It’s taken a couple of weeks to get it, but Gartner’s Magic Quadrant for the GRC space is finally out. Leaving aside the list of vendors that made it into the "'Leaders' quadrant," Gartner says that over the course of this year, the market shifted from a tactical focus on regulatory compliance to a wider focus on enterprise risk management.

The Magic Quadrant, which came out in the middle of the month but which has only been publicized now, contains the usual caveat from Gartner that it only represents a snapshot of the market at the moment and that, while the Leaders Quadrant is important, for companies looking at GRC software, all quadrants should be considered.

The Enterprise GRC Market

A number of specific trends have been noted over the past year in the GRC market. Many companies, in light of recent developments in areas such as finance. are looking for better corporate governance and compliance, with many of those looking to consolidate all their GRC functions onto one platform.

GRC is defined in this case as “the automation of the management, measurement, remediation and reporting of controls and risks against objectives, in accordance with rules, regulations, standards, policies and business decisions.”

Companies are looking at this through the perspective of one standard such as Sarbanes-Oxley (SOX) compliance, or across regulations applied to specific industries.

Other considerations are creeping in, too, such as audit management, IT governance or policy management, which many enterprises are looking at incorporating into the single-platform GRC approach in the future.

ERGC Trends

Gartner says it is monitoring the possible convergence of IT GRC and Enterprise GRC (EGRC) to see how closely they converge, but as of this year, the convergence has not happened yet. Divergence between the two areas remains a fact of life at the moment, based on differences in management and reporting requirements for top-down vs. bottom-up approaches.

While top-down approaches tend to be dominated by business executive requirements, bottom-up approaches have been dominated by IT requirements typically led by IT, or information security operations.

Convergence, Gartner says, will happen when enterprises stop buying multiple tools for multiple tasks and agree to buy a product that can deal with both approaches.

As a result, Gartner has identified the following trends in the market:

  • Demand for software that can offer Sarbanes-Oxley compliance, not just in the US, but also similar compliance for similar regulations outside of the US
  • A professional client base that wants GRC analytics aligned with enterprise objectives
  • Software to manage the increasingly regulatory environment, particularly in relation to anti-corruption and bribery measures
  • Software that will offer transparency in decision making
  • Regulatory content services and change management
  • Market consolidation with larger vendors becoming dominant

Inclusion in this year’s Quadrant required enterprises to meet the following criteria:

  • Ability to offer four primary GRC functions including: Audit management, compliance management, risk management and policy management
  • Credible market presence that resulted in at least US$ 11 million in annual revenue for the calendar year 2010 from GRC software and 50 customers

So who were the leaders?


BWise (news, site) is here because of its mature EGRC platform to which it continues to add functionality, as well as a large customer base and substantial revenues. Gartner says it is the only vendor besides the large ERP vendors to offer an organic CCM solution that integrates with its EGRC platform.

  • Strengths: BWise has a solid understanding of the integrated risk and performance management market, with a roadmap that includes improvement in audit management and quantitative risk analysis. Its industry strategy is focused on financial services, while it is challenging the large ERP vendors by adding CCM to its platform.
  • Cautions: Citing policy management and integration with external reports tools as areas for improvement, reference customers reported that functionality “met expectations.” Outside of Europe and North America, direct sales are limited.


MetricStream (news, site) demonstrated the MetricStream GRC Platform, version 6.0, which was released in March 2010. MetricStream offers a competitive offering with all the core functionality and several advanced capabilities as well. MetricStream continues to improve its capabilities in that market. It is continuing execution against an aggressive roadmap.

  • Strengths: MetricStream has a good grasp of the integrated risk management and business performance software and targets organizations that are trying to meet multiple GRC objectives. It has an ongoing focus on improving usability and navigation, as well as business process integration, targeting highly regulated vertical markets. Customers said that it met and even exceeded their expectations.
  • Cautions: Most of its direct presence is focused in the US and India, although it has recently established a small presence in Europe. It supports Oracle Database only, and clients have said they would like to see better workflow capabilities. Reference clients said out-of-the-box reporting capabilities could be improved.

OpenPages (IBM)

OpenPages was bought by IBM (news, site) in Q4 2010 and added to its business analytics division. It released OpenPages 6.0 in January, but had started deeper integration with the Cognos stack before that. As a result, risk analytics are a core part of its product.

  • Strengths: Has a strong understanding of emerging integrated GRC and business performance management markets. There are no significant gaps in its product strategy, Gartner says, and has particular strengths in audit management, risk management and policy management. It has historically targeted the banking, insurance, energy and utilities markets with specific industry capabilities. It is also starting to target the healthcare market.
  • Cautions: At the moment, it is still limited largely to the US and Europe, although IBM is gearing up for a sales push elsewhere. Integration into the IBM software stack is expected to take up development resources that might be used otherwise to enhance its products. There are also concerns that it will be less aggressive in pursuing non-analytics based initiatives.


Oracle (news, site) released its GRC Suite 8.6 in October. It has vast technology portfolios that span applications, middleware and hardware, with Oracle placing strong emphasis on the integration of its GRC platform with other Oracle assets like Hyperion.

  • Strengths: Oracle promotes the ability to integrate its GRC platform with Hyperion. The company has recognized that GRC is a collection of activities bound together in a common framework and offers customers a "crawl, walk, run" approach to its products, with new functionalities added for clients as they develop. It also has a wide geographical footprint.
  • Cautions: Referenced customers said they need improved integration of the GRC suite with external reporting and office productivity tools. All were satisfied, but many cited areas for improvement at a frequency far higher than other vendors' references, citing areas such as reporting, risk content, quantitative risk assessment and audit management as examples.


SAP (news, site) offers GRC as part of SAP BusinessObjects GRC portfolio. With SAP GRC 10, SAP has resolved issues with integration of its core products under its GRC umbrella, and also delivered improved audit management and policy management. In this Quadrant, SAP has moved from Visionaries last time out to Leaders this time.

  • Strengths: Has a clear understanding of where the GRC market is going and has aligned its product direction to meet basic compliance and risk assessment requirements. Its strategy includes the integration of CCM and a partner strategy to enable a wide array of GRC capabilities. It has integrated risk management and performance management solutions, and has developed a rearchitected EGRC platform.
  • Cautions: Customers may have to buy licenses for multiple core GRC products to get advanced functionality. Because it does not support scoping and prioritization of the audit universe well, audit management functionality is not scalable for a large internal audit organization.

Thomson Reuters

Thomson Reuters (news, site) released Enterprise GRC version 4.2 in October 2010, which is part of the Thomson Reuters Accelus Suite. It also offers Enterprise GRC in a SaaS version called GRC on Demand, and an audit-management-only version called AutoAudit. The Enterprise GRC platform has all the core functions and has strengths in audit management.

  • Strengths: Thomson Reuters has been successful with its SaaS delivery model and uses its strength as a content provider to differentiate its products. It has a strong focus on legal GRC buyers who are looking at compliance. It also has the highest percentage of revenue invested in R&D of any EGRC platform vendor.
  • Cautions: It is not clear where the integration with GRC and business is in its strategy, and while it has developed a more cohesive strategy, it needs to focus on ease of integration of its other GRC-related offerings.

There’s a lot more in the report here that is worth looking at.