil and gas, mining, heavy manufacturing, and government. The combination of Sword Achiever and Active Risk offers broader industry and geographic coverage, and the potential for improvements in risk analytics for the enterprise GRC platform. To compete more effectively, Sword Group needs to invest more in sales and support outside of Europe.

9 Seite 9 von 13 For several years, Sword Group's geographic strategy has been to extend beyond Europe, but it still does not have the presence in North America and Asia/Pacific to indicate that the strategy is working. The acquisition of Active Risk should help realize its geographic strategy. Sword Group's vertical industry strategy has been narrow, explicitly focusing on healthcare and life sciences, energy and utilities, and fast-moving consumer goods. The acquisition of Active Risk may help it move into heavy industry. More emphasis on financial services is needed. To move out of the Niche Players quadrant, Sword Group needs a more inclusive vision and more effective execution for its industry and geographic strategies. Thomson Reuters Thomson Reuters is headquartered in New York, with global sales and support. Accelus GRC 4.4 was the current version of its EGRC platform at the time of our vendor evaluation. Thomson Reuters is offering a number of GRC solutions under the Accelus brand. These include Accelus Compliance Manager, Accelus Risk Manager, Enterprise GRC for Internal Audit and Enterprise GRC for Internal Controls. The acquisition of Avanon, now Accelus Risk Manager, has significantly improved Thomson Reuters' ORM capabilities for financial services. Thomson Reuters also has demonstrated capabilities to link and assess the impact of KRIs and KPIs, as well as significant quantitative risk management capabilities. With the ability to provide regulatory alerts and recommended rule book changes from its content services, regulatory change management is a strength for Thomson Reuters. Thomson Reuters has a strong focus on FS and manufacturing. With a strategy that plans many further acquisitions, the ease of integration of its solutions will become even more important. Audit management has always been a key strength of Thomson Reuters; however, there was mixed feedback this year on how well it met the expectations of customer references. Wynyard Group Wynyard Group is headquartered in Auckland, New Zealand, with other offices in New Zealand, Australia, the U.S., Canada, the U.K. and the UAE. Wynyard Risk is the GRC platform offering formerly known as Methodware Kairos. In 2013, Jade Software spun off Wynyard Group, which went public with an initial public offering (IPO). Wynyard Group also has capabilities in investigation management that, when integrated with the EGRC platform, can provide a very advanced incident management capability. Wynyard's intelligence and financial crime capabilities have focused on law enforcement and FS buyers. With the increased corporation interest in financial crime prevention and investigatory capabilities, integration of these capabilities with the EGRC platform would enable Wynyard to take advantage of the growing market for anti-bribery and fraud management solutions. Wynyard is investing above the industry norm in R&D, and has an aggressive product road map. It is completing the migration of its products to a common.net architecture, which will enable tighter integration between them. Wynyard's industry focus is on financial services, government and utilities. Wynyard's legacy is in providing services and software to law enforcement for financial crime investigations. Its vision of combining those offerings with GRC is compelling but untested by anyone else in the marketplace. Wynyard Group is putting a lot of emphasis on financial crime, which raises questions about the overall strategy for EGRC. Vendors Added and Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor. Added None Dropped Cura Technologies did not provide information or customer references. Oracle did not provide information or customer references.

