ForresterWave Enterprise GRC Platforms Q4 2011

  • 8/2/2019 ForresterWave Enterprise GRC Platforms Q4 2011

    1/16

    Making Leaders Successful Every Day

    November 30, 2011

    The Forrester Wave: Enterprise Governance, Risk, And Compliance Platforms, Q4 2011
    by Chris McClean

    For Security & Risk Professionals

    http://www.forrester.com/

    © 2011 Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, RoleView, Technographics, TechRankings, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective owners. Reproduction or sharing of this content in any form without prior written permission is strictly prohibited. To purchase reprints of this document, please email [email protected]. For additional reproduction and usage information, see Forrester's Citation Policy located at www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

    EXECUTIVE SUMMARY

    Innovation among top enterprise GRC platform vendors has kept up an impressive pace as vendors aim to stay one step ahead of their customers' own advancements in governance, risk, and compliance (GRC) programs. Of the 13 companies in Forrester's 59-criteria evaluation of enterprise GRC vendors, BWise, MetricStream, IBM OpenPages, and RSA Archer emerge as Leaders because of their strong vision of GRC value and ability to evolve quickly to address customers' changing needs. A large pack of Strong Performers follows this group, some right on their tail, with highly competitive products and leading capabilities in certain key areas. These include Mega, Thomson Reuters, Methodware, Compliance 360, Protiviti, SAP, ARC Logics, and SAS. Enablon is the lone vendor in the Contender category, with technical capabilities and vision enough to win deals against much more seasoned GRC competitors.

    TABLE OF CONTENTS

    Customers Stretch The Functions Of GRC And Validate The Platform Approach

    Enterprise GRC Platform Evaluation Overview

    Evaluation Analysis

    Vendor Profiles

    Noteworthy Specialists

    Supplemental Material

    NOTES & RESOURCES

    Forrester conducted product evaluations in June 2011 and interviewed 13 vendor companies: ARC Logics, BWise, Compliance 360, Enablon, Mega, Methodware, MetricStream, IBM OpenPages, Protiviti, RSA Archer, SAP, SAS, and Thomson Reuters.

    Related Research Documents

    Ten Priorities For Your Current And Future Compliance Program
    July 19, 2011

    Topic Overview: Governance, Risk, And Compliance
    March 14, 2011

    Market Overview: GRC Platforms
    November 9, 2010

    The Forrester Wave: Enterprise Governance, Risk, And Compliance Platforms, Q3 2009
    July 1, 2009

    The Forrester Wave: Enterprise Governance, Risk, And Compliance Platforms, Q4 2011
    As Leaders, BWise, MetricStream, IBM OpenPages, And RSA Archer Continue To Push The Envelope

    by Chris McClean
    with Stephanie Balaouras and Nicholas M. Hayes

    CUSTOMERS STRETCH THE FUNCTIONS OF GRC AND VALIDATE THE PLATFORM APPROACH

    In early 2011, we fielded an unexpected customer question: Will enterprise GRC software deployments ever be on par with ERP? While this was little more than amusing speculation, the question reflects the effectiveness with which GRC software has extended its reach into customer organizations and the extent of potential growth that remains. And while it's unlikely that the average GRC implementation will reach the scope and scale of the average ERP implementation any time soon, several trends point to GRC software's increasing importance and expanding corporate presence:

    1. GRC metrics are increasingly seen as key indicators of business performance and stability. At a steady pace, stakeholders including regulators, rating agencies, business partners, and investors have been asking for more and more intimate details about the risk and compliance posture of the companies with which they associate. Internally, different functions within these businesses are using risk and compliance data more often to evaluate the status of third-party relationships, process quality, and other aspects of business for which performance can be measured. In a survey of 121 reference customers supplied by vendors for this Forrester Wave evaluation, respondents reported using their GRC system to track metrics such as project fitness, process efficiency opportunities, and board approval of the direction of travel.

    2. GRC customers are continuously finding new use cases for the software they license. Users of GRC software are responsible for almost as much innovation as the GRC software vendors themselves. Applying standard capabilities such as risk and control documentation, policy management, workflow, and reporting, customers are molding their GRC platforms to support a variety of relevant domains. Beyond the 18 core GRC functions we asked about in our survey, customer references reported supporting other functions such as the management of consultant activities, enterprise process catalogs, and affiliate oversight.

