
The Forrester Wave GRC Platforms Q1 2014


  • Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA

    Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com

    The Forrester Wave: Governance, Risk, And Compliance Platforms, Q1 2014

    by Christopher McClean, Nick Hayes, and Renee Murphy, January 27, 2014

    For: Security & Risk Professionals

    Key Takeaways

    It's No Longer Worth Trying To Define Distinct GRC Platform Submarkets

    Unlike in previous years, in which Forrester published distinct enterprise GRC and IT GRC Forrester Waves, this report compared all of the top GRC platform vendors, regardless of their primary target markets. This reflects growing customer interest in consolidated platforms, and vendor successes that frequently span traditional boundaries.

    The Leaders Show The Greatest Ability To Support Diverse Use Cases

    EMC RSA, IBM, MetricStream, Nasdaq OMX BWise, and Rsam have all finished in the Leaders position before, and Enablon is new to the category. All six of these vendors have shown strong fundamental platform capabilities and, most importantly, the flexibility to help customers address changing market and business demands.

    The Strong Performers And Contenders Are Well Worth Considering On Shortlists

    Agiliance, CMO Compliance, LogicManager, Mega, Modulo, Protiviti, Resolver, SAI Global, SAP, Thomson Reuters, and Wynyard make up the long list of Strong Performers, all having leading capabilities and winning deals in specific focus areas. Likewise, SAS Institute and The Network are Contenders that should be strongly considered for certain use cases.

    www.forrester.com
  • © 2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com.

    For Security & Risk Professionals

    Why Read This Report

    Growing diversity in the governance, risk, and compliance (GRC) platform market is blurring the lines between historical subsegments, as organizations push their GRC programs into the far reaches of business processes and initiatives. In Forrester's 43-criteria evaluation of the 19 most relevant GRC vendors, we dug deep into their technologies and strategies to separate the Leaders from the Strong Performers and Contenders. Based on briefings, demos, customer surveys, interviews, and actual use of the products, this report presents a detailed and transparent assessment to help you select the GRC platform best able to meet your business needs.

    Table Of Contents

    GRC Technology Decisions Are Getting More Difficult ... 2

    It's Not Worth Defining Submarkets For GRC Platforms ... 2

    Governance, Risk, And Compliance Platform Evaluation Overview ... 4

    Evaluation Analysis ... 7

    Vendor Profiles ... 10

    Supplemental Material ... 15

    Notes & Resources

    Forrester conducted product evaluations in July 2013 and interviewed 18 vendor companies: CMO Compliance, Enablon, IBM OpenPages, LogicManager, Mega, MetricStream, Modulo, Nasdaq OMX BWise, Protiviti, Resolver, EMC RSA, Rsam, SAI Global, SAP, SAS Institute, The Network, Thomson Reuters, and Wynyard.

    Related Research Documents

    Assess Your GRC Program With Forrester's GRC Maturity Model, October 2, 2013 (http://www.forrester.com/go?objectid=RES100082)

    The Forrester Wave: IT Governance, Risk, And Compliance Platforms, Q4 2011, December 1, 2011 (http://www.forrester.com/go?objectid=RES57691)

    The Forrester Wave: Enterprise Governance, Risk, And Compliance Platforms, Q4 2011, November 30, 2011 (http://www.forrester.com/go?objectid=RES57692)

    The Forrester Wave: Governance, Risk, And Compliance Platforms, Q1 2014

    A Detailed Evaluation Of The 19 Most Relevant GRC Software Vendors

    by Christopher McClean, Nick Hayes, and Renee Murphy, with Stephanie Balaouras and Kelley Mak

    January 27, 2014

    www.forrester.com
  • For Security & Risk Professionals

    The Forrester Wave: Governance, Risk, And Compliance Platforms, Q1 2014 2

    © 2014, Forrester Research, Inc. Reproduction Prohibited January 27, 2014

    GRC Technology Decisions Are Getting More Difficult

    For all the growth and maturity of the GRC platform market, it's a segment that still eludes clear definitions and boundaries. Risk and compliance professionals are discovering new ways to leverage these technologies for greater efficiency and control, but now they face hard choices about how far to take them: what use cases they can support, whether to consolidate multiple applications into a single platform, and how to successfully roll out their program to build business success.

    Organizations' GRC Technology Environments Grow More Complex

    Forrester surveyed 66 GRC customer organizations for this report and found that almost half (44%) have more than one GRC platform.1 For example, after a recent implementation that took more than a year, one financial services organization with tens of thousands of employees now has six GRC platforms in production, including one that the vendor no longer supports and another that the company plans to phase out. Similarly, a compliance manager for a large energy company also described an environment with at least four GRC platform implementations, two of which were separate instances of the same product.

    Both of these customers had great things to say about the value their GRC tools deliver (a common sentiment among GRC customers); however, the strategic and tactical decisions involved in ensuring that the technology environment is efficient and effective are dizzying, to say the least.

