For: Security & Risk Professionals

The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q1 2014
by Christopher McClean, Nick Hayes, and Renee Murphy, January 27, 2014

Key Takeaways

It's No Longer Worth Trying To Define Distinct GRC Platform Submarkets
Unlike in previous years, in which Forrester published distinct enterprise GRC and IT GRC Forrester Waves, this report compared all of the top GRC platform vendors, regardless of their primary target markets. This reflects growing customer interest in consolidated platforms, and vendor successes that frequently span traditional boundaries.

The Leaders Show The Greatest Ability To Support Diverse Use Cases
EMC RSA, IBM, MetricStream, Nasdaq OMX BWise, and Rsam have all finished in the Leaders position before, and Enablon is new to the category. All six of these vendors have shown strong fundamental platform capabilities, and most importantly, the flexibility to help customers address changing market and business demands.

The Strong Performers And Contenders Are Well Worth Considering On Shortlists
Agiliance, CMO Compliance, LogicManager, Mega, Modulo, Protiviti, Resolver, SAI Global, SAP, Thomson Reuters, and Wynyard make up the long list of Strong Performers, all having leading capabilities and winning deals with specific focus areas. Likewise, SAS Institute and The Network are Contenders that should be strongly considered for certain use cases.

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA Tel: +1 617.613.6000 Fax: +1 617.6100 www.forrester.com
A Detailed Evaluation Of The 19 Most Relevant GRC Software Vendors
by Christopher McClean, Nick Hayes, and Renee Murphy with Stephanie Balaouras and Kelley Mak

Why Read This Report

Growing diversity in the governance, risk, and compliance (GRC) platform market is blurring the lines between historical subsegments, as organizations push their GRC programs into the far reaches of business processes and initiatives. In Forrester's 43-criteria evaluation of the most relevant 19 GRC vendors, we dug deep into their technologies and strategies to separate the Leaders from the Strong Performers and Contenders. Based on briefings, demos, customer surveys, interviews, and actual use of the products, this report presents a detailed and transparent assessment to help you select the GRC platform best able to meet your business needs.

Table Of Contents

GRC Technology Decisions Are Getting More Difficult
It's Not Worth Defining Submarkets For GRC Platforms
Governance, Risk, And Compliance Platform Evaluation Overview
Evaluation Analysis
Vendor Profiles
Supplemental Material

Notes & Resources

Forrester conducted product evaluations in July 2013 and interviewed 18 vendor companies: CMO Compliance, Enablon, IBM OpenPages, LogicManager, Mega, MetricStream, Modulo, Nasdaq OMX BWise, Protiviti, Resolver, EMC RSA, Rsam, SAI Global, SAP, SAS Institute, The Network, Thomson Reuters, and Wynyard.

Related Research Documents

Assess Your GRC Program With Forrester's GRC Maturity Model, October 2, 2013
The Forrester Wave™: IT Governance, Risk, And Compliance Platforms, Q4 2011, December 1, 2011
The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q4 2011, November 30, 2011

© 2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources.
Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email clientsupport@forrester.com. For additional information, go to www.forrester.com.
GRC Technology Decisions Are Getting More Difficult

For all the growth and maturity of the GRC platform market, it's a segment that still eludes clear definitions and boundaries. Risk and compliance professionals are discovering new ways to leverage these technologies for greater efficiency and control, but now they face hard choices about how far to take them: what use cases they can support, whether to consolidate multiple applications into a single platform, and how to successfully roll out their program to build business success.

Organizations' GRC Technology Environments Grow More Complex

Forrester surveyed 66 GRC customer organizations for this report and found that almost half (44%) have more than one GRC platform.[1] For example, after a recent implementation that took more than a year, one financial services organization with tens of thousands of employees now has six GRC platforms in production, including one that the vendor no longer supports and another that the company plans to phase out. Similarly, a compliance manager for a large energy company also described an environment with at least four GRC platform implementations, two of which were separate instances of the same product. Both of these customers had great things to say about the value their GRC tools deliver (a common sentiment among GRC customers); however, the strategic and tactical decisions involved to ensure that the technology environment is efficient and effective are dizzying, to say the least.