    3. GRC vendors are focusing more on their underlying platform technology. To meet the increasingly diverse demands of GRC clients, vendors are actually beginning to shift away from packaged applications. Now they're focusing much more of their efforts on delivering platforms that customers can reconfigure and adjust to meet their needs. For that reason, this Forrester Wave evaluates capabilities such as workflow flexibility, user interface flexibility, data model extensibility, and ability to support new and changing market requirements.

    The GRC Vendor Landscape Is Actually Growing More Diverse

    Considering it's nearing the decade mark in its evolution, the GRC market defies the logic of vendor consolidation and functional standardization that we might expect. Although there have been significant acquisitions, they have mainly taken the acquired vendor products in different directions: more focused on IT infrastructure (e.g., RSA Archer), regulatory content (e.g., Thomson Reuters Paisley), or business analytics (e.g., IBM OpenPages). In addition, vendors from relevant market segments such as environmental risk and compliance, hotline and case management, information security, and business process management continue to reach for GRC market footholds in order to take advantage of still untapped potential.

    IT GRC And Enterprise GRC Are Much Closer But Still Separate Markets

    Forrester continues to field inquiries from organizations interested in adopting a single GRC platform to manage risk and compliance efforts related to IT and enterprise domains. For many of them, there are viable solutions: vendors historically focused on enterprise GRC are supporting content like the Unified Compliance Framework and offering integration capabilities with security and IT management applications, while vendors historically focused on the IT GRC market are offering more enterprise-relevant content and delivering more product flexibility to support enterprise GRC functions.

    However, even as the vendors demonstrate better capabilities and more implementations, the vast majority of vendor selection projects lean one direction or the other, reflecting the still substantial gap that exists in most organizations between the IT and enterprise GRC functions. Based on this distinction, Forrester conducted two simultaneous GRC platform Wave evaluations: one for enterprise and one for IT.

    There are minor modifications in the criteria for these two Waves. For example, the enterprise GRC Wave evaluates audit management instead of asset management capabilities, and many of the criteria have more demanding score requirements to reflect the greater maturity of that market.

    ENTERPRISE GRC PLATFORM EVALUATION OVERVIEW

    To assess the state of the enterprise GRC platform market and determine how the vendors stack up against each other, Forrester conducted a rigorous evaluation of top vendors in the space.

    The Evaluation Focused On Breadth And Depth Of Capabilities And Soundness Of Strategy

    After considering past research, user needs, requests for proposals, and vendor and expert input, Forrester developed a comprehensive set of 59 evaluation criteria, which we grouped into three high-level categories:

    Current offering. Each vendor's position on the vertical axis of the Forrester Wave graphic indicates the strength of its current GRC product offering. The sets of capabilities evaluated in this category are: content management, risk and control management, workflow management, GRC management and analytics, support for IT GRC, support for audit management, GRC domain support, technical functionality, and client reference scores.

    Strategy. A vendor's position on the horizontal axis indicates the strength of its GRC strategy, with specific criteria including company vision and strategy, product vision and strategy, and support for governance, risk, and compliance professionals.

    Market presence. The size of the vendor's bubble on the chart indicates its market presence, which Forrester measured based on the company's financial viability, customer base, staff size, partnerships, and global presence.

    Evaluated Vendors Demonstrated The Largest Market Presence And Competitive Success

    Forrester included 13 vendors in the assessment: ARC Logics, BWise, Compliance 360, Enablon, IBM OpenPages, Mega, Methodware, MetricStream, Protiviti, RSA Archer, SAP, SAS, and Thomson Reuters. Each of these vendors has (see Figure 1):

    Broad GRC capabilities for enterprise risk and compliance professionals. All vendors in this evaluation have the capabilities to meet the broad requirements of enterprise governance, risk, and compliance professionals.

    More than 150 licensed customers using the vendor's GRC solution. All of the evaluated vendors reported more than 150 GRC customers, provided examples of customers using the platform for multiple functions of enterprise GRC, and submitted at least five customer references to participate in the Forrester Wave customer survey.

    A significant level of interest from Forrester clients. All of the evaluated vendors have established themselves as relevant GRC competitors, and they continue to show up in requests for proposal, Forrester customers' inquiries, and other competitive situations.

