The Enterprise Governance, Risk and Compliance (EGRC) market has been evolving steadily since it emerged eight years ago. It has now matured to such a point that, according to Gartner’s recent Enterprise GRC Magic Quadrant, the key differentiator is the delivery of advanced risk management functionality. Running straightforward GRC components is no longer enough to make the cut.

Gartner’s GRC Magic Quadrant

This contrasts with earlier GRC platforms where differentiation was about the provision of basic core functions like audit management, compliance management, or risk and policy management.

The result, Gartner says in its "Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms 2012", is that the market is reaching such a level of sophistication that next year it probably won’t produce a Magic Quadrant at all, but rather a MarketScope.

MarketScope reports help users understand how the status of an emerging or mature market aligns with their own state of maturity and future plans, rather than providing comparisons between vendors and products.

The level of maturity in this market probably also explains why there are now nine different companies in the Leaders quadrant, six in the Visionaries quadrant, and a handful of vendors across the Challengers and Niche Players quadrants.

The Leaders Quadrant includes: EMC-RSA, IBM, MetricStream, Nasdaq-BWise, Oracle, SAP, SAS, Software AG and Thomson Reuters.

In this first look at Gartner's MQ we will look at what’s driving the market. Later in the week, we will look at the Leaders and what it is they are doing that is pushing them to the top of the pile.

The Evolution of EGRC

According to the report's authors, French Caldwell and John Wheeler, the principal focus in the EGRC market is on enterprise risk management, with many vendors looking to the next phase in the market's evolution. This next phase will include adding or integrating with business analytics and scorecarding capabilities.

Generally speaking, the market can be divided into two separate functionality sets: GRC management products to oversee risk management and compliance programs, and, secondly, GRC products for the automation and monitoring of controls.

In both cases, some of that functionality is inherent in EGRC platforms. In the current market, most enterprises are investing in platforms that do a little of everything, instead of platforms that cover a single area like finance, IT or legal.

Where more sophisticated functionality is required, enterprises are integrating point solutions to satisfy GRC needs, rather than buying platforms that cover specific areas of business.

By investing in single platforms with integration when needed, users get a holistic view of the entire enterprise's risk and compliance exposure, as well as views of geographies, business entities and enterprise needs.

EGRC Risk Management

The principal purpose of the EGRC platform is to automate the work associated with the documentation and reporting of risk management and compliance activities. The key functions are:

  • Risk management: Offers enterprises documentation, workflow, assessment and analysis, reporting, visualization and remediation of risks.
  • Audit management: Manages audits related to work, time management and reporting.
  • Compliance and policy management: Documentation, workflow, reporting and visualization of controls objectives, controls and associated risks among others.
  • Regulatory change management: Enables business and risk analysis of changes to regulations as well as impact on business.

EGRC platforms are able to do this across the enterprise through integration with legacy systems like business intelligence, content management, controls automation, monitoring solutions and IT technical controls.

The principal driving force for this market is the need for enterprises to improve their oversight into the corporate governance of financial reports, as well as ERM and related activities. There has also been a move in recent years to consolidate other GRC activities into a common platform.


The result is that EGRC platforms must be able to solve all the enterprise's immediate GRC issues in relation to corporate governance, as well as provide the possibility of integrating a large sea of operational, IT, legal and financial GRC tasks.