Market Overview: GRC Platforms
by Chris McClean
for Security & Risk Professionals

Forrester Research, November 9, 2010


© 2010, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com.


EXECUTIVE SUMMARY

Failure of corporations to comply with regulations and to manage risks puts customers, employees, communities, and shareholders at risk on a daily basis. Global backlash pressures risk and compliance professionals to improve the way their companies operate, and many turn to GRC technologies for support. The GRC platform vendor market, which stalled as Sarbanes-Oxley (SOX) compliance deals diminished, is seeing dramatic growth once again, from a $635 million global market in 2009 to a nearly $749 million market in 2010. To sustain growth and see longer-term success, GRC technology vendors must give executives more value with risk and compliance content and analytics while integrating more closely with IT infrastructure to take advantage of existing data and applications. Ultimately, GRC efforts must focus on process improvement, loss mitigation, and strategic decision support rather than reacting to short-term regulatory pressures and risk concerns.

TABLE OF CONTENTS

GRC Is First And Foremost A Framework For Improving Oversight And Efficiency

The GRC Vendor Landscape Continues Its Search For Clarity

The Landscape Of Vendors That Will Address GRC Needs Remains Vast

The Diversity In The GRC Market Is Due To Varying Customer Requirements

The GRC Market Is Poised For Another Major Boost

GRC Will Expand Vertically To The Top And Bottom Of The Organization

Detailed Consideration Of Top Vendors Is Necessary

WHAT IT MEANS

The GRC Platform Market Relies Too Heavily On Short-Term Trends

NOTES & RESOURCES

Forrester interviewed 32 GRC vendors and 26 GRC customer references in addition to the information gained through ongoing GRC industry research, inquiries, and consulting engagements.

Related Research Documents

“Caveat Emptor: The Best And Worst GRC Platform Customer Experiences,” October 26, 2009

“The Forrester Wave™: Enterprise Governance, Risk, and Compliance Platforms, Q3 2009,” July 1, 2009

“The GRC Technology Puzzle: Getting All The Pieces To Fit,” February 3, 2009

Market Overview: GRC Platforms
An Overwhelmingly Diverse Market Struggles For Definition, While Few Leaders Emerge
by Chris McClean, with Jonathan Penn, Khalid Kark, Alissa Dill, and Lindsey Coit


GRC IS FIRST AND FOREMOST A FRAMEWORK FOR IMPROVING OVERSIGHT AND EFFICIENCY

Corporate governance, risk management, and compliance management are internal functions set up to control the way in which an organization operates. The phrase “governance, risk, and compliance” (GRC) refers to the framework by which these three functions share information and processes in order to gain efficiency, improve oversight, and support improved performance within a set of established boundaries.

While all GRC initiatives are different, most include efforts to catalog relevant risks and compliance requirements and the controls associated with them. GRC initiatives also include the processes established to assess risks and controls, track noncompliance, remediate deficiencies, and report on performance.

GRC is most often narrowly associated with the management of financial and IT controls; however, the framework described here may take many forms. Companies have taken a GRC approach to better manage risks and compliance requirements related to their environmental practices, manufacturing processes, supply chain partners, HR policies, health and safety controls, or a combination of all of these. Broad initiatives such as enterprise risk management and corporate compliance management are becoming more common starting points for GRC efforts as well. The more complicated the program, the more likely it is to need GRC software to support it.

THE GRC VENDOR LANDSCAPE CONTINUES ITS SEARCH FOR CLARITY

With so many vendors bearing so little resemblance to each other, the market for GRC software defies logic. Vendors from diverse backgrounds began coming head-to-head with each other to compete for lucrative Sarbanes-Oxley compliance deals eight years ago, but as that market tapered off, the vendors have started to diverge once again. Of the roughly 20 most competitive GRC vendors, the specialized nature of their core competencies means that each vendor has only three to four primary competitors that it comes up against on a regular basis.1

All GRC Platform Products Offer The Same Fundamental Capabilities

Overly creative marketing professionals have stamped the GRC label on a wide range of product types, making it difficult to compile the shortlist of vendors for RFPs, let alone make fair comparisons among them. While it’s reasonable to expect differences from one company to the next, the technology vendors that Forrester classifies as GRC platform providers all have at least:

· A relational database, for cataloging and mapping GRC data. This is critical for understanding the relationships between risks, controls, requirements, processes, and other similar data and having the ability to aggregate, correlate, and analyze this data quickly and efficiently.


· Process management, for coordinating GRC efforts. GRC requires participation from individuals who review and contribute to functions such as risk and control assessments, audits, policy development, policy review, attestations, incident response, remediation, and reporting. GRC platforms enable users to establish workflow rules, email alerts, and escalations to make sure processes are carried out consistently.

· Content management, for tracking and managing information relevant to GRC. Policies, control test evidence, audit findings, incident reports, and other information must be well managed. More sophisticated GRC programs will make use of advanced capabilities such as change controls, access controls, and audit logs as well.

· Business intelligence, for synthesizing the information into a coherent picture. Pulling data from the relational database and content systems — and in many cases other sources of information — enables risk and compliance professionals, executives, and frontline business staff to understand the status of the GRC efforts and the potential implications of their decisions. GRC tools are unique in that these business intelligence capabilities include complex risk analytics and specialized reporting functions specifically designed for compliance.
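To make the first of these capabilities concrete, the following Python/SQLite sketch is an added example (not code from the report or from any vendor it names). It models requirements, risks, and controls as separate catalogs joined by many-to-many mapping tables, records control test results, and runs the coverage queries a platform's reporting layer would: requirements with no control mapped, requirements whose mapped controls last failed testing, and the open risk exposure those failures leave. All table names, identifiers, and sample rows are constructed for illustration.

```python
"""Added example: a minimal relational GRC data model in SQLite.

Not code from the Forrester report or any vendor product; table names,
identifiers and sample rows are constructed for illustration.
"""
import sqlite3

# Requirements, risks and controls are separate catalogs; the two mapping
# tables carry the many-to-many relationships between them.
SCHEMA = """
CREATE TABLE requirement (id TEXT PRIMARY KEY, source TEXT, text TEXT);
CREATE TABLE risk        (id TEXT PRIMARY KEY, name TEXT, rating INTEGER);
CREATE TABLE control     (id TEXT PRIMARY KEY, name TEXT, owner TEXT);
CREATE TABLE req_control (req_id TEXT REFERENCES requirement(id),
                          control_id TEXT REFERENCES control(id),
                          PRIMARY KEY (req_id, control_id));
CREATE TABLE risk_control (risk_id TEXT REFERENCES risk(id),
                           control_id TEXT REFERENCES control(id),
                           PRIMARY KEY (risk_id, control_id));
CREATE TABLE control_test (control_id TEXT REFERENCES control(id),
                           tested_on TEXT,   -- ISO date, so MAX() yields the latest test
                           result TEXT CHECK (result IN ('pass', 'fail')));
-- Latest test result per control; the reporting queries join against this view.
CREATE VIEW latest_test AS
  SELECT t.control_id, t.result
  FROM control_test t
  WHERE t.tested_on = (SELECT MAX(tested_on) FROM control_test
                       WHERE control_id = t.control_id);
"""

# Constructed sample data (hypothetical requirements, risks and controls).
SAMPLE = {
    "requirement": [
        ("REQ-1", "Card data standard (hypothetical)", "Restrict access to cardholder data"),
        ("REQ-2", "Financial controls regulation (hypothetical)", "Segregate duties in payment approval"),
        ("REQ-3", "Internal policy", "Encrypt backup media"),
    ],
    "risk": [("RSK-1", "Unauthorized data access", 4),
             ("RSK-2", "Fraudulent payment", 5),
             ("RSK-3", "Loss of backup media", 2)],
    "control": [("CTL-1", "Quarterly access review", "IT security"),
                ("CTL-2", "Dual approval for payments", "Finance"),
                ("CTL-3", "Backup encryption", "IT operations")],
    "req_control": [("REQ-1", "CTL-1"), ("REQ-2", "CTL-2")],   # REQ-3 has no control mapped
    "risk_control": [("RSK-1", "CTL-1"), ("RSK-2", "CTL-2"), ("RSK-3", "CTL-3")],
    "control_test": [("CTL-1", "2010-06-30", "fail"), ("CTL-1", "2010-09-30", "pass"),
                     ("CTL-2", "2010-09-30", "fail"),
                     ("CTL-3", "2010-09-30", "pass")],
}


def build_db() -> sqlite3.Connection:
    """Create the in-memory catalog and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return conn


def unmapped_requirements(conn) -> list:
    """Requirements with no control mapped at all (a pure cataloging gap)."""
    rows = conn.execute("""
        SELECT r.id FROM requirement r
        LEFT JOIN req_control rc ON rc.req_id = r.id
        WHERE rc.control_id IS NULL
        ORDER BY r.id""")
    return [r[0] for r in rows]


def requirements_not_covered(conn) -> list:
    """Requirements lacking any mapped control whose latest test passed.

    Catches both unmapped requirements and those whose only controls are
    currently failing, which is what a compliance dashboard must surface."""
    rows = conn.execute("""
        SELECT r.id FROM requirement r
        WHERE NOT EXISTS (
            SELECT 1 FROM req_control rc
            JOIN latest_test lt ON lt.control_id = rc.control_id
            WHERE rc.req_id = r.id AND lt.result = 'pass')
        ORDER BY r.id""")
    return [r[0] for r in rows]


def open_risk_exposure(conn) -> int:
    """Sum of ratings for risks with no passing control: the kind of aggregate
    that risk analytics roll up for executives."""
    (total,) = conn.execute("""
        SELECT COALESCE(SUM(k.rating), 0) FROM risk k
        WHERE NOT EXISTS (
            SELECT 1 FROM risk_control rc
            JOIN latest_test lt ON lt.control_id = rc.control_id
            WHERE rc.risk_id = k.id AND lt.result = 'pass')""").fetchone()
    return total


if __name__ == "__main__":
    db = build_db()
    print("unmapped requirements:", unmapped_requirements(db))
    print("requirements without a passing control:", requirements_not_covered(db))
    print("open risk exposure:", open_risk_exposure(db))
```

The point of the mapping tables is that a single control (CTL-1 above) can satisfy several requirements and mitigate several risks, and a single failed test then propagates to every requirement and risk that depends on it; the `latest_test` view is what keeps stale passing results from masking a current failure.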

GRC Platforms Are The Centerpiece Of A Complex Ecosystem

Coordinating the content, processes, and reporting is the job of GRC platforms, but the content and processes themselves may flow through a large number of other systems, including those supporting financial, human resources, information security, and vendor management functions. Seeing the difficulty customers have keeping up with risk and compliance requirements, vendors in these related market segments are extending their capabilities to offer more support for GRC.2 This means that:

· IT control vendors are strengthening capabilities to synthesize risk and compliance data. McAfee Risk and Compliance Manager, Symantec Control Compliance Suite, and BMC IT Controls Management are a few examples of products evolving strong capabilities to aggregate existing data in support of risk and compliance initiatives. Meanwhile, EMC’s RSA security division acquired GRC vendor Archer Technologies in early 2010 to help its customers coordinate risk and compliance efforts.

· Business control vendors are branching out beyond access and configuration controls. Oracle and SAP have both expanded their GRC suites to offer broad risk and compliance management functionality beyond their core focus on access controls management. Meanwhile, continuous controls monitoring (CCM) vendor Approva has developed additional capabilities to help customers enforce change controls and configuration controls, and GRC platform vendor BWise introduced its own CCM capabilities in 2009.


· Regulatory information providers are acquiring technology vendors to extend their offerings. Thomson Reuters announced a new GRC business unit in September 2010 that includes Paisley, Westlaw Business, and newly acquired Complinet. Months earlier, Wolters Kluwer unveiled its new ARC Logics brand, consisting of acquired technologies from Sword for operational risk management, AXENTIS for compliance management and broad GRC, and TeamMate for audit management. To this group, ARC Logics will add a financial risk management offering gained by acquiring FRSGlobal. Also notable in this space are the several GRC platform vendor partnerships with LexisNexis as well as a string of acquisitions made by risk and compliance publisher SAI Global.

· Whistleblower vendors are extending well beyond event notification. EthicsPoint and The Network, known for helping customers identify and manage ethical violations and other risk events, now offer more comprehensive GRC capabilities, such as policy management, case management, and advanced reporting and analytics.

· Business intelligence vendors are linking risk and compliance to performance. While still in early stages of integration and adoption, several large technology firms are advancing risk and compliance analytics into the realm of corporate performance. SAP moved early by connecting its GRC suite with its BusinessObjects reporting tools. Other announcements include SAS’s official entry into the GRC market in June 2010, IBM’s September 2010 acquisition of OpenPages into its analytics business, and Oracle’s efforts to improve business intelligence and collaboration capabilities across applications through its GRC Intelligence and Fusion Applications.

THE LANDSCAPE OF VENDORS THAT WILL ADDRESS GRC NEEDS REMAINS VAST

Notwithstanding the relevant technology vendors that are delivering stronger GRC capabilities, the market of vendors with a comprehensive set of core GRC capabilities is itself extremely broad and diverse. Those looking for a GRC solution benefit from this diversity and a high degree of vendor specialization. However, the dominance held by small, independent vendors has also kept investments in GRC research and development dispersed and economies of scale to a minimum.

Continued Consolidation Is Moving The GRC Market Forward . . .

Vendor acquisitions made SAP and Oracle the first large vendors to target the GRC market, although their previously limited focus on access and configuration controls automation kept them from competing head-to-head against the more flexible documentation- and workflow-focused pure-play vendors until recently. The next round of major acquisitions, led by Thomson Reuters and Wolters Kluwer — and to a lesser extent, SAI Global — promised to ultimately bring regulatory intelligence into GRC dashboards.3 More recently, the acquisitions of Archer by EMC and OpenPages by IBM give GRC a stronger potential role within IT infrastructure. It’s interesting to note, however, that EMC’s initial priority for Archer is integration with its RSA security products, while IBM’s focal point for the OpenPages platform will be strengthening its analytics business.

Given the number of small, independent vendors still competing — profitably — for GRC implementation within the world’s top enterprises, further consolidation is a virtual certainty. Potential acquirers will be other tech industry giants like Oracle, SAP, HP, and Cisco, or other content providers, such as LexisNexis.

. . . But The Current Group Of GRC Platform Vendors Is Still Very Broad

A set of top competitors is starting to distance itself from the pack in the GRC market. These vendors are most likely to show up on buyer shortlists, most often named as competitors by other GRC vendors, and most frequently asked about by Forrester customers. But other, more specialized vendors often offer the most appropriate solutions for customers. Because there are so many legitimate ways to approach GRC, vendors can rightly claim to be focused on delivering capabilities across a very broad set of domains (see Figure 1). Being focused on specific domains within GRC does not necessarily mean a vendor has leading capabilities in that area, however, so further product analysis is essential.


Figure 1 GRC Vendor Focus Areas

Source: Forrester Research, Inc.

[Figure: a matrix rating each vendor's focus on each GRC domain on a five-level scale: no focus, relevant domain, some focus, substantial focus, core focus. The per-cell ratings did not survive extraction; only the row and column labels are recoverable.]

Vendors (rows): Methodware, BWise, Cura Software, MEGA, ARC Logics, Archer, MetricStream, Modulo, Agiliance, Enablon, Information Governance, Aline, BPS Resolver, Brinqa, CMO COMPLIANCE, Compliance 360, Mitratech, Protiviti, Thomson Reuters, OpenPages, Oracle, QUMAS, SAP, SAS, Pilgrim Software, Software AG, Strategic Thought, TruArx, Trintech, Neohapsis, RMSS, Rsam

Domains (columns): Financial controls mgmt.; IT risk and compliance; Operational risk (beyond IT and financial); Environmental risk and compliance; Business continuity; Vendor risk/compliance; Employee health/safety; Quality mgmt./product compliance; Corporate social responsibility; Audit mgmt. (IT and/or financial); Audit mgmt. (other); Financial risk mgmt. (credit risk, market risk, etc.)

THE DIVERSITY IN THE GRC MARKET IS DUE TO VARYING CUSTOMER REQUIREMENTS

GRC vendors have demonstrated that they have the capabilities and drive to meet complex and sophisticated enterprise demands, but it has not been easy. As technologies become more mature, the programs they are being asked to support are becoming more mature as well. In detailed interviews with 26 GRC platform customers, Forrester found that:

· Customers seek flexibility, ease of use, good reporting, and vendor relationships. When asked to list the best and worst aspects of the GRC vendor they chose, customers focused on the same four aspects in both categories.

· Customers achieve coordination across many organizational functions. Top GRC vendors can point to many successful, horizontally broad customer implementations in terms of number of users and functions supported.

· Success metrics include efficiency, risk reduction, and strategic support. GRC customers that are measuring the success of their programs use metrics that fall into one of these three categories (see Figure 2).

Figure 2 Customer Interview Highlights

Source: Forrester Research, Inc.

GRC vendor feedback

Most frequent praises:
1. Easy to use
2. Good vendor relationship
3. Product flexibility
4. Good reporting

Most frequent complaints:
1. Issues with reports
2. Poor usability
3. Poor product flexibility
4. Insufficient vendor relationship/expertise

Implementation examples

Financial services: GRC platform supporting 1,500 users handling financial, IT, and credit risk controls, operational risk, audit, and many areas of corporate compliance

Pharmaceutical: Supporting tens of thousands of employees and business partners in compliance training, incident management, financial controls, and risk reporting

Retail: Managing financial controls, operational risk, fraud prevention, and audit

Common success metrics

Greater efficiency: Reduced audit time, reduced reporting time, fewer controls, consolidation of many applications, and greater employee productivity

Risk reduction: Decrease in regulatory fines, reduction in risk exposure, reduction of losses, and faster remediation processes

Strategic support: Breadth of GRC reach, reduction in unexpected loss events, frequency with which risk data is used in strategic planning, and increased corporate or functional performance metrics

THE GRC MARKET IS POISED FOR ANOTHER MAJOR BOOST

Forrester estimates that vendor market penetration has reached approximately 30% of the total number of enterprises and government organizations that represent the potential market for GRC platform technologies worldwide. However, this is just part of the equation. None of the organizations currently using a GRC platform have explored the full extent of its capabilities by rolling it out to all relevant risk and compliance domains. Full saturation in any one organization — let alone an entire market — will never happen, but there is still vast growth potential ahead.

Forrester estimates that the 2009 GRC platform vendor market was $635 million after three years of diminished growth. However, based on buying indicators and vendor projections, the market will reach approximately $749 million in 2010. By 2015, market penetration will increase to just over 50% of the addressable organizations, with total GRC platform revenue reaching nearly $1.4 billion (see Figure 3).

Figure 3 GRC Platform Vendors Revenue Projections

Source: Forrester Research, Inc.
Base: 32 vendors

Revenue (US$ millions; numbers have been rounded)

Historical:
2006: $537
2007: $585
2008: $606
2009: $635
2010: $749

Projected:
2011: $899
2012: $1,052
2013: $1,178
2014: $1,296
2015: $1,399

Note: Vendors considered relevant for this market sizing are only those that market a GRC platform product specifically designed and deployed to manage GRC programs using the fundamental capabilities of a relational database, process management, content management, and business intelligence.


Growth Will Primarily Depend On Three Factors

In 2008, the global financial collapse took its toll on the GRC vendor market, but it will also play a significant role in its impending growth. The projected growth in 2010 to 2012 is in large part due to the massive financial and healthcare reforms passed by the US legislature in 2010. Similar changes occurring around the world will have similar effects, with Europe showing leadership with regulations such as Solvency II and Basel III. At the same time, newly focused attention on formal risk management practices across nearly all aspects of business also increases the need for technology solutions.

Continued GRC market growth will depend on three factors:

· Continued evolution in regulatory and industry compliance requirements. Governments around the world are not just introducing new regulations but are also reforming entire industries. The regulatory and process implications of these changes will take years to solidify, and as they do, those responsible for GRC initiatives will turn first to consulting partners, then to software vendors to help them implement the necessary changes. Third-party and industry standard requirements will be important factors as well.

· Increased penetration of GRC to reach into other business functions. Forrester found that 53% of IT security and risk decision-makers are either interested in or have specific plans for implementing solutions for IT GRC, with an additional 4% saying they currently have a GRC tool in-house and are planning to expand their implementation (see Figure 4). If GRC vendors find similar interest within HR, vendor management, health and safety, or other domains, the forecasted growth rates could be much higher.

· Tighter integration of GRC into business applications. We have all seen examples of applications that have caught us making mistakes while we work, and vendors will continue to look for ways to embed such controls into applications for risk and compliance purposes. In a similar way that the price of security features on your laptop (or car) is built into the list price, embedded GRC controls, analysis, and reporting may eventually push some factor of GRC spending into business applications and devices.


Figure 4 IT GRC Adoption

Source: Forrester Research, Inc.
Base: 1,049 North American and European security decision-makers
Source: Forrsights Security Survey, Q3 2010

“Which of the following best describes your firm’s plans to adopt governance, risk, and compliance (GRC) management technologies, such as those sold by Agiliance and Archer?”

Not interested: 27%
Interested but no plans: 39%
Planning to implement in a year or more: 7%
Planning to implement in the next 12 months: 7%
Implemented, not expanding: 5%
Expanding/upgrading implementation: 4%
Don’t know: 11%

Growth In SaaS Deliveries And Global Expansion Will Be Nominal Over The Next Three Years

As the GRC landscape evolved over the past five years, speculation arose that as a percentage of the total GRC market, software-as-a-service (SaaS) licensing will grow substantially and that global markets will recognize their enormous growth potential. Both of these predictions will be true, but the time frame will be much longer than many had expected. SaaS has grown modestly, to roughly 23% of the market, and overseas markets (beyond North America and Europe) have reached just 20% of overall GRC platform spending (see Figure 5). However, there are no strong indications that either of these numbers will see a dramatic rise over the next three years.

Figure 5 GRC Revenue Distribution

Source: Forrester Research, Inc.

Revenue distribution by geography: US 55%; Europe 24%; Asia Pacific 6%; EMEA 4%; Other 11%

Revenue distribution by delivery model: On-premises 68%; SaaS 23%; Hosted 10%

GRC WILL EXPAND VERTICALLY TO THE TOP AND BOTTOM OF THE ORGANIZATION

Acquisitions, research and development, and more sophisticated implementations are currently pulling GRC technologies in two different directions.

GRC Will Reach Upward To Deliver Value At The Board And Executive Levels

This expansion means that:

· More advanced analytics will support risk-intelligent decisions. Sophisticated organizations will look for GRC technologies that can support scenario modeling, performance management, and predictive analytics to help them make better strategic decisions.

· More risk and compliance content will put efforts in their proper context. The number of regulations, standards, guidance resources, control procedures, and other sources of risk and compliance content is staggering. Vendors that can help customers make sure they are aware of their dynamic risk and compliance environment will have a distinct market advantage.

GRC Will Reach Downward To Connect With Applications, Data, And Infrastructure

This expansion means that:

· Deeper integration will take advantage of investments in information technology. Mature risk and compliance programs will be much more efficient if they can make use of existing data, processes, and applications. GRC vendors are working hard to build these integration points with financial, HR, vendor management, information security, and other applications, and will continue to do so to strengthen their value proposition.

· Automated controls will provide more safeguards against accidental or purposeful violations. While many aspects of compliance will always rely on people understanding their responsibilities and acting accordingly, a large number of currently manual risk and compliance controls will eventually be automated in the same way that certain access, antifraud, and security controls are automated today.

DETAILED CONSIDERATION OF TOP VENDORS IS NECESSARY

The vendor segmentation described earlier in this report will help distinguish the general focus areas of relevant GRC vendors. Most of these vendors, however, have distinctive approaches to GRC, and more detailed evaluation will be necessary:

· Agiliance is a leader in the IT GRC market. The company has a strong market presence in financial services, public sector, healthcare, and high-tech industries, primarily in the US. Marketing a mixture of on-premises and software-as-a-service delivery options, Agiliance highlights its integration capabilities and easy implementation as key advantages of the product.


· Aline is a SaaS GRC vendor with a focus on performance management. Aline built its GRC framework to incorporate elements of corporate performance management as well as risk and compliance. The company’s top verticals are banking, insurance, and life sciences, but as a relative newcomer targeting midmarket enterprises, Aline does not always compete directly with other GRC companies.

· ARC Logics brings together technologies covering several disparate elements of GRC. Built from AXENTIS, TeamMate, Sword, and now FRSGlobal, ARC Logics’ core marketing focus and largest install base is the financial services sector, with reach into other verticals, including life sciences and government, as well. As part of Wolters Kluwer, ARC Logics also has substantial regulatory content and expertise to offer its customers, and integration between its various products will produce a formidable GRC competitor.

· BPS Resolver combines two GRC companies known for their process and risk capabilities. Formed by the merger of BPS and Resolver in January 2010, this company brings together the former’s strength in supporting GRC processes in financial services with the latter’s pedigree in risk management implementations for utility and natural resource companies. Based in Toronto, BPS Resolver has strong presence in the US and Canada, with a smaller customer base in Europe as well.

· Brinqa is a recent newcomer, focusing on IT control test automation. One of the more recent competitors in the GRC landscape, Brinqa focuses on helping customers reduce manual control test efforts. Although the vendor’s market penetration is still relatively small, its biggest market is financial services, and a majority of its customers have chosen its SaaS delivery model.

· BWise is a top GRC vendor with strengths in all aspects of governance, risk, and compliance. Boasting one of the largest customer bases of any pure-play GRC vendor, BWise is especially strong in Europe but has reach into US and other global markets as well. The company highlights differentiators such as business process modeling (BPM) and continuous control monitoring capabilities as well as comprehensive functionality to meet the broad needs of governance, risk, and compliance professionals.

· CMO COMPLIANCE targets a variety of GRC needs with a focus on process performance. CMO COMPLIANCE counts quality management, health and safety, and environmental risk and compliance as core areas of focus. The company’s top verticals include the food industry, property management, and financial services, but as a relative newcomer to the GRC space, its market presence is not as substantial as top competitors’ in the space.

· Compliance 360 delivers SaaS-based GRC with a focus on convergence. Compliance 360’s market penetration is strongest in healthcare, with insurance and financial services top targets as well. As a key selling proposition, the company highlights its ability to facilitate coordination between key functions such as compliance, risk management, and audit, and it was one of the first vendors to partner with regulatory content providers.

· Cura Software Solutions offers broad GRC capabilities and risk expertise. Cura reports a solid percentage of customers in the US, Middle East/Africa, and Asia Pacific as well as a presence in Europe and South America. The company highlights its product flexibility and risk expertise as differentiators, and customer feedback supports these claims.

· EMC/RSA’s Archer used strength in IT GRC to fuel strong growth across all GRC domains. A leading IT GRC vendor that helped define that market, Archer used its strong customer base and flexible platform to move into a wide range of enterprise GRC domains as well. Acquired by EMC’s RSA security division in January 2010, the RSA Archer platform now has the potential to become even more closely aligned with IT security and infrastructure technologies.

· Enablon brings elements such as sustainability and environmental management to GRC. Enablon is a primarily on-premises GRC vendor with some examples of hosted and SaaS-based deployments. With a heavy focus on financial services, manufacturing, and retail, the company merges capabilities for environmental management and reporting into more traditional GRC domains like financial controls management.

· Information Governance is an emerging vendor in the IT GRC market. One of the smaller competitors in GRC, Information Governance highlights easy deployments and support of IT compliance and standards frameworks as the value propositions of its Proteus Enterprise product. With a mix of on-premises and hosted implementations, the company’s customer base is primarily in Europe, but its presence is growing in other regions as well.

· MEGA’s history as a top BPM vendor enhances its GRC position. MEGA is ranked among top vendors for its business process management capabilities, which have the potential to add substantial value to customers’ GRC implementations.4 Financial services and manufacturing firms are top targets for MEGA, which also boasts strong consulting capabilities.

· Methodware is a risk specialist with a strong global presence. Methodware has a long history of delivering risk management solutions and now offers more complete GRC capabilities to a huge customer base across Asia Pacific, Europe, the US, and the rest of the Americas.

· MetricStream offers a highly configurable platform with a focus on content. With a background in quality management, MetricStream has developed into a top GRC competitor with a flexible platform and broad capabilities. The company offers industry guidance and regulatory content through its ComplianceOnline portal and other authoritative sources, and its largest target markets are life sciences and health, financial services, and energy and utilities.


· Mitratech delivers GRC with a sound legal perspective. Mitratech targets the US market and counts insurance, finance, and government as its top industries. Its key differentiator is helping customers incorporate legal and case management as critical elements of a strong GRC program.

· Modulo has turned its extensive security consulting business into a solid GRC competitor. Building on deep information security consulting expertise and a heavy market presence in South America, Modulo is expanding its US and European market presence with a competitive IT GRC product that offers capabilities extending into enterprise GRC domains as well. The company’s target industries are diverse, with the top three being financial services, government, and telecommunications.

· Neohapsis has rebuilt a legacy GRC product gained through acquisition. Well-known for its information security expertise, Neohapsis acquired Certus in April 2008 and has rebuilt it to compete against top vendors for large, sophisticated GRC implementations. Neohapsis is primarily focused on the US market, with a diverse industry distribution including manufacturing, insurance, and technology customers.

· OpenPages is a top GRC vendor now part of IBM’s analytics business. OpenPages continues to be one of the leading GRC competitors, with a strong market presence in the banking, insurance, and energy industries, among others. The company’s customers mainly reside in the US and Europe, but with access to IBM sales, marketing, and support resources, it has the potential to quickly multiply the smaller customer base it has in other geographies.

· Oracle adds GRC capabilities to its massive customer base and existing applications portfolio. Getting into the GRC space through acquisitions, Oracle has built more complete capabilities to integrate GRC processes across different roles and functions as well. A frequent competitor because of its large market presence, one of Oracle’s most distinct advantages is the combination of automated controls with its GRC management capabilities.

· Pilgrim Software targets risk and compliance deals with a quality management slant. One of many quality management vendors that more recently moved into the GRC space, Pilgrim has a strong market focus in the life sciences industry and smaller presence in manufacturing and consumer goods as well. The majority of Pilgrim’s customers have on-premises implementations, but the company also reports growing interest in its SaaS delivery model.

· Protiviti carries its brand of risk consulting expertise into the GRC platform market. As a global consulting firm, Protiviti is well-known for its knowledge of risk, audit, compliance, and other relevant domains. The company’s GRC platform business has a broad global presence that is strongest in the US, Europe, and Asia Pacific, and key verticals include consumer goods, industrial products, and financial services.


· QUMAS is a compliance management specialist with a broad GRC partner strategy. Offering sophisticated capabilities to manage documents, policies, and process changes, QUMAS’s strengths include compliance and quality implementations. With a majority of its customers in the US or Europe, QUMAS works closely with partners such as Thomson Reuters and LexisNexis as key elements of its channel strategy.

· RMSS is a risk management specialist in the Asia Pacific region. The vast majority of RMSS customers reside in Asia Pacific, and its strongest industries are manufacturing, utilities, and transportation. It has a relatively even mix of on-premises, hosted, and SaaS customer deployments.

· Rsam is a top IT GRC vendor, focused on flexibility and ease of implementation. Rsam markets a highly configurable platform, with content and best practices workflow built especially for IT GRC implementations. Most of Rsam’s customers are US-based, with some UK presence as well, and the company targets a diverse set of verticals including healthcare, financial services, and government.

· SAP offers a broad set of applications as part of its BusinessObjects portfolio. The SAP BusinessObjects GRC Suite includes its Access Control, Global Trade Services, Process Control, and Risk Management products. Its success in the GRC space to date has largely been the result of its automated controls capabilities, but its GRC management capabilities and link to BusinessObjects’ analytical tools are important selling points as well.

· SAS is a new GRC competitor with a wealth of risk and analytical capabilities. SAS is one of the most recent additions to the GRC vendor landscape, but it has a head start delivering sophisticated risk management solutions to customers in the US, Europe, and elsewhere around the world. The financial services industry represents a majority of the company’s customers, and its key differentiators include data integration, controls automation, and performance management capabilities.

· Software AG offers integrated GRC capabilities built on its leading BPM products. With the ARIS technology it gained in its acquisition of IDS Scheer in July 2009, Software AG offers customers a process-centric approach to managing their risk and compliance programs. An up-and-coming competitor in the GRC space, the company highlights its consulting expertise and product flexibility as differentiators.

· Strategic Thought targets GRC deployments requiring sophisticated risk capabilities. Strategic Thought has an impressive pedigree in various domains of risk management and extensive capabilities related to risk quantification, calculations, and scenario analysis. The company primarily markets to aerospace/defense, manufacturing, and other industrial verticals.


· Thomson Reuters is a top GRC competitor with regulatory expertise and information. Thomson Reuters’ new GRC business unit combines Paisley’s leading audit and GRC products with the regulatory research capabilities of Westlaw Business, Westlaw Compliance, and the recently acquired Complinet. Customers come from a wide range of industries, including banking, insurance, and manufacturing, and they have chosen from both on-premises and SaaS delivery options.

· Trintech offers GRC capabilities closely tied with its financial process products. Trintech primarily targets finance professionals with a range of financial process product offerings, and it has expanded on the GRC capabilities it gained when it acquired Movaris in early 2008. Some of the company’s most important verticals are retail, financial services, and manufacturing, and its geographic presence is primarily in the US with some customers abroad as well.

· TruArx is a SaaS vendor heavily focused on the IT GRC market. TruArx has a large customer base, all of which is located in North America. It markets itself as an easily implemented and lower-cost alternative to competitors, and retail customers represent the largest percentage of its customer base.

WHAT IT MEANS

THE GRC PLATFORM MARKET RELIES TOO HEAVILY ON SHORT-TERM TRENDS

Flexibility is a blessing and a curse for the GRC technology vendors. The agility that allows them to mold to customers’ internal structures and processes also has them perpetually looking for the next wave of regulatory activity or risk concerns. Most have evolved well beyond the ambulance-chasing mentality, but it’s still often a lingering part of their DNA.

For GRC to succeed over the long term and avoid the sharp ups and downs experienced over the past eight years, GRC vendors must continue to build the value proposition of their products — process improvements, loss mitigation, and strategic decision-support. This will help solidify the business case for GRC platforms, but more importantly, it will help companies see incremental value during what may be a long, difficult change management process. Ultimately, GRC is a way for organizations to make sure that when they strive for maximum performance, they do so within established risk and compliance boundaries. GRC platforms must be the aggregator of risk and compliance data from across the business and the analytical tool that turns that data into smarter decision-making at all levels of the business.

ENDNOTES

1 The enterprise governance, risk, and compliance (GRC) market is still relatively young, populated primarily by small but solid pure-play vendors. Growing corporate concerns have raised market expectations, however, bringing new competition from startups as well as industry giants into an already-crowded space. Forrester evaluated 14 enterprise GRC platform vendors using 80 criteria. BWise, OpenPages, and Thomson Reuters earned the highest scores overall due to their comprehensive capabilities and strong market strategies. MetricStream and AXENTIS made impressive showings in the Leader category as well. The Strong Performers included Archer Technologies, Cura Software Solutions, and Strategic Thought Group near the top, followed by Protiviti, MEGA, and Methodware. Meanwhile, SAI Global, SAP, and Trintech finished as GRC Contenders. See the July 1, 2009, “The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 2009” report.

2 At a time when the global business community struggles to enhance internal controls and maintain long-term viability, improvements in governance, risk, and compliance (GRC) programs can be well worth the investment. Technology plays an integral role in the success of such programs by providing much-needed consistency, efficiency, and insight. But as software vendors target the growing GRC market, it becomes increasingly difficult to distinguish what they offer. Forrester’s GRC Technology Ecosystem provides a foundation for identifying how various GRC technologies fit into existing programs and the important roles they can play. See the February 3, 2009, “The GRC Technology Puzzle: Getting All The Pieces To Fit” report.

3 In the cyclical nature of increasing and decreasing industry regulations, we are clearly on an upswing. Regulators that have faced public scorn for lax oversight are reacting with newfound aggression, and most businesses will struggle to keep up in the near term. This distinct challenge has earned attention from service, content, and product vendors, all of whom are positioning themselves to be the resource of choice for regulatory intelligence. Although the market is complicated right now, the current evolution and progress will ultimately provide greater value to compliance professionals in the form of integrated product capabilities and more advanced analysis of regulatory impact and implementation best practices. See the August 19, 2010, “The Regulatory Intelligence Battlefield Heats Up” report.

4 In this second release of Forrester’s assessment of enterprise architecture and business process analysis (BPA) tools, Forrester assessed nine leading vendors in a 93-criteria evaluation. We found that IDS Scheer, Casewise, MEGA, Metastorm, and Troux Technologies lead the pack for general EA tool usage. For the more specific IT planning usage category, these Leaders are joined by the most powerful vendor in this specific category: alfabet. The Leaders are followed by IBM, a Strong Performer in all three categories; iGrafx, a Strong Performer in the business process analysis category and the general EA category; and Sybase, a Contender in all three categories. See the January 7, 2009, “The Forrester Wave™: Business Process Analysis, EA Tools, And IT Planning, Q1 2009” report.

Forrester Research, Inc. (Nasdaq: FORR) is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. Forrester works with professionals in 19 key roles at major companies providing proprietary research, customer insight, consulting, events, and peer-to-peer executive programs. For more than 27 years, Forrester has been making IT, marketing, and technology industry leaders successful every day. For more information, visit www.forrester.com.