It's Not Worth Defining Submarkets For GRC Platforms

For the past decade, few GRC systems could address the various risk and compliance needs of all the different parts of even a medium-size enterprise. Instead, vendors targeted specific requirements of a single department or function, typically IT, finance, or health and safety.
Now, however, vendors are shedding their past niche specialties to compete for bigger and broader deals, creating a complex marketplace of many diverse competitors. For this Forrester Wave research effort alone, Forrester considered over 50 vendors that all market GRC capabilities. But don't lump any vendor into this growing group based just on marketing language. A true GRC platform includes four basic functions:

1. A relational database stores GRC data and maps its context within the organization. Fundamental to GRC is the ability to understand the relationships between risks, controls, policies, requirements, assets, processes, and other objects.

2. A workflow engine facilitates GRC processes. This is how to make sure people know when and how to conduct assessments, audits, remediations, action plans, and other relevant tasks.
3. Content management capabilities store critical documentation. These features allow organizations to create, review, update, distribute, and archive records such as policies and audit findings.

4. Reporting capabilities create understanding and drive decisions. Analysis of vast GRC information is necessary for business decision-makers, auditors, regulators, and boards of directors.

Use Cases Are Extremely Diverse, And That Diversity Will Only Increase

Rapidly evolving business and regulatory environments constantly introduce new customer scenarios and requirements for GRC platforms. In some cases, it's heavily regulated financial firms reacting to new rules in the Dodd-Frank Act, sometimes it's manufacturing and retail firms working to improve their third-party risk management processes, and other times it's contractors managing controls and processes for major events like the Olympics or the FIFA World Cup, or a Smart Grid deployment. Any aspect of the organization that has performance objectives, by definition, has risks to the achievement of those objectives. For complex or especially important aspects of the organization, managing all of these risks is nearly impossible without technology, which means companies will continue to see the value that GRC platforms can bring to everything they do.

If You Have A Specific Use Case, Adjust The Wave Weightings To Your Needs

The Forrester Wave model is an incredibly flexible tool, enabling you to customize how much each of the 43 criteria influences the vendor rankings, which gives you a more targeted list of vendors to consider based on your specific requirements. While the Leaders in the Wave will usually remain high on the list regardless of what you change, some vendors will rise significantly with different weightings.
To show you how this works, Forrester created a few additional sets of weightings based on some common initial GRC implementations:

Corporate compliance, environmental compliance, and social responsibility. Forrester developed these weightings for scenarios where the main use of the GRC platform will be to manage policies, develop effective training and awareness, and extend the scope of the program to cover environmental health and safety. Using Forrester's suggested weighting revisions, you will see several vendors rise significantly higher on your list: CMO Compliance, Protiviti, SAI Global, and The Network (in alphabetical order). See the endnote for the detailed weightings suggestions.[2]

IT GRC and third-party risk management. Use these suggested weightings if the primary function of the GRC platform will be to manage IT risks and compliance requirements both internally and across the supply chain. With these revised weightings, the vendors that rise significantly higher on your list include Agiliance, IBM, Modulo, and Protiviti (in alphabetical order). See the endnote for the detailed weightings suggestions.[3]
Financial controls and operational risk. For GRC professionals working for organizations in the financial services industry or with a heavy emphasis on financial controls and operational risk, Forrester recommends customizing the criteria using weightings that focus on risk management, control monitoring and enforcement, and audit management. Emphasizing these criteria with Forrester's suggested weighting revisions, the vendors that rise most significantly on your list are IBM, Mega, Protiviti, and Resolver (in alphabetical order). See the endnote for the detailed weightings suggestions.[4]

GRC Vendors And Platforms Are Improving In Maturity, But Several Issues Persist

Customers are generally satisfied with the GRC platform they chose, often due more to the positive relationships they have with their vendor than to the specific technical capabilities. Two-thirds (66%) of GRC customers rated the overall vendor relationship with the highest levels of satisfaction (9 or 10 on a 0-10 scale), whereas only 32% gave the same marks for the product's end user experience, and an even smaller portion (28%) were very satisfied with the dashboard and analytics capabilities. Customers see the business value, but the technical functionality, ease of use, and reliability of the platform are areas where most GRC vendors still fall short.[5]