    Figure 1 Evaluated Vendors: Product Information And Selection Criteria

    | Vendor | Product evaluated | Product version evaluated | Version release date |
    |---|---|---|---|
    | ARC Logics | ARC Logics | R1-2011 | March 2011 |
    | BWise | BWise | v4.1.2 | December 2010 |
    | Compliance 360 | Compliance 360 | v20.11 | April 2011 |
    | Enablon | Enablon GRC Suite | v6.0 | January 2011 |
    | IBM OpenPages | IBM OpenPages Platform | v6.01 | January 2011 |
    | Mega | Mega Suite for GRC | v3.3 | December 2010 |
    | Methodware | ERA Kairos | v8.0 | March 2011 |
    | MetricStream | MetricStream GRC Platform | v6.0 | March 2010 |
    | Protiviti | Governance Portal | v3.10 | April 2011 |
    | RSA Archer | RSA Archer eGRC Platform | v5.0.6 | December 2010 |
    | SAP | SAP BusinessObjects Process Control and SAP BusinessObjects Risk Management | v10.0 | December 2010 |
    | SAS | SAS Enterprise GRC | v4.3 | December 2010 |
    | Thomson Reuters | Thomson Reuters Accelus Enterprise GRC | v4.3 | June 2011 |

    Vendor selection criteria

    Broad GRC capabilities for enterprise risk and compliance professionals. All vendors in this evaluation have the capabilities to meet the broad requirements of enterprise governance, risk, and compliance professionals.

    More than 150 licensed customers using the vendor's GRC solution. All of the evaluated vendors reported more than 150 GRC customers, provided examples of customers using the platform for multiple functions of enterprise GRC, and submitted at least five customer references to participate in the Forrester Wave customer survey.

    Significant thought leadership and mindshare. All of the evaluated vendors have established themselves as relevant GRC competitors, and they continue to show up in requests for proposal, Forrester customers' inquiries, and other competitive situations.

    Source: Forrester Research, Inc.

    EVALUATION ANALYSIS

    The evaluation uncovered a market in which (see Figure 2):

    BWise, MetricStream, IBM OpenPages, and RSA Archer are Leaders. These vendors continue to push forward aggressively with product development and strong go-to-market strategies. They demonstrate a strong vision of the value GRC offers to customer organizations, which is helping them extend their platforms in unique ways not emulated by other leaders or other top competitors in the GRC market.

    Eight vendors are Strong Performers. They are ARC Logics, Compliance 360, Mega, Methodware, Protiviti, SAP, SAS, and Thomson Reuters. These vendors represent an extremely diverse mix of company size, background, and length of time competing in the GRC space. All of them are relevant to a number of different GRC functions, and in many cases, they are top competitors in several key GRC areas.

    Enablon is a Contender. Enablon is one of the newest competitors in the GRC platform market, but with a solid background in sustainability and environmental risk and compliance management, the vendor has the core elements needed to be competitive in the GRC space.

    This evaluation of the enterprise GRC platform market is intended to be a starting point only. We encourage readers to view detailed product evaluations and adapt the criteria weightings to fit their individual needs through the Forrester Wave Excel-based vendor comparison tool.

    Figure 2 Forrester Wave: Enterprise GRC Platforms, Q4 '11

    [Chart: vendors plotted by current offering (vertical axis, weak to strong) against strategy (horizontal axis, weak to strong), with bubble size indicating market presence. Bands: Risky Bets, Contenders, Strong Performers, Leaders. Vendors plotted: ARC Logics, BWise, Compliance 360, Enablon, Mega, Methodware, MetricStream, OpenPages, Protiviti, RSA Archer, SAP, SAS, Thomson Reuters.]

    Go online to download the Forrester Wave tool for more detailed product evaluations, feature comparisons, and customizable rankings.

    Source: Forrester Research, Inc.

