The Enterprise Governance, Risk and Compliance (EGRC) market has been evolving steadily since it emerged eight years ago. It has now matured to such a point that, according to Gartner’s recent Enterprise GRC Magic Quadrant, the key differentiators are the delivery of advanced risk management functionality. Running straightforward GRC components is no longer enough to make the cut.
Gartner’s GRC Magic Quadrant
This contrasts with earlier GRC platforms where differentiation was about the provision of basic core functions like audit management, compliance management, or risk and policy management.
The result, Gartner says in its "Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms 2012", is that the market is reaching such a level of sophistication that next year it probably won’t produce a Magic Quadrant at all, but rather a MarketScope.
MarketScope reports help users understand how the status of an emerging or mature market aligns with their own state of maturity and future plans, rather than providing comparisons between vendors and products.
The level of maturity in this market probably also explains why there are now nine different companies in the Leaders quadrant, six in the Visionaries quadrant, and a handful of vendors across the Challengers and Niche Players quadrants.
The Leaders Quadrant includes: EMC-RSA, IBM, MetricStream, Nasdaq-BWise, Oracle, SAP, SAS, Software AG and Thomson Reuters.
In this first look at Gartner's MQ we will look at what’s driving the market. Later in the week, we will look at the Leaders and what it is they are doing that is pushing them to the top of the pile.
The Evolution of EGRC
According to the report's authors, French Caldwell and John Wheeler, the principal focus in the EGRC market is on enterprise risk management, with many vendors looking to the next phase in the market's evolution. This next phase will include adding, or integrating with, business analytics and scorecarding capabilities.
Generally speaking, the market can be divided into two separate functionality sets: GRC management products to oversee risk management and compliance programs, and, secondly, GRC products for the automation and monitoring of controls.
In both cases, some of that functionality is inherent in EGRC platforms. In the current market, most enterprises are investing in platforms that do a little of everything, instead of platforms that cover a single area like finance, IT or legal.
Where more sophisticated functionality is required, enterprises are integrating point solutions to satisfy GRC needs, rather than buying platforms that cover specific areas of business.
By investing in single platforms with integration when needed, users get a holistic view of the entire enterprise's risk and compliance exposure, as well as views of geographies, business entities and enterprise needs.
EGRC Risk Management
The principal purpose of the EGRC platform is to automate the work associated with the documentation and reporting of risk management and compliance activities. The key functions are:
- Risk management: Offers enterprises documentation, workflow, assessment and analysis, reporting, visualization and remediation of risks.
- Audit management: Manages audit work, time management and reporting.
- Compliance and policy management: Documentation, workflow, reporting and visualization of control objectives, controls and associated risks, among others.
- Regulatory change management: Enables business and risk analysis of changes to regulations as well as impact on business.
EGRC platforms are able to do this across the enterprise through integration with legacy systems like business intelligence, content management, controls automation, monitoring solutions and IT technical controls.
The principal driving force for this market is the need for enterprises to improve their oversight into the corporate governance of financial reports, as well as ERM and related activities. There has also been a move in recent years to consolidate other GRC activities into a common platform.
The result is that EGRC platforms must be able to solve all the enterprise's immediate GRC issues in relation to corporate governance, as well as provide the possibility of integrating a large sea of operational, IT, legal and financial GRC tasks.
Gartner defines GRC as follows:
"… the automation of the management, measurement, remediation and reporting of controls and risks against objectives, in accordance with rules, regulations, standards, policies and business decisions…"
Many enterprises look at GRC investments to fulfill a specific industry regulation like compliance. When they do decide to invest they often have other issues in mind on top of the principal one.
For this survey, Gartner studied 211 EGRC users and found that use was divided into four principal categories:
- Audit Management (45 percent)
- Enterprise Risk Management (ERM) (40 percent)
- Operational Risk Management (40 percent)
- IT risk management (25 percent).
Within these groups, enterprises are also looking for solutions that offer more controls automation, including reporting from continuous controls monitoring (CCM) elements in ERP and other applications.
The result is a trend towards the convergence of CCM and ERP, as well as a slower but equally noticeable trend towards the convergence of IT GRCM and EGRC platforms. Some vendors have also started to add content and capabilities to meet industry-specific operational GRC needs.
Even with the drive to satisfy as many GRC needs as possible, EGRC vendors will still focus on cross-industry requirements -- with the result that many industry-specific solutions will remain viable, a market that Gartner refers to as Operational GRC.
EGRC platforms are built for organizations that take an enterprise approach to GRC. This means that they are looking to apply GRC across all business units -- including the IT organization -- and all from the same platform.
Most offer some IT governance automation functions, especially the ability to document, survey and report IT risks and controls, but some do lack IT-specific content. Gartner advises enterprises looking for specific IT GRC to be careful what they invest in, since most EGRC platforms balance financial, operations and IT requirements at the expense of IT governance.
The divergence between the two needs is the result of two different sets of approaches. On one hand, there are top-down approaches that focus on ERM and address business executive requirements. The flip side is the bottom-up approaches that are typically led by IT and security teams.
Enterprises continue to buy tools that cover both approaches, but real convergence will only take place once enterprises stop buying separate tools to address diverging requirements.
In this respect, BWise, MetricStream and IBM's OpenPages are EGRC platform vendors that have added IT GRCM capabilities. RSA, The Security Division of EMC, is also an EGRC platform vendor, but it started in the IT GRCM market.
Ten Key Trends Affecting the EGRC Platform Market
Within those loosely defined areas there are 10 trends that vendors need to be aware of:
- Increasing regulatory requirements are pushing demands on internal audit organizations.
- The fall-out from the financial crisis is an increasing focus on bribery and anti-corruption regulatory requirements.
- Support for transparency in decision making by business leaders.
- Integration of risk and performance management through risk analytics.
- Regulatory content services to deal with the increasing number of regulatory requirements.
- Increased internal controls that go beyond the needs of regulatory requirements.
- Shift from small best-of-breed vendors to dominance by large, well-established vendors.
- Supplier risk management to ensure third-party vendors do not pose a risk.
- Social risk management creates the need for compliance with privacy and advertising regulations.
- Operational technology and critical infrastructure protections.
The last three trends are not really established yet, but the rise of Big Data (and the associated regulatory issues) and the explosion of data in social networks will see many enterprises investing in risk analytics to tackle the problem.
These trends have the potential to change the GRC market significantly in the next three to five years. This will be compounded by enterprises' ongoing need to integrate with external data sources and applications, which will see GRC platforms fade in market positioning importance, but also enable the development of markets around GRC-related products.
In the next installment, we will look at the vendors that made it into the Leaders quadrant.