Governance, Risk, And Compliance Platform Evaluation Overview

To assess the state of the governance, risk, and compliance platform market, Forrester evaluated the strengths and weaknesses of the top software vendors.
The Evaluation Highlighted Product Capabilities, Vendor Strategy, And Market Reach

Based on extensive market research, an assessment of customer needs, ongoing work helping our clients develop strong GRC programs, and constant engagement with GRC vendors and practitioners, we developed a comprehensive set of 43 evaluation criteria to compare and contrast the most relevant vendors. These criteria fit into three categories:

Current offering. The vertical axis of the Forrester Wave graphic reflects the strength of each vendor's product offering, including its capabilities to deliver content management, risk and control management, workflow management, GRC management and analytics, audit management, GRC breadth and depth, domain-specific support, and underlying technical functionality.

Strategy. The horizontal axis measures the viability and execution of each vendor's strategy, which includes the company vision and strategy, product vision and strategy, support for GRC roles, and feedback from customer references.

Market presence. The size of each vendor's bubble on the Forrester Wave graphic represents each vendor's presence in the GRC market, based on its financial viability, customer base, GRC staff, and global presence.
Vendors In This Wave Have Broad Capabilities, Market Presence, And Relevance

Forrester included 19 vendors in the assessment: Agiliance, CMO Compliance, EMC RSA, Enablon, IBM, LogicManager, Mega, MetricStream, Modulo, Nasdaq OMX BWise, Protiviti, Resolver, Rsam, SAI Global, SAP, SAS Institute, The Network, Thomson Reuters, and Wynyard. Each of these vendors has (see Figure 1):

Capabilities to support a wide range of GRC use cases. Every vendor in the Forrester Wave has a substantial enough breadth of capabilities to address the needs of governance, risk management, and compliance professionals across multiple industries, domains, and use cases.

Substantial market presence. All vendors evaluated in this Forrester Wave had at least 100 customer organizations and earned more than $10 million in GRC revenue during 2012.

Relevance to the market. Inclusion in this Forrester Wave means that the vendor actively competes in the GRC market, showing up in competitive situations and discussions among Forrester clients.

Of the 19 vendors invited to participate in our evaluation, Agiliance was the only vendor that declined the invitation. However, considering the company's past participation and continued effort to position itself as a GRC platform vendor, Forrester chose to include it in the evaluation as a nonparticipant.
Figure 1 Evaluated Vendors: Product Information And Selection Criteria

Vendor | Product evaluated | Product version evaluated | Product release date
CMO International | CMO Compliance | 8 | February 2013
EMC RSA | RSA Archer GRC | RSA Archer GRC Platform 5.4 | June 19, 2013
Enablon | Enablon Risk Management Suite | Enablon 6 R5 | June 2013
IBM | IBM OpenPages GRC Platform | 6.2.1 | May 19, 2013
LogicManager | LogicManager | LogicManager 13 | June 2013
Mega International | Mega GRC Solutions | V1R1 | June 2013
MetricStream | MetricStream GRC Platform | 6.1 | September 2012
Modulo | Modulo Risk Manager | Version 8.2 | July 1, 2013
Nasdaq OMX BWise | Nasdaq OMX BWise | 4.1.4 | June 2013
Protiviti | Governance Portal | 4 | October 2012
Resolver | GRC Cloud | 7.1 | June 2013
Rsam | Rsam GRC Platform | Version 8 | May 2013
SAI Global | Compliance 360 | 2013.1 | March 2013
SAP | SAP Risk Management, SAP Process Control | version 10.1 | July 2013
SAS | SAS® Enterprise GRC | 6.1 | Q2 2013
The Network | The Integrated GRC Suite | 2013.6 | June 28, 2013
Thomson Reuters | Accelus Enterprise GRC | Version 4.4 | April 2012
Thomson Reuters | Accelus Risk Manager | Version 4.7 | October 2012
Wynyard Group | Wynyard Risk Management | 8.3 | March 2013

106501 Source: Forrester Research, Inc.
Figure 1 Evaluated Vendors: Product Information And Selection Criteria (Cont.)
[Vendor selection criteria panel: capabilities to support a wide range of GRC use cases; substantial market presence; relevance to the market, with the same wording as the three criteria listed above.]
Source: Forrester Research, Inc.