    It's Not Worth Defining Submarkets For GRC Platforms

    For the past decade, few GRC systems could address the various risk and compliance needs of all the different parts of even a medium-size enterprise. Instead, vendors targeted the specific requirements of a single department or function, typically IT, finance, or health and safety. Now, however, vendors are shedding their past niche specialties to compete for bigger and broader deals, creating a complex marketplace of many diverse competitors. For this Forrester Wave research effort alone, Forrester considered over 50 vendors that all market GRC capabilities.

    But don't lump any vendor into this growing group based just on marketing language. A true GRC platform includes four basic functions:

    1. A relational database stores GRC data and maps its context within the organization. Fundamental to GRC is the ability to understand the relationships between risks, controls, policies, requirements, assets, processes, and other objects.

    2. A workflow engine facilitates GRC processes. This is how to make sure people know when and how to conduct assessments, audits, remediations, action plans, and other relevant tasks.


    3. Content management capabilities store critical documentation. These features allow organizations to create, review, update, distribute, and archive records such as policies and audit findings.

    4. Reporting capabilities create understanding and drive decisions. Analysis of vast GRC information is necessary for business decision-makers, auditors, regulators, and boards of directors.

    Use Cases Are Extremely Diverse, And That Diversity Will Only Increase

    Rapidly evolving business and regulatory environments constantly introduce new customer scenarios and requirements for GRC platforms. In some cases, it's heavily regulated financial firms reacting to new rules in the Dodd-Frank Act; sometimes it's manufacturing and retail firms working to improve their third-party risk management processes; and other times it's contractors managing controls and processes for major events like the Olympics or the FIFA World Cup, or a Smart Grid deployment.

    Any aspect of the organization that has performance objectives, by definition, has risks to the achievement of those objectives. For complex or especially important aspects of the organization, managing all of these risks is nearly impossible without technology, which means companies will continue to see the value that GRC platforms can bring to everything they do.

    If You Have A Specific Use Case, Adjust The Wave Weightings To Your Needs

    The Forrester Wave model is an incredibly flexible tool, enabling you to customize how much each of the 43 criteria influences the vendor rankings, which gives you a more targeted list of vendors to consider based on your specific requirements. While the Leaders in the Wave will usually remain high on the list regardless of what you change, some vendors will rise significantly with different weightings. To show you how this works, Forrester created a few additional sets of weightings based on some common initial GRC implementations:

    Corporate compliance, environmental compliance, and social responsibility. Forrester developed these weightings for scenarios where the main use of the GRC platform will be to manage policies, develop effective training and awareness, and extend the scope of the program to cover environmental health and safety. Using Forrester's suggested weighting revisions, you will see several vendors rise significantly higher on your list: CMO Compliance, Protiviti, SAI Global, and The Network (in alphabetical order). See the endnote for the detailed weighting suggestions.2

    IT GRC and third-party risk management. Use these suggested weightings if the primary function of the GRC platform will be to manage IT risks and compliance requirements both internally and across the supply chain. With these revised weightings, the vendors that rise significantly higher on your list include Agiliance, IBM, Modulo, and Protiviti (in alphabetical order). See the endnote for the detailed weighting suggestions.3


    Financial controls and operational risk. For GRC professionals working for organizations in the financial services industry or with a heavy emphasis on financial controls and operational risk, Forrester recommends customizing the criteria using weightings that focus on risk management, control monitoring and enforcement, and audit management. Emphasizing these criteria with Forrester's suggested weighting revisions, the vendors that rise most significantly on your list are IBM, Mega, Protiviti, and Resolver (in alphabetical order). See the endnote for the detailed weighting suggestions.4

    GRC Vendors And Platforms Are Improving In Maturity, But Several Issues Persist

    Customers are generally satisfied with the GRC platform they chose, often due more to the positive relationships they have with their vendor than to the specific technical capabilities. Two-thirds (66%) of GRC customers rated the overall vendor relationship with the highest levels of satisfaction (9 or 10 on a 0-10 scale), whereas only 32% gave the same marks for the product's end user experience, and an even smaller portion (28%) were very satisfied with the dashboard and analytics capabilities. Customers see the business value, but the technical functionality, ease of use, and reliability of the platform are areas where most GRC vendors still fall short.5

    Governance, Risk, And Compliance Platform Evaluation Overview

    To assess the state of the governance, risk, and compliance platform market, Forrester evaluated the strengths and weaknesses of the top software vendors.

    The Evaluation Highlighted Product Capabilities, Vendor Strategy, And Market Reach

    Based on extensive market research, an assessment of customer needs, ongoing work helping our clients develop strong GRC programs, and constant engagement with GRC vendors and practitioners, we developed a comprehensive set of 43 evaluation criteria to compare and contrast the most relevant vendors. These criteria fit into three categories:

    Current offering. The vertical axis of the Forrester Wave graphic reflects the strength of each vendor's product offering, including its capabilities to deliver content management, risk and control management, workflow management, GRC management and analytics, audit management, GRC breadth and depth, domain-specific support, and underlying technical functionality.

    Strategy. The horizontal axis measures the viability and execution of each vendor's strategy, which includes the company vision and strategy, product vision and strategy, support for GRC roles, and feedback from customer references.

    Market presence. The size of each vendor's bubble on the Forrester Wave