    Figure 2 Forrester Wave: Enterprise GRC Platforms, Q4 '11 (Cont.)

    | Criterion | Forrester's Weighting | ARC Logics | BWise | Compliance 360 | Enablon | IBM OpenPages | Mega | Methodware |
    |---|---|---|---|---|---|---|---|---|
    | CURRENT OFFERING | 50% | 2.86 | 4.19 | 3.21 | 2.59 | 3.76 | 3.73 | 2.99 |
    | Content management | 15% | 4.25 | 3.90 | 3.45 | 2.65 | 3.90 | 3.25 | 2.35 |
    | Risk and control management | 15% | 2.40 | 5.00 | 2.55 | 2.55 | 4.40 | 4.40 | 3.00 |
    | Workflow management | 10% | 2.50 | 4.00 | 2.50 | 2.50 | 4.00 | 3.00 | 3.50 |
    | GRC management and analytics | 15% | 1.25 | 4.75 | 2.75 | 2.50 | 4.00 | 4.50 | 4.00 |
    | Support for IT risk and compliance | 5% | 3.40 | 3.40 | 2.20 | 1.00 | 3.40 | 2.20 | 1.00 |
    | Support for audit management | 5% | 3.80 | 3.35 | 3.60 | 2.65 | 2.65 | 3.95 | 2.65 |
    | GRC domain support | 5% | 3.50 | 4.00 | 4.00 | 3.00 | 3.50 | 3.00 | 2.50 |
    | Technical functionality | 10% | 2.50 | 4.20 | 3.40 | 2.30 | 3.80 | 3.50 | 2.70 |
    | Customer references | 20% | 3.20 | 3.90 | 4.10 | 3.10 | 3.30 | 4.00 | 3.30 |
    | STRATEGY | 50% | 3.01 | 4.41 | 3.40 | 2.32 | 4.46 | 3.28 | 3.84 |
    | Company vision and strategy | 35% | 2.85 | 4.40 | 3.55 | 2.45 | 4.70 | 3.85 | 4.25 |
    | Product vision and strategy | 35% | 2.75 | 4.55 | 3.60 | 2.45 | 4.40 | 2.95 | 4.15 |
    | Support for GRC roles | 30% | 3.50 | 4.25 | 3.00 | 2.00 | 4.25 | 3.00 | 3.00 |
    | MARKET PRESENCE | 0% | 3.73 | 2.88 | 2.02 | 3.17 | 3.36 | 3.19 | 3.23 |
    | Financial viability | 30% | 4.15 | 2.65 | 2.15 | 2.65 | 3.80 | 2.30 | 2.70 |
    | Customer base | 25% | 4.40 | 3.70 | 2.30 | 3.30 | 2.70 | 2.90 | 3.20 |
    | Staff size | 15% | 2.30 | 2.35 | 1.65 | 4.00 | 4.00 | 4.10 | 2.30 |
    | Partnerships | 15% | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 5.00 | 5.00 |
    | Global presence | 15% | 3.90 | 2.40 | 0.70 | 3.30 | 3.30 | 2.70 | 3.50 |

    All scores are based on a scale of 0 (weak) to 5 (strong).

    Source: Forrester Research, Inc.

    Figure 2 Forrester Wave: Enterprise GRC Platforms, Q4 '11 (Cont.)

    | Criterion | Forrester's Weighting | MetricStream | Protiviti | RSA Archer | SAP | SAS | Thomson Reuters |
    |---|---|---|---|---|---|---|---|
    | CURRENT OFFERING | 50% | 4.13 | 3.19 | 3.85 | 3.15 | 2.75 | 3.33 |
    | Content management | 15% | 4.40 | 3.00 | 3.95 | 2.80 | 2.80 | 2.80 |
    | Risk and control management | 15% | 4.40 | 3.00 | 3.30 | 3.60 | 3.60 | 3.65 |
    | Workflow management | 10% | 5.00 | 3.00 | 4.50 | 2.50 | 2.00 | 3.50 |
    | GRC management and analytics | 15% | 3.00 | 3.50 | 2.50 | 4.25 | 4.25 | 3.50 |
    | Support for IT risk and compliance | 5% | 5.00 | 2.20 | 5.00 | 3.00 | 1.20 | 2.20 |
    | Support for audit management | 5% | 4.30 | 4.65 | 2.90 | 2.75 | 1.00 | 4.65 |
    | GRC domain support | 5% | 4.50 | 3.50 | 5.00 | 2.00 | 2.00 | 3.00 |
    | Technical functionality | 10% | 4.50 | 2.10 | 4.70 | 2.30 | 2.20 | 3.30 |
    | Customer references | 20% | 3.60 | 3.70 | 4.10 | 3.40 | 2.60 | 3.30 |
    | STRATEGY | 50% | 4.25 | 3.29 | 3.83 | 3.17 | 2.60 | 3.58 |
    | Company vision and strategy | 35% | 4.45 | 3.45 | 4.55 | 3.60 | 1.85 | 3.30 |
    | Product vision and strategy | 35% | 4.25 | 3.15 | 3.40 | 3.10 | 3.00 | 3.70 |
    | Support for GRC roles | 30% | 4.00 | 3.25 | 3.50 | 2.75 | 3.00 | 3.75 |
    | MARKET PRESENCE | 0% | 3.34 | 2.74 | 4.26 | 4.07 | 3.43 | 3.85 |
    | Financial viability | 30% | 3.15 | 2.70 | 5.00 | 3.45 | 3.70 | 3.80 |
    | Customer base | 25% | 2.90 | 2.00 | 4.20 | 3.80 | 2.30 | 4.70 |
    | Staff size | 15% | 4.65 | 3.10 | 4.70 | 4.70 | 4.30 | 4.00 |
    | Partnerships | 15% | 3.00 | 3.00 | 5.00 | 5.00 | 3.00 | 3.00 |
    | Global presence | 15% | 3.50 | 3.40 | 1.70 | 4.20 | 4.30 | 3.20 |

