Gartner MQ for Enterprise GRC: EMC, IBM, SAP, Software AG Among Leaders

6 minute read
David Roe avatar

Last week we saw in Gartner’s Magic Quadrant for Enterprise Governance, Risk and Compliance (EGRC) that the rise of social computing and the use of the enormous datasets that it throws up, means that big data and the ability to take meaning from big data is set to transform the market over the next 3 years. It also shows that there are a large number of vendors that are ready for the challenges that this poses.

Magic Quadrant Criteria

That said, there are already 16 vendors that have made it into the Quadrant who met all the inclusion criteria. Those criteria include:

  • The ability to deliver the following 3 functions: Compliance management, risk management and regulatory change management.
  • Had at least US$ 12 million in revenues for the calendar year 2012 for EGRC software, with at least 100 customers using live implementations of the software.
  • Customers in 2, or more, verticals
  • A multi-regional presence with5 or more reference in at least two of the following major regions: North America, Latin America, EMEA or Asia/Pacific.

Leaders' Quadrant

While the list of requirements are not as extensive as some Magic Quadrants, the criteria are still difficult to fulfill. To make it into the Leaders’ Quadrant is tougher again.

Leaders, Gartner says, must have well defined market strategies and the products to match. Along with basic functionality, they must also be able to provide technology that integrates with business intelligence and advanced business performance management applications, as well as industry specific capabilities for risk management and compliance support.

This year’s Leaders in alphabetical order are: EMC, IBM, MetricStream, Nasdaq OMX (BWise) SAP, Software AG, Thomson Reuters.


With sales and support distributed globally, EMC is headquartered in the US. Its current EGRC platform is Archer Platform v5.2.

  • Strengths: It has an extremely loyal user base in the IT GRC market, which has opened doors for it across the entire enterprise. It has excellent support, Gartner says, and has developed focused solutions over existing workflow and content modules to address industry-specific requirements. It has a wide range of use cases, with many reference customers indicating that it exceeded expectations.
  • Cautions: Although RSA says it needs zero custom codes, most users say considerable customization is needed to get started. With 10 primary modules and a growing number of focused solutions the price of deployments escalates quickly, especially as most enterprises will need at least 3 modules. Some references said support was slow to respond.


IBM bought OpenPages in 2010 as an EGRC solution, which it used to add security to its business analytics applications.

  • Strengths: It offers strong support across financial services institutions and has been built up with the addition of Algo First for content loss. It is built on Cognos, which gives it a strong analytics base, while integration with SPSS and Algorithics offers strong risk and performance management. Enterprises can buy a license for the whole platform, which enables them pick the modules they require.
  • Cautions: OpenPages has focused its growth strategy on large financial services deals, which because they are not all that frequent, has impacted growth. Only one reference customer reported using the integration possibilities with other IBM products.Several customers have also reported long implementation times.


MetricStream’s current EGRC platform is at v6. It has a global presence with offices the US, Europe, Asia and the Middle East.

Learning Opportunities

  • Strengths: It offers a broad-based EGRC platform to a wide range of customers and verticals. It has made a conscious effort to avoid complicated customizations through a standard application studio on which it can build numerous replicable applications. Its global support continues to grow and is being used by a number of customers for integrated performance and risk management.
  • Cautions:  MetricStream's transitioning from a relatively small vendor to a major player has had some growing pains with four clients outlining implementation problems. That said, once the implementations have been complete, most customers have said they were happy with it. Even with its Application Studio, customers report that they still need to customize it.

Nasdaq OMX (BWise)

Nasdaq OMX bought BWise in the middle of last year. The version that was assessed for the purposes of this research was v4.1. BWise has offices across the globe.

  • Strengths: The acquisition of BWise was part of Nasdaq OMX’s strategy to grow its corporate solutions group. It has a specific strategy of minimizing customizations and offers out-of-the box solutions as often as possible. It has a deep understanding of the GRC market, especially in the financial services vertical and its roadmap reflects that. Its strengths are risk management and analytics.
  • Cautions: Despite its policy of avoiding customization, several customers have reported that significant customization is now required. Despite traction in the financial services vertical, BWise has gained limited traction outside of that vertical. Its growth, as a result, is not keeping up with competitors.


SAP’s GRC platform is now in v10.0 and consists of SAP Process Control (PC) and SAP Risk Management (RM) together.

  • Strengths: Integration of these two SAP applications is one of the key strengths here with the integrated application capable of the continuous monitoring of risk in ERP applications. Adoption of the platform is growing significantly, reflecting improvements over the past two years. Changing in pricing strategies puts purchasing costs in line with those of competitors.
  • Cautions: Reference customers report that it is difficult to configure and that it is difficult to scale it up for larger, or distributed organizations. While it has changed its pricing to something that reflects the pricing of its competitors, if it becomes Hana-centric, it could become too expensive for many enterprises.

Software AG

Gartner assessed Aris Risk & Compliance Manager 4.1, which is Software AG’s EGRC platform and is now at version 9.

  • Strengths: It is most relevant for those using Aris business process tools, or for those that are looking to develop their business process management capabilities along with GRC software. It has combined webMethods with Aris, which gives it complex-event processing and in-memory computing.It has a strong process focus, which means it is able to deliver strong risk management capabilities.
  • Cautions: Although it has some advanced capabilities, it has room for improvements, according to some of Gartner’s customer references. It does not have a differentiated vertical industry strategy, while prospective customers should have employees who are trained in Aris.

Thomson Reuters

Accelus GRC 4.4 was the current version of its EGRC platform at the time of Gartner’s evaluation.

  • Strength: Thomson Reuters offers a number of different solutions under the Accelus brand covering the full range of EGRC functionality. Since it bought Avanon, Accelus Risk Manager has improved significantly, offering advanced risk management capabilities. It has a strong focus in manufacturing and financial services.
  • Cautions: It has a strategy that includes a lot more acquisitions, which means that integration will become increasingly more difficult. There has been mixed feedback on how far it meets expectations among customer references.

That’s this year’s Leaders. Keep in mind, however, that Gartner recommends that prospective buyers should be looking across the entire Quadrant.