Evaluation Analysis

The evaluation uncovered a market in which (see Figure 2):

The Leaders all show great flexibility and ability to support different GRC domains. EMC RSA, Enablon, IBM, MetricStream, Nasdaq OMX BWise, and Rsam earned a spot in the Leaders category by focusing on their breadth of capabilities and flexibility to address new and changing requirements. A common Leader characteristic is the ability to successfully support a wide range of different GRC domains and functions.

Strong Performers are relevant for many important use cases. Agiliance, CMO Compliance, LogicManager, Mega, Modulo, Protiviti, Resolver, SAI Global, SAP, Thomson Reuters, and Wynyard may not have the same breadth of capabilities as the Leaders, but they rightfully win business over the Leaders on a fairly regular basis. For many customer needs or specific scopes of implementation, vendors in this category are the best choice to solve many key GRC challenges.

The Contenders will give other GRC vendors strong competition in their areas of specialty.
SAS Institute and The Network both have certain capabilities unmatched by the other vendors in this evaluation and will continue to win deals in the GRC space. They still have work to do to build out their breadth of capabilities enough to be considered comprehensive GRC platforms, but if they continue with their current level of commitment, they'll be important vendors in the market.

This evaluation of the GRC platform market is intended to be a starting point only. We encourage clients to view detailed product evaluations and adapt criteria weightings to fit their individual needs through the Forrester Wave Excel-based vendor comparison tool.
Figure 2 Forrester Wave™: Governance, Risk, And Compliance Platforms, Q1 '14
[Wave graphic. Vertical axis: Current offering (weak to strong). Horizontal axis: Strategy (weak to strong). Bubble size: Market presence. Bands: Risky Bets, Contenders, Strong Performers, Leaders. Markers distinguish full vendor participation from incomplete vendor participation.]
Go online to download the Forrester Wave tool for more detailed product evaluations, feature comparisons, and customizable rankings.
Source: Forrester Research, Inc.
Figure 2 Forrester Wave™: Governance, Risk, And Compliance Platforms, Q1 '14 (Cont.)
[Scorecard table. Columns: Forrester's Weighting, Agiliance, CMO Compliance, EMC RSA, Enablon, IBM, LogicManager, Mega, MetricStream, Modulo, Nasdaq OMX BWise. Rows: CURRENT OFFERING (Content management, Risk and control management, Workflow management, GRC management and analytics, Audit management, GRC breadth and depth, Domain-specific support, Technical functionality); STRATEGY (Company vision and strategy, Product vision and strategy, Support for GRC roles, Customer references); MARKET PRESENCE (Financial viability, Customer base, GRC staff size, Global presence).]
All scores are based on a scale of 0 (weak) to 5 (strong).
Source: Forrester Research, Inc.
Figure 2 Forrester Wave™: Governance, Risk, And Compliance Platforms, Q1 '14 (Cont.)
[Scorecard table. Columns: Forrester's Weighting, Protiviti, Resolver, Rsam, SAI Global, SAP, SAS Institute, The Network, Thomson Reuters, Wynyard. Rows: CURRENT OFFERING (Content management, Risk and control management, Workflow management, GRC management and analytics, Audit management, GRC breadth and depth, Domain-specific support, Technical functionality); STRATEGY (Company vision and strategy, Product vision and strategy, Support for GRC roles, Customer references); MARKET PRESENCE (Financial viability, Customer base, GRC staff size, Global presence).]
All scores are based on a scale of 0 (weak) to 5 (strong).
Source: Forrester Research, Inc.