10 Seite 10 von 13 Wolters Kluwer Financial Services only markets and sells to financial services organizations. Gartner changed the inclusion criteria to consider only vendors that are used cross-industry. Methodware was not dropped, but is now Wynyard Group, an IPO spinoff of Methodware's former parent, Jade Software. Inclusion and Exclusion Criteria Vendors included in the Magic Quadrant met these criteria: Ability to deliver at least the following three GRCM functions: compliance management, risk management and regulatory change management. Credible presence in the marketplace, which is defined as having at least $12 million in annual revenue for calendar year 2012 from EGRC platform software and related services, at least 100 customers with live implementations of the software, and customers able to be referenced for corporate-governance-related GRC activities, such as financial reporting compliance and ERM. Targets two or more industry verticals. Multiregion presence, which is defined as having at least five reference customers with live implementations in each of two or more geographic regions. At least one of the regions must be North America/Latin America or EMEA. Regions include North America, Latin America, EMEA and Asia/Pacific. Several IT GRCM vendors also have been crossing over into EGRC on an opportunistic basis. They often meet the basic risk management, compliance and policy management needs outside the IT department. Those IT GRCM vendors most often seen crossing over include Agiliance, Modulo and Rsam. It is possible that some may meet the revenue thresholds in the future and develop stronger enterprise strategies and architectures. However, at this point, their primary focus is on supporting IT security professionals with their GRC needs. Likewise, other highly specialized vendors have basic GRC functionality but are focused on specialized roles. These vendors may take the opportunity at times to tout their EGRC capabilities, but their primary focus is not on enterprisewide support. These include EH&S, quality management and standards compliance vendors, such as AssurX and BSI Group. Some eventually do cross over through expanding their products or by making an acquisition. MetricStream and Enablon are examples of the former, and SAI Global Compliance and Sword Group are examples of standards-compliance-oriented vendors entering the market through acquisition. Evaluation Criteria Ability to Execute Vendors are assessed on their ability and success in making their vision a market reality. The six Gartner criteria below were considered for Ability to Execute (see Table 1): Product/Service:Core goods and services offered by the provider that competes in/serves the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria. Vendors are evaluated primarily on effective provisioning of the following functions audit management, compliance management, risk management and regulatory change management. Ability to support IT GRCM is also an element. Overall Viability:Includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the business unit to continue to invest in the product, offer the product and advance the state of the art in the organization's portfolio of products. Evidence of ongoing investment in GRC, overall company revenue and revenue from the EGRC platform are determinants. Market Responsiveness and Track Record:Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. A key metric is sales performance in Sales Execution/Pricing:The technology providers' capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. For sales execution, a key metric is the growth of the EGRC platform customer base over the past three years; for pricing, key metrics are transparency and ease of calculation of the pricing model. Customer Experience:Relationships, products and services/programs that enable customers to be successful with the products are evaluated. Customers are asked a variety of questions to determine their experience with the vendor and the EGRC platform, including whether the product met, exceeded or failed to meet expectations; areas where the vendor should improve; and overall level of satisfaction with the vendor. Key metrics include overall satisfaction, breadth of use, ability to meet performance expectations for various use cases, and positive and negative comments from reference customers. Operations:The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. Key metrics are customer satisfaction with support and ongoing upgrades, customer professional education and training program satisfaction, and the availability of user conferences and other means for customers to improve their skills. The descriptions of the criteria and weightings have changed since Customer experience and operations were both redesigned to stress the emphasis on customer expectations for product performance and the ongoing relationship with the vendor. Reflecting the emphasis on products to have industry-and function-specific capabilities, product weighting was raised from medium to high. Since customers are expecting better product support for a broader range of use cases, the customer experience rating was raised from medium to high. Customers also are looking to vendors to provide ongoing support, user communities, professional development and ongoing training; thus, the operations weighting was changed from low to medium. The changes in weightings reflect changing market expectations, and several vendor positions show significant movement from the year before.

11 Seite 11 von 13 Table 1.Ability to Execute Evaluation Criteria Criteria Weight Product/Service Overall Viability Sales Execution/Pricing High Medium Medium Market Responsiveness/Record High Marketing Execution Customer Experience Operations Source: Gartner (September 2013) Not Rated High Medium Completeness of Vision Vendors are rated on their understanding of how market forces can be exploited to create value for customers and opportunity for themselves. The six criteria for Completeness of Vision below were considered significant for the EGRC platform market (see Table 2): Market Understanding:Ability of the provider to understand buyer needs and translate these needs into products and services. Vendors that show the highest degree of vision listen to and understand buyer wants and needs, and can shape or enhance those wants with their added vision. Vendors understand major regulatory, business and risk management drivers. Marketing Strategy:A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. EGRC