    All scores are based on a scale of 0 (weak) to 5 (strong).

    Source: Forrester Research, Inc.

    VENDOR PROFILES

    The Leaders Are Extending The Boundaries Of How GRC Brings Value

    BWise. BWise continues to demonstrate why it has consistently been one of the strongest vendors in the GRC market, displaying a robust platform with a range of new product features since our previous evaluation. BWise scored a 5.00 across all our risk and control management subcriteria, displaying flexible and customizable risk and control measurement features, the ability for users to map business processes to relevant risk and compliance objects, and new continuous control monitoring features that separate the product from other traditional GRC competitors. BWise finds itself competing now against much larger companies that have entered the GRC space through acquisition. The Netherlands-based vendor still earned a top score for its sustainability of competitive advantage, however, because its vision, focus, and ability to innovate are among the best in the industry.

    MetricStream. MetricStream's breadth of capabilities and product flexibility have helped it solidify its position as a GRC Leader. The company's go-to-market strategy has always been among the most aggressive in the GRC space, and this approach continues to pay off as it brings aboard new clients representing a wide range of vertical and functional needs. MetricStream scored extremely well in the content management and risk and control management fields of our evaluation, due to strong document management and collaboration features as well as configurability in support of different risk methodologies. The company's product road map includes improvements to the platform's underlying functionality, flexibility, integration capabilities, and content, and its go-to-market strategy includes several elements unique among its top competitors.

    IBM OpenPages. The OpenPages platform remains one of the most consistently strong enterprise GRC platforms on the market today. The company's vision is to enable senior management to make strategic risk and reward decisions to improve business performance and reduce exposure to risks and loss on investments. The OpenPages platform's GRC management and analytics features are just one example of where this mission will play out. The product continues to leverage IBM Cognos' powerful reporting capabilities with report templates and dashboards that users can configure and share in numerous platforms such as mobile devices or embedded enterprise business applications. With the addition of IBM's other analytics technologies, the platform will offer increasingly more support for governance, risk, and compliance executives. While it may take some time to fully integrate with other IBM technology, OpenPages is in a strong position to maintain and grow its long-running leadership.

    RSA Archer. The acquisition by EMC RSA gave a strong boost to Archer's already considerable momentum. With solid technical functionality and a satisfied customer base, Archer made the leap into the Leaders category in this year's evaluation. The company's platform is highly configurable with an intuitive and easy-to-navigate interface, and its ability to facilitate customer-led development sets it apart from competitors. The RSA acquisition gave Archer greater access to a number of IT security and data governance technologies, and while these opportunities will likely lead to less overall focus on enterprise GRC domains, the company's ability to compete in the overall GRC market should continue to increase. Look for RSA Archer to more heavily leverage the Archer Community to foster collaboration among customers and employees, while it also works to enhance international and localized capabilities.