Vendor Profiles

Leaders

MetricStream is growing quickly and demonstrating impressive product enhancements. MetricStream's vision is to embed GRC in the day-to-day functions of all employees, and its strategy reflects this broad vision by targeting a wide range of industries, users, and use cases. MetricStream offers great capabilities in content management, risk and control management, workflow management, GRC management and analytics, and GRC breadth and depth. The MetricStream GRC platform provides high-level building blocks with reusable code libraries for customers, partners, or MetricStream staff to design and configure applications in line with specific GRC needs.
The company's fast growth is a disruptive force in the market, and its continued success will count on its ability to maintain customer satisfaction amid that growth.
BWise once again shows strengths in all major criteria. A Nasdaq OMX company, BWise's strengths shone in content management, risk and control management, GRC management and analytics, audit management, and technical functionality. The BWise platform has impressive document management capabilities and offers integration with other relevant technologies such as Nasdaq's whistleblower, board management, transaction monitoring, and media monitoring products. As BWise continues to integrate with the Nasdaq OMX technology ecosystem, it will ultimately become a lot more focused on solving the biggest challenges related to corporate governance. At this point, however, BWise's strategy is very strong in support of all GRC roles and continues to earn exceptional customer satisfaction scores.

EMC RSA continues its leadership, building on its already large customer base. Archer, owned by EMC RSA, continues to be one of the biggest brands in the GRC platform market, with a strong focus on financial services and growing emphasis on insurance, energy, and government. Archer addresses a wide range of GRC use cases, including policy, risk, compliance, audit, vendor, business continuity, and threat and incident management. It also offers an application builder to support clients and partners as they create applications to meet different GRC requirements. The company has invested heavily to expand the platform's already substantial breadth of capabilities with new Focused Solutions, and its growing customer base will assure that it remains a strong competitor in the GRC market for the foreseeable future.

Rsam is showing strong innovation and success against bigger rivals. Relatively small compared with its top GRC platform competitors, Rsam has demonstrated strong commitment to product development and innovation.
The Rsam platform is a robust tool with a large number of premapped risks and controls as well as terrific integration and workflow capabilities. It's a flexible, intuitive platform with a recently redesigned user interface. The company's ability to sustain this level of competition will depend on continued product innovation and its ability to strengthen market presence through partnerships or other investments.

Enablon has quickly grown much more relevant in the GRC market. Enablon has a unique vision that incorporates support for customers' strategy, risk, performance, and sustainability efforts, and the company considers its EHS management to be one of its main differentiators in the market. Enablon offers a number of unique GRC communication and collaboration capabilities, such as its Wizness platform, which provides users a social networking experience to improve their ability to share GRC best practices and technical advice. Enablon's go-to-market strategy and product enhancements have led it beyond its historic EHS roots to address a much broader set of GRC use cases.

IBM OpenPages has historic success in and a dedicated focus on financial services. With OpenPages, IBM still maintains one of the strongest brands in the GRC platform market, and there is vast potential for the OpenPages platform to integrate with other technologies and services throughout IBM. OpenPages supports a variety of third-party content and offers
integration with IBM's Algo FIRST loss database to supplement customers' internal loss data. For advanced risk analysis, OpenPages integrates with IBM Algorithmics to provide analysis for credit, liquidity, and market risk. As these capabilities show, the company's primary focus continues to be operational risk in the financial services and insurance industries. While this has decreased OpenPages' participation in competitive deals outside of financial services, the company is currently executing plans to extend its presence in other industries as well. In the meantime, IBM OpenPages still has clear competitive advantages that will help it maintain a strong position in the market.

Strong Performers

Wynyard is a company in transition, demonstrating leadership along the way. Formerly Methodware, Wynyard showed strength in its risk management capabilities and strong product vision and strategy. The company explains that it has a tight focus on intelligence-led risk solutions, which leverage the legacy Methodware platform and other Wynyard portfolio products, including threat intelligence, investigation capabilities, digital forensics, and financial crime solutions, to create a hard-to-copy, multi-faceted solution. Wynyard went public in June 2013 and continues to expand its strong global customer base.

SAP leverages an enormous client base and product innovations to build its leadership. Focusing on the value of automation and cost reduction, SAP is particularly well-suited for GRC management and analytics requirements, offering strong risk quantification, continuous control monitoring, and risk and control management capabilities. SAP has continued to develop its GRC portfolio, primarily by integrating with business applications and aligning with other SAP technical initiatives, such as analytics, mobile support, and the SAP HANA database.
SAP's success can be seen in its very large and growing customer base, and the company expects to continue investing in the growth of its GRC business.