platform vendors are evaluated on whether their strategy was clearly consistent and aligned with market direction. Offering (Product) Strategy:A provider's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements. EGRC platform vendors are evaluated on their road maps to advance current capabilities and deliver new ones. Vertical/Industry Strategy:The provider's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical industries. EGRC platform vendors are evaluated on whether they have differentiated offerings for two or more highly regulated industries, evidence of delivery in those industries, and have content and capabilities for industry-specific needs. Innovation:Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, and defensive or pre-emptive purposes. The primary metrics for EGRC vendors are R&D investment and significant noncore capabilities. Geographic Strategy:The provider's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside its native geography directly or through partners, channels and subsidiaries as appropriate for that geography and market. The primary metrics are direct sales and support presence in multiple geographies, and reseller and services partner support. As with the Ability to Execute criteria, some of the weightings and descriptions have changed in the past year. As the market is at a significant turning point where customers are demanding more industry -and function-specific functionality, innovation now includes whether the vendor is delivering significant noncore capabilities. Since most vendors and customers have a good understanding of GRC, market understanding was changed from medium to low. As vendors move into a phase of the market where developing suites of interoperable applications is more important than the underlying platform, product strategy was changed from high to medium, and innovation was changed from medium to high. As demand picks up in regions beyond Europe and North America, geographic strategy was changed from low to medium. The changes in weightings reflect changing market expectations, and several vendor positions show changes from the year before, although these changes are not as dramatic as those on the Ability to Execute axis. Table 2.Completeness of Vision Evaluation Criteria Evaluation Criteria Weighting Market Understanding Marketing Strategy Sales Strategy Low Medium Not Rated Offering (Product) Strategy Medium Business Model Not Rated Vertical/Industry Strategy Medium Innovation High Geographic Strategy Source: Gartner (September 2013) Medium Quadrant Descriptions

12 Seite 12 von 13 Leaders The EGRC platform market is consolidating, and the vendors in this market have had time to develop their products and strategies. Customers are looking for Leaders to provide additional functionality, such as support for chief risk officers, integration with advanced BI and corporate performance management applications, business process modeling, more-flexible and ad hoc reporting, planning and resource management for internal audit, and industry-and function-specific capabilities for risk management and compliance beyond the core functions. They also expect support across multiple geographies. Challengers Challengers have proven viability, demonstrated market performance and shown the ability to exceed customer expectations on technical functionality. Challengers need to focus on their product road maps as well as their sales, marketing, geographic and vertical industry strategies to move into the Leaders quadrant. Visionaries Visionaries have a solid understanding of the market, as demonstrated by domain expertise and responsiveness to customer expectations. They are actively executing against an aggressive product road map that expands support to additional regulatory and nonregulatory compliance and risk management needs, including support for the integration of GRC with business performance. Niche Players Niche Players often have a unique approach to the market. Vendors could also be in the Niche Players quadrant because they have to improve the core platform functions and there market execution. Niche Players may also target a specific industry vertical or the needs of particular professionals. All vendors in the Niche Players quadrant are successful in the market with competitive solutions. Context This Magic Quadrant for EGRC platforms presents a global view of Gartner's assessment of the main software vendors that should be considered by organizations seeking a technology solution to support the oversight and operation of enterprisewide risk management and compliance programs, with the overall objective being improvements in corporate governance and the ability to achieve business objectives. Buyers should evaluate vendors in all four quadrants. The vendors from the Niche Players quadrant have the core functionality of an EGRC platform and, although having some product or product strategy challenges, offer good value for money, specialized industry capabilities or both. They bring some unique approaches to the market that can be of value to many companies. Several vendors in the Visionaries quadrant are driving innovation in the market through integration with business process modeling, CCM, risk analytics, targeted vertical industry solutions, and other advanced capabilities beyond the core functions required to be in the Magic Quadrant. Leaders are innovating with advanced capabilities, have large customer bases, have solid capabilities in the core platform functions audit management, compliance management, risk management and policy management and have executed across several industries, with support for multiple professional roles. Challengers have executed well, but lag the Leaders in advancing their range of advanced GRC capabilities for specific industries or professional roles, or they have a functional or architectural challenge that should be closed. The placement of the vendors and commentary in this Magic Quadrant are based on multiple sources. Customer perceptions of each vendor's strengths and challenges are derived from EGRC-related inquiries with Gartner, as well as an survey of vendor customers conducted from April 2013 through July The evaluations also have drawn from vendor briefings, a vendor-completed questionnaire about their EGRC platform strategies and operations, scripted product demonstration sessions with vendors, and other publicly available and proprietary financial, product and vendor information. Market Overview The EGRC platform