Now in its 9th year, the Gartner MQ for Enterprise Governance, Risk and Compliance Platforms is one of the most dynamic there is. While enterprises have always expected a wide range of capabilities across these platforms to monitor risk and business performance, the rise of social computing, and the datasets it throws up, means that big data is also entering the mix and is set to transform the market over the next 3 years.

EGRC Magic Quadrant 2012 v 2013

Before looking at the Quadrant in a little bit more detail, there are a couple of points worth noting in relation to last year’s MQ that should be kept in mind.

The first is that last year Gartner speculated that it might not produce a Magic Quadrant this year at all, but rather produce a MarketScope, such is the maturity of the market.

MarketScope reports help users understand how the status of an emerging, or mature, market aligns with their own state of maturity and plans, rather than providing comparisons between vendors and products.

Clearly, the evolution of this year’s market has not proceeded at the pace that Gartner anticipated as it still saw value in producing a Magic Quadrant this year.

Gartner does not go into any detail as to why, but it may be that the convergence of big data, social computing and GRC is reshaping the market in such a way that a comparative look is still worthwhile.

The other thing to note this year is that instead of 9 vendors in the Leaders’ Quadrant, there are only 7. This year’s Leaders include, in alphabetical order: EMC, IBM, MetricStream, Nasdaq OMX (BWise), SAP, Software AG and Thomson Reuters.

You will notice that Oracle has been dropped entirely, as it did not provide information or customer references, for reasons that Gartner either didn’t share or doesn’t know. SAS moved into the Visionaries Quadrant, which, in a market that looks set to change quite substantially in the immediate future, is probably a good place to be.

This is especially true if you consider that one of the criteria for inclusion in the Visionaries’ Quadrant is the availability of an aggressive roadmap that includes non-regulatory compliance and business performance needs.

The EGRC Market

The Enterprise Governance, Risk and Compliance (EGRC) market is a mature market that is still evolving rapidly as enterprise needs change. To reflect that change, Gartner says it has shifted the focus of its analysis towards the feedback it received from reference customers about their needs and expectations.

This is a subtle, but significant, shift away from the normal practice of assessing the relative merits of different functionalities, and provides an MQ that reflects the ability of vendors to address key use cases as well as vendor performance in meeting market challenges.

The result, Gartner says, is an MQ that better reflects the needs and expectations of buyers. It is also a Magic Quadrant that contains significant shifts in vendor positioning since last year.

Overall, there are two sets of products in the GRC marketplace that often crossover, but are quite distinct. They are:

  • GRC Management (GRCM): These are products for the oversight and operation of risk management and compliance programs.
  • EGRC: For the automation and monitoring of systems across the entire enterprise -- not just IT -- offering a holistic view of GRC issues across the enterprise globally.

As the EGRC market evolves, most vendors are meeting customer demand by providing an integrated platform with core modules for risk management, compliance and policy management, audit management, and regulatory change management.

These can then be built out by the addition of interoperable modules. Gartner also points out that as products develop, some vendors are starting to provide functionality for industry and function-specific applications that are overlaid onto the platforms as core modules.

EGRC Functionality

Keeping this in mind, the key EGRC function is to automate the processes associated with documentation and risk management. Key functions include:

  • Risk management: Supports risk management professionals with the documentation, workflow, assessment and analysis of the business impact of risks.
  • Audit management: Supports internal auditors in developing long-range audit plans, planning and execution of individual audits.
  • Compliance and policy management: Supports compliance with documentation, workflow, reporting and visualization of controls and associated risks.
  • Regulatory change management: The ability to respond to changes in the rules and regulations.
  • Incident or case management: Used to track the occurrence and resolution of incidents.

As well as this, EGRC platforms are integrated with other business applications like business intelligence, enterprise content management, controls automation, and other specialized GRC management applications like IT GRC applications.

GRC Market Development

So what is happening in the market? The first thing to be said about the GRC market is that buyers have very high expectations of EGRC solutions with differentiation around the ability to manage multiple use cases.

It has developed out of the need of many different parts of the enterprise to improve corporate governance oversights around compliance, ERM and related audits. Many enterprises are also looking to integrate all their GRC needs associated with corporate governance onto a single platform.

While GRCM covers the management and reporting of risks against set objectives in accordance with set rules or standards, EGRC extends beyond that to policy management, IT governance and remediation.

Earlier this year, Gartner says a survey of EGRC platform users showed the 6 most important areas to be:

  • Enterprise or operational risk management (61%)
  • Audit management (53%)
  • IT risk management (34%)
  • Case or incident management (32%)
  • Policy management (30%)
  • Integrated performance and risk management (29%).

Gartner underlines the fact that compliance use cases were not mentioned in the top 6 areas. However, as the number of use cases increases, most EGRC vendors are adding pre-packaged capabilities or applications to meet the different compliance or regulatory regimes currently in force.

EGRC Emerging Trends

At the moment, EGRC platforms serve organizations that take an enterprise approach to compliance and risk management and that want all their GRCM, including IT governance automation, on the same platform. As a result, most EGRC vendors also offer IT governance automation functions, however modest.

For organizations that are primarily concerned about IT governance, Gartner points out that most EGRC platforms stretch across financial, operational and IT functions and sacrifice IT departments to do so. Buyers looking for deeper IT governance would probably be better off with GRCM applications.

Meanwhile, the EGRC platform is evolving around several trends:

  • Growing regulatory demands are putting new demands on internal audit organizations, including ERM (Electronic Records Management) oversights and business performance audits.
  • A growing regulatory focus on corruption and bribery in light of the 2008 financial crisis.
  • Risk analytics for easier and better enterprise risk management.
  • Change management to help manage the growing number of emerging regulatory regimes.
  • Market consolidation with a shift from smaller, best-of-breed players to a market dominated by large, established vendors.
  • Third-party risk management to ensure third parties do not compromise enterprise security.
  • Management of social business risks that covers everything from marketing strategies to privacy regulations.
  • Critical infrastructure protection.

The result is a combination of data and infrastructure risk management. Inherent in the management of social risk is the emergence of big data and big data management in the GRC space, as more information needs to be assessed and analyzed.

This is particularly true of third-party monitoring and operational technology needs, and as the number of use cases develops, platforms will have to integrate with more external data sources. The result will be the integration of many more applications on top of platforms, making the platforms the enabler of new tasks and, as a result, new markets.

On Monday, we will take a look at vendors that are leading this market.