Modulo continues its transition into a tech vendor, impressing with innovative use cases. Modulo's vision, strategy, and execution show substantial ongoing investment as it continues to evolve from a services firm into more of a technology vendor. Although more than half of the company's revenue comes from services, it reported an outstanding 70% growth in its software business in 2013. And while the vast majority of its customers are headquartered in South America, the company is increasing its North America adoption with personnel investments and by extending its product to handle use cases well beyond its IT security roots. The solution has great GRC breadth and depth, offering strong integration capabilities and addressing vertical market needs through strategic consulting and business partners. Modulo also has some of the most diverse use cases in the market.

Thomson Reuters has strong capabilities and continues to invest in its portfolio. Thomson Reuters demonstrates its commitment to GRC with investments and acquisitions to strengthen
its portfolio of offerings. The product has a good depth of functionality across the board with especially strong audit management capabilities. While the integrations among its various acquired products are taking time and yielding only incremental benefits, Thomson Reuters is ultimately putting together an impressive set of product capabilities and services that will make it an important force in the GRC platform market.

CMO Compliance has a global presence and strong product strategy. CMO Compliance is focused on asset-intensive industries like oil and gas, energy, government, healthcare, and contractors, and its ability to target different industries is primarily based on its content partners and product flexibility. The company's offerings are tailored for regulatory compliance, enterprise risk management, environmental health and safety, quality management, and audit. Few competitors share the company's level of product vision and strategy or global presence. The company serves its target industries with more focus on environmental, health, and safety than most other vendors in this report, but still competes heavily with many of them.

Mega solves complex challenges by merging its GRC and enterprise architecture solutions. Mega's unique vision is to help customers achieve operational excellence with the combined capabilities of its enterprise architecture and GRC technologies. Mega has showcased its superb risk and control management, GRC management, and audit management capabilities. The company has shown ongoing product improvements and innovation, with a heavy focus on the financial services industry. Mega's ability to compete as a top vendor in the long term will depend largely on whether the market accepts the company's unique vision.

Agiliance has a heavy focus on IT risk management, with relevant IT security capabilities.
Agiliance primarily markets to IT security and IT risk management organizations, with its strongest capabilities being risk management, reporting and analytics, and integration. The company touts its key differentiators as offering quick time-to-value, scalability, and ability to connect its platform with other IT and security products. Agiliance is a frequent participant and winner in various industry award competitions; however, it seems to have fallen behind its closest competitors in product advancements and competition in large GRC deals. Still fairly small compared with most Leaders and other Strong Performers, Agiliance's future success will depend largely on how well its large IT partners leverage their relationship and how well its solutions live up to its claims of fast time-to-value.

LogicManager focuses on ERM, competing on price, ease, and flexibility. LogicManager is still a relatively small vendor, with a clear vision to address enterprise risk management and related functions from the top down and bottom up, as well as a goal to deliver solutions that are easy and fast to implement. LogicManager aims to make its GRC platform flexible enough so customers do not need to customize through professional services, except in rare instances. While not having the strongest offering across the board, third-party partnerships allow users to fulfill additional capabilities. LogicManager's competitive advantages are largely based on
its approach to ERM, its range of content partners, its comparatively lower price, and the professional services offered standard as part of the software license.

SAI Global extends to new verticals by leveraging more internal assets. SAI Global's GRC business has a legacy of strong performance targeting the healthcare and insurance industries, with specialized content and purpose-built solutions. The Compliance 360 platform has solid capabilities in content management and risk and control management, with growing proficiency across a variety of verticals. While SAI Global will continue to be a force in the general compliance market, the company's ability to continue competing in the GRC platform market depends on its ability to leverage partnerships with organizations like ErmsCo, to configure the product to address a wider range of industries and use cases, and to leverage more value from other SAI Global assets.

Protiviti, known for consulting, offers a product that competes on its own merit. Protiviti is most relevant in the GRC market because of the combination of its technical offerings and its breadth of consulting capabilities; however, the company's GRC platform is a worthy competitor in its own right. The company has shown ongoing improvement in product capabilities, vertical solutions, and content developed internally and with partners. Protiviti's ability to compete relies primarily on its ability to target implementations that suit its strengths in audit, policy and control management, and consulting expertise.