market is derived from the need for many entities to improve the oversight of corporate governance including financial reporting compliance, ERM and related audits. Many organizations also want to consolidate other GRC activities into a common platform. Therefore, an EGRC platform must solve the immediate GRCM needs associated with corporate governance, and also enable an enterprise to pursue consolidation and integration of a diverse set of operational, IT, legal and finance GRC activities. GRCM is defined as the automation of the management, measurement, remediation and reporting of controls and risks against objectives, in accordance with rules, regulations, standards, policies and business decisions. Many enterprises typically consider a GRCM application to satisfy a specific requirement, such as Sarbanes-Oxley Act (SOX) compliance, an industry-specific regulation or ORM for a business process. However, enterprises often have other GRCM activities in mind, such as audit management, additional regulations (see "Hype Cycle for Regulations and Related Standards, 2012"), IT governance, remediation management and policy management, which they eventually may integrate into a more consolidated EGRC approach. In a 2013 Gartner survey of 174 EGRC platform users, the six leading uses were enterprise or operational risk management (61%), audit management (53%), IT risk management (34%), case or incident management (32%), policy management (30%), and integrated performance and risk management (29%). Notably, compliance use cases were not in the top six. As the number of use cases increases, most EGRC platform vendors are adding prepackage capabilities, or applications, that meet industry-specific operational GRC needs, such as Basel II/III, Solvency II, EH&S compliance and sustainability, Health Insurance Portability and Accountability Act (HIPAA) and

13 Seite 13 von 13 other healthcare compliance, Foreign Corrupt Privacy Act (FCPA) and other anti-bribery rules, thirdparty risk management, regulatory change management, Gramm-Leach-Bliley Act (GLBA), PCI, conflict minerals and other Dodd-Frank Act requirements, BCM, and NERC/FERC compliance. Overall, EGRC platform vendors are adding capabilities across a wide spectrum of financial, IT, operational and legal needs, thus giving customers an interoperable suite of capabilities from which to choose. IT GRCM Offerings of EGRC Platform Vendors EGRC platforms serve organizations that take an enterprise approach to compliance and risk management, and that want to have all business units including the IT organization on the same GRCM solution. Most vendors with EGRC platforms offer modest IT governance automation functions. At a minimum, EGRC vendors offer the capability to document, survey and report IT risks and controls, but some may lack IT-specific content. Some vendors also provide support for an IT asset repository, IT policy management and the automated collection of IT controls data. Organizations with a primary interest in IT-centric GRCM requirements should be aware that most EGRC platforms balance financial, operational and IT requirements at the expense of IT-centric depth. Gartner is monitoring the potential convergence of IT GRC and EGRC functions, such that this differentiation would become generally irrelevant to the market; however, this has not yet happened in In many cases, organizations are buying two separate tools, indicating that this difference is more substantial than just vendor marketing and different buying centers. This divergence is based on the differences in management and reporting requirements for top-down versus bottom-up approaches. Top-down requirements tend to be led by ERM teams addressing business executive requirements, as opposed to bottom-up requirements, which are typically led by IT teams. The vendors continue to add functions that overlap top-down and bottom-up requirements, but convergence will only happen when organizations stop buying multiple tools to address diverging requirements, and agree on one tool to address both approaches comprehensively. However, the IT- GRC market is bifurcating into security-operations-centric functions and traditional oversight, measurement and reporting functions (see "Technology Overview for IT GRC: Clarifying IT GRC to Match Technology to Need"). Key Trends Affecting the EGRC Platform Market The EGRC platform is evolving on the basis of several trends, which include: Increased demands on internal audit organizations as they cope with increasing regulatory requirements, ERM oversight and demands for more business performance audits An increasing regulatory focus on anti-corruption and bribery in the aftermath of the 2008 global financial crisis ERM to support transparency objectives of regulators and decision making by business leaders Risk analytics to support integration of risk management and performance management Regulatory content services and change management to deal with regulatory proliferation The SOX knock-on effect, as organizations find that auditors and regulators worldwide are raising the bar on internal controls, even when the law is not as stringent as U.S. SOX (for example, Law 262 in Italy) Consolidation, with a shift from dominance of the market by smaller best-of-breed players to one dominated by larger, well-established vendors Third-party risk management to ensure that third parties do not present unacceptable compliance and risk challenges Social risk management issues emerging from social marketing strategies and the need to ensure compliance with privacy and advertising regulations Operational technology and critical infrastructure protection, which increases the variety and volume of risk and controls data The latter three trends present a big data problem that will require a much greater investment in complex risk analytics, and could lead to a significant transformation of the GRC market during the next three years. Specifically, as GRC adapts to social, third-party monitoring and operational technology requirements, the volume of use cases will expand beyond what is reasonable to be included directly on the platform. With the proliferation of use cases, the platform will need to integrate with many more external data sources and applications, thus reversing what has been the evolution during the past six years to support most GRC use cases directly on the platform. Thus, the platform will fade in market positioning importance, but will remain foundational as an enabler for new GRC-related markets.