Anecdotal evidence suggests that the GRC space has been undergoing some change over the past year. With the publication of Gartner’s GRC Magic Quadrant report this week, that evidence has been confirmed: GRC technologies are converging.
- Those that provide oversight into the operation of risk management and compliance programs
- And those that provide GRC products for the automation and monitoring of IT systems controls.
This is the result, Gartner says, of a move from GRC platforms with a tactical focus on regulatory compliance to platforms focused on enterprise risk management.
Many vendors, the report says, are now looking towards the next phase of GRC platform development, which includes adding or integrating with business performance management software with scorecarding capabilities.
GRC Market in 2010
The primary purpose of an EGRC platform, Gartner says, is to automate much of the work associated with the documentation and reporting of the risk management and compliance activities associated with corporate governance and business objectives.
GRC functionality is being driven by the need of organizations to improve their oversight of corporate governance, including financial reports, risk management and related audits.
This represents a change from a situation where enterprises were investing in software to comply with a single set of standards – Sarbanes-Oxley for example – to a situation where they are investing to improve enterprise oversight by consolidating all GRC auditing functions onto a single platform.
Previously, Gartner says, many had invested in single solutions to deal with one specific aspect of GRC, only to move into other activities such as audit management, IT governance and remediation management.
The result is the emergence of enterprise resource management as the principal driver for GRC, with the financial crisis adding to the proliferation of concerns over corporate governance and transparency.
IT and GRC
Within that convergence, one of the trends that should be noted is the convergence of enterprise GRC, with its focus on financials, governance, and compliance auditing, with IT GRC, which provides automated functions and IT risk controls.
Most enterprises are looking for an enterprise-wide approach to risk management and want all their business units, including IT organizations, on the same GRC platform.
Most offer IT governance automation functions with minimum offerings including document, survey and reporting of IT risk and controls. However, some lack IT-specific content.
Gartner said it is monitoring the potential convergence of IT GRCM and EGRC platforms to a point where the difference between the two has disappeared, but as of this year this has not yet happened.
The GRC Market
Finally, market demand is getting stronger as more regulations are introduced. At the moment demand is highest in the US, where regulations are strictest, but countries like Canada, Japan and some EU countries are also getting stricter and demand is growing as a result.
Consolidation also picked up in 2009 and continued this year. In September IBM announced the OpenPages takeover; in early 2010 EMC-RSA took over Archer; and BPS and Resolver merged to form BPM Resolver.
Paisley was acquired by Thomson Reuters in early 2009, along with three other acquisitions in the month of July that year. While none have had an immediate impact on current customers, it can be problematic when both companies have GRC software.
The Leaders Quadrant
In all this, three vendors made it into the top spot as ‘Leaders’ in the GRC Magic Quadrant. In alphabetical order they are:
Version 4.1 SP-1 was released in May this year. It is a mature GRC platform to which BWise continues to add capabilities, with a very large customer base and relatively high revenues. It offers organic continuing monitoring solutions that integrate with its EGRC platform.
It has a strong business process orientation as well as an understanding of the market for integration with a road map focused on audit management and quantitative risk analysis. It is also adding e-learning capabilities, which will boost compliance support with ethics and anti-corruption rules.
Well placed for the financial services sector, it is also positioning itself to take on other verticals like government, transport and energy. It has also expanded from its home in the Netherlands to establish a large presence in North America and the UK.
Its audit management planning and scheduling are limited, although that gap is expected to close this year. It also has limited support outside North America and Europe, and showed flat revenue growth in 2009.
Released in March this year, the most recent version of MetricStream's platform – v6.0 – is a highly competitive offering that offers all the core functionality as well as a number of advanced capabilities. It has had high customer growth over the past year and is continuing to pursue an aggressive roadmap.
It has orientated itself towards integrating risk management and business performance and targets enterprises that are trying to meet multiple GRC objectives. It has an ongoing focus on usability and improving navigation as well as integration with business process and IT controls.
It targets highly regulated verticals with a product that has no gaps in primary functionality with strong audit management and above-average workflow.
It has new customers in most geographies, but its direct presence is focused in the US and India. It supports only Oracle database, and some functionality is not available out of the box. However, Gartner says, customization is available very cheaply.
OpenPages has developed a strong brand across many verticals, with version 5.5.3 released in November 2009. It includes all the main functionality and good support for ERM, while following a well-planned road map. IBM’s announcement that it is buying OpenPages was taken into consideration in the evaluation.
It has a comprehensive approach to targeting multiple roles in the enterprise as well as a highly developed understanding of the GRC market. It has no significant gaps in its technology, which is aimed at the banking, insurance, energy and utilities markets with industry-specific capabilities.
It is focused at the moment on enhancing risk and performance reporting, and on adding content and IT GRC support.
It only has direct presence in North America and Europe although it has partnerships and customers in other geographies. It only added a small number of new customers in 2009 although its focus on large implementations has maintained good sales growth.
There is a lot more in this report, including the top challengers in the market, and it is well worth a look. If you want to read the report, you can read it at MetricStream if you register.