Resolver goes to market with a cohesive strategy on top of its merged GRC capabilities. Formed by the merger of BPS and Resolver in January 2010, Resolver brings together the former's strength in supporting GRC processes in financial services with the latter's pedigree in risk management implementations for utility and natural resource companies.
Somewhat smaller than many of its closer competitors, Resolver offers a unified solution with the flexibility to be configured to meet unique organizational needs. Resolver s strength is in its powerful workflow management and audit management capabilities. While having a broad vertical strategy, steady growth, and a focus on ease-of-use product offerings, Resolver will have to execute extremely well to maintain and grow its competitive position. Contenders SAS offers a state-of-the-art analytics engine, but governance and compliance fall short. One of the core differentiating capabilities of SAS GRC is its ability to measure and quantify risk, and the company primarily competes in deals that have a heavy emphasis on risk analytics or requirements to aggregate both financial and operational risk. The company is developing a noticeable presence in the GRC market despite still being a relatively new entrant, and there is a visible commitment to introducing additional products related to GRC. SAS will maintain competitive advantages in these deals but still needs work to compete for broad enterprise GRC deals.
The Network offers an impressive compliance solution, but little else. The Network is a new entrant into the GRC space, and its go-to-market strategy is to address compliance challenges relevant to a wide range of organizations, with flexibility to support industry-specific compliance initiatives when necessary. While lacking some key GRC platform components, The Network's core GRC capabilities focus on its full content management functionality and workflow management. The company will need to start building out more of its risk and analytics capabilities to contend as a comprehensive GRC solution, but in the meantime, it will still challenge GRC platform competitors in a large number of deals.
Supplemental Material
Online Resource
The online version of Figure 2 is an Excel-based vendor comparison tool that provides detailed product evaluations and customizable rankings.
Data Sources Used In This Forrester Wave
Forrester used a combination of four data sources to assess the strengths and weaknesses of each solution:
Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation criteria. Following the analysis of the completed vendor surveys, we compiled the results to supplement our analysis.
Product demos. We asked vendors to conduct demonstrations of their product's functionality. We used findings from these product demos to validate details of each vendor's product capabilities.
Product sandbox environments. We asked vendors to provide us with an environment where we could evaluate different aspects of the application ourselves. The vendors created user profiles with sample organizational data and made the environments available to us for a limited window of time as part of our evaluation process.
Customer reference calls. To validate product and vendor qualifications, Forrester also conducted reference surveys and calls with 3 of each vendor's current customers.
The Forrester Wave Methodology
We conduct primary research to develop a list of vendors that meet our criteria to be evaluated in this market. From that initial pool of vendors, we then narrow our final list. We choose these vendors based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have limited customer references and products that don't fit the scope of our evaluation.
After examining past research, user need assessments, and vendor and expert interviews, we develop the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria, we gather details of product qualifications through a combination of sandbox evaluations, questionnaires, demos, and/or discussions with client references. We send evaluations to the vendors for their review, and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies.
We set default weightings to reflect our analysis of the needs of large user companies and/or other scenarios as outlined in the Forrester Wave document and then score the vendors based on a clearly defined scale. These default weightings are intended only as a starting point, and we encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool. The final scores generate the graphical depiction of the market based on current offering, strategy, and market presence. Forrester intends to update vendor evaluations regularly as product capabilities and vendor strategies evolve. For more information on the methodology that every Forrester Wave follows, go to http://www.forrester.com/marketing/policies/forrester-wavemethodology.html.
Integrity Policy
All of Forrester's research, including Forrester Waves, is conducted according to our Integrity Policy. For more information, go to http://www.forrester.com/marketing/policies/integrity-policy.html.
Methodology