    The Strong Performers Show Great Functionality And Impressive Customer Successes

    Mega. Mega continues its steady climb up the ladder toward the top echelon of GRC vendors, just slightly missing the Leader category in this evaluation. The company's GRC has excellent risk and control management capabilities, and its GRC management and analytics functionality is among the best. Mega's vision of the market centers on the correlation between holistic GRC programs and enterprise architecture (EA) maturity, and the company has made great strides integrating its GRC platform with its leading EA and business process analysis (BPA) technologies. Mega's success may depend on its ability to bring customers along with this vision, but early use cases and customer feedback predict this will happen. Mega outlines a detailed product road map with plans to strengthen risk quantification, assessment consolidation, and document management capabilities, all of which are expected to improve the company's ability to compete.

    Thomson Reuters. Thomson Reuters offers one of the premier audit management platforms in the enterprise GRC market, and the company's GRC offerings continue to show good depth. A perennial leader of the GRC market since before the market had a name, some may be surprised to see it fall short of this category in this evaluation. This can largely be explained by Thomson's current focus on acquiring top risk and compliance vendors and joining them in what could ultimately be combined content and functionality offerings unmatched in the GRC market. The ability to integrate these offerings will determine how long before it can achieve this potential.

    Methodware. Although Methodware has been focused primarily on small and medium-size enterprises as its target market up to this point, it's currently shifting its strategy and technical capabilities to target larger companies and contracts. With the rollout of the new ERA Kairos platform and its stable relationship with its parent company, Jade Software, Methodware is able to better serve its current client base while also enhancing the product to offer a scalable, flexible platform for very large implementations. Partnerships remain a key to the vendor, and it's far ahead of almost all competitors in the global diversity of its customers. In the near future, Methodware plans to focus its R&D on user experience, performance, and further enhancements to the platform's underlying functionality.

    Compliance 360. By successfully targeting healthcare and insurance organizations, Compliance 360 has been a long-standing, profitable player in the GRC space since 2004. Although Compliance 360 doesn't offer the same breadth of capabilities as some of the other enterprise GRC vendors, it is able to provide specific depth and functionality in the fields important to its clients, most notably content management. Compliance 360 earned the highest customer satisfaction scores in our evaluation, including top marks for vendor relationship. The company's product road map will focus on enhanced audit management features and look to implement more advanced analytics.

    Protiviti. Protiviti offers a unique perspective in the enterprise GRC market with its strong consulting background, delivering especially impressive technical capabilities in risk and control management and audit management. The company also continues to innovate and develop new content-based offerings for its Governance Portal product, which is capable of addressing a variety of GRC requirements for customers. Protiviti offers a differentiating value to clients through its combination of risk management expertise and an increasingly competitive GRC platform. Protiviti will continue to build on its core audit, risk, and control management strengths while working on further integration with external and internal systems, including working with partners to deliver regulatory compliance content.

    SAP. SAP emphasizes the value o automation and cost reduction to bring its growing GRCcapabilities to its large customer base and beyond. SAP has demonstrated strong commitment

    to GRC, dedicating substantial resources to support sales, marketing, development, and

    implementations. SAP oers sophisticated risk and compliance reporting and scenario

    modeling eatures, and the companys BusinessObjects technology gives it a substantial

    advantage. SAP plans to enhance the delivery o risk and compliance and adopt a broader set

    o automated controls and analytics to remain true to its core vision o cost reduction through

    automation. As long as SAPs commitment to GRC solutions remains steady, it should continue

    to strengthen its ability to compete in the market.

    ARC Logics. Wolters Kluwer has assembled a long list o GRC oerings into its ARC Logicsbusiness through a number o acquisitions. Among these acquired products, the business

    currently markets its heavyweight eamMate suite o audit management products along with

    Axentis, a SaaS GRC platorm boasting some o the largest implementations across verticals,including pharmaceuticals and healthcare. ARC Logics vision is to help clients maximize the

    eectiveness and efciency o their audit, risk, and compliance programs. Its uture position in

    the market will hinge on how well its able to integrate these and several other product vendor

    acquisitions in order to complement Wolters Kluwers deep library o legal and regulatory

    content and services.

    SAS. SAS aims to enable customers to make better business decisions and reduce risks to help strengthen overall corporate value. The company's advanced analytics are among the best in the industry, giving customers risk modeling, scenario analysis, and other highly complex capabilities unmatched by other GRC competitors. The company has invested substantial resources to build a GRC platform that can integrate with a wide range of other SAS products, giving existing customers a wide range of additional offerings. As SAS is still an early entrant into the enterprise GRC market, it's too difficult to predict how well it will be able to compete with some of the more seasoned players in the long term; however, the company has a solid vision and strategy to take advantage of future opportunities.

    The Contender Has The Capabilities And Flexibility To Challenge Seasoned Competitors

    Enablon. Despite its relatively recent entrance into the GRC market, Enablon continues to gain traction. Enablon has a strong background in sustainability and environmental management, and the company is successfully translating these capabilities to address broader GRC needs. Although the company doesn't have a well-known brand in the enterprise GRC market yet, strong execution of its vision and strategy of enabling governance throughout customer organizations will likely help Enablon extend its GRC market presence over the next few years.


    NOTEWORTHY SPECIALISTS

    One of the most difficult aspects of the GRC Wave was to narrow the list of participating vendors. There are dozens of other vendors with GRC platform capabilities that are also relevant to the space and may be worth consideration depending on customer requirements. Examples include Active Risk (formerly Strategic Thought Group) for sophisticated project and operational risk programs, Cura Software for enterprise risk and controls management, and Qumas for quality and compliance management.1 Each of these vendors has fared well in previous Forrester GRC Waves and is still important to the market. Oracle is also a relevant vendor with a suite of GRC products, but once again the company declined to submit them for evaluation in the Forrester Wave.

    SUPPLEMENTAL MATERIAL

    Online Resource

    The online version of Figure 2 is an Excel-based vendor comparison tool that provides detailed product evaluations and customizable rankings.

    Data Sources Used In This Forrester Wave

    Forrester used a combination of two data sources to assess the strengths and weaknesses of each solution:

    Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation criteria. Once we analyzed the completed vendor surveys, we compiled the results to supplement our analysis.

    Product demos. We asked vendors to conduct demonstrations of their product's functionality. We used findings from these product demos to validate details of each vendor's product capabilities.

    The Forrester Wave Methodology

    We conduct primary research to develop a list of vendors that meet our criteria to be evaluated in this market. From that initial pool of vendors, we then narrow our final list. We choose these vendors based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have limited customer references and products that don't fit the scope of our evaluation.

    After examining past research, user need assessments, and vendor and expert interviews, we develop the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria, we gather details of product qualifications through a combination of lab evaluations, questionnaires, demos, and/or discussions with client references. We send evaluations to the vendors for their review, and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies.


    We set default weightings to reflect our analysis of the needs of large user companies and/or other scenarios as outlined in the Forrester Wave document and then score the vendors based on a clearly defined scale. These default weightings are intended only as a starting point, and we encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool. The final scores generate the graphical depiction of the market based on current offering, strategy, and market presence. Forrester intends to update vendor evaluations regularly as product capabilities and vendor strategies evolve.

    ENDNOTES

    1 With so many vendors bearing such little resemblance to each other, the market for GRC software defies logic. Vendors from diverse backgrounds began coming head-to-head with each other to compete for lucrative Sarbanes-Oxley compliance deals eight years ago, but as that market tapered off, the vendors have started to diverge once again. Of the roughly 20 most competitive GRC vendors, the specialized nature of their core competencies means that each vendor has only three to four primary competitors that they come up against on a regular basis. See the November 9, 2010, Market Overview: GRC Platforms report.

    http://www.forrester.com/go?docid=57318&src=57692pdf

    Forrester Research, Inc. (Nasdaq: FORR) is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. Forrester works with professionals in 19 key roles at major companies providing proprietary research, customer insight, consulting, events, and peer-to-peer executive programs. For more than 28 years, Forrester has been making IT, marketing, and technology industry leaders successful every day. For more information, visit www.forrester.com.

    Headquarters

    Forrester Research, Inc.

    60 Acorn Park Drive

    Cambridge, MA 02140 USA

    Tel: +1 617.613.6000

    Fax: +1 617.613.5000

    Email: [email protected]

    Nasdaq symbol: FORR

    www.forrester.com


    For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.

    Research and Sales Offices

    Forrester has research centers and sales offices in more than 27 cities internationally, including Amsterdam, Netherlands; Beijing, China; Cambridge, Mass.; Dallas, Texas; Dubai, United Arab Emirates; Frankfurt, Germany; London, UK; New Delhi, India; San Francisco, Calif.; Sydney, Australia; Tel Aviv, Israel; and Toronto, Canada.

    For the location of the Forrester office nearest you, please visit: www.forrester.com/locations.