Forrester fielded its Q3 2013 Global Governance, Risk, And Compliance Platforms Forrester Wave Customer Reference Online Survey to 66 individuals who are current clients of the vendors included in our Forrester Wave evaluation. Each vendor was asked to supply a minimum of 3 customers. For quality assurance, panelists are required to provide contact information and answer basic questions about their firms' usage of the product, revenue, and budgets. Forrester fielded the survey from July 2013 to August 2013. Respondent incentives included a copy of the published research.
Endnotes
1 Source: Q3 2013 Global Governance, Risk, And Compliance Platforms Forrester Wave Customer Reference Online Survey.
2 First, change the Current Offering to 80% and Strategy to 20%. Then change the criteria weightings as follows: Content management (50%), Document management (34%), Content distribution and communication (33%), Employee input (33%), Risk and control management, and all subcriteria (0%), Workflow management (0%), GRC management and analytics (5%), Risk quantification and analysis (0%), Dashboard capabilities and reporting (100%), Audit management and all subcriteria (0%), GRC breadth and depth and all subcriteria (0%), Domain-specific support (25%), CSR and environmental risk management (20%), Corporate compliance management and training (80%), Technical functionality (20%), Integration capabilities (5%), Organizational context (5%), Collaboration and communication support (25%), End user experience (45%), Access management (0%), Language support (25%), Company vision and strategy (10%), Vertical strategy (30%), Sustainability of competitive advantages (70%), Product vision and strategy (20%), Implementation and maintenance costs (40%), Delivery models (20%), Product version support and custom code (40%), Support GRC roles (40%), Ability to support governance roles (20%), Ability to support risk management roles (0%), Ability to support compliance roles (80%).
3 First, change the Current Offering to 80% and Strategy to 20%. Then change the criteria weightings as follows: Content management (5%), Document management (80%), Content distribution and communication (20%), Employee input (0%), Risk and control management (), Risk and control mapping (65%), Risk and control measurement (10%), Manual assessment capabilities (5%), Control monitoring and enforcement (20%), Workflow management (5%), GRC management and analytics (), Risk quantification and analysis (30%), Dashboard capabilities and reporting (70%), Audit management (5%), Audit data integration (60%), Work paper management (35%), Audit resource and project management (5%), GRC breadth and depth (10%), Flexibility to address use cases (50%), Overall breadth and depth of GRC domain support (50%), Domain-specific support (25%), IT GRC (60%), Financial controls management (0%), Third-party risk management (40%), CSR and environmental risk management (0%), Corporate compliance management and training (0%), Technical functionality (20%), Integration capabilities (60%), Organizational context (10%), Collaboration and communication support (5%), End user experience (5%), Access management (0%), Language support (20%), Company vision and strategy (40%), Vertical strategy (30%), Sustainability of competitive advantages (70%), Product vision and strategy (20%), Implementation and maintenance costs (40%), Delivery models (20%), Product version support and custom code (40%), Support GRC roles (10%), Ability to support governance roles (30%), Ability to support risk management roles (35%), Ability to support compliance roles (35%).
4 First, change the Current Offering to 80% and Strategy to 20%. Then change the criteria weightings as follows: Content management (10%), Document management (40%), Content distribution and communication (40%), Employee input (20%), Risk and control management (10%), Risk and control mapping (30%), Risk and control measurement (30%), Manual assessment capabilities (30%), Control monitoring and enforcement (10%), Workflow management (10%), GRC management and analytics (10%), Risk quantification and analysis (50%), Dashboard capabilities and reporting (50%), Audit management (5%), Audit data integration (35%), Work paper management (35%), Audit resource and project management (30%), GRC breadth and depth (5%), Flexibility to address use cases (100%), Overall breadth and depth of GRC domain support (0%), Domain-specific support (30%), IT GRC (0%), Financial controls management (100%), Third-party risk management (0%), CSR and environmental risk management (0%), Corporate compliance management and training (0%), Technical functionality (20%), Integration capabilities (20%), Organizational context (30%), Collaboration and communication support (10%), End user experience (30%), Access management (0%), Language support (10%), Company vision and strategy (30%), Vertical strategy (0%), Sustainability of competitive advantages (100%), Product vision and strategy (25%), Implementation and maintenance costs (40%), Delivery models (20%), Product version support and custom code (40%), Support GRC roles (10%), Ability to support governance roles (30%), Ability to support risk management roles (35%), Ability to support compliance roles (35%).
5 Source: Q3 2013 Global Governance, Risk, And Compliance Platforms Forrester Wave Customer Reference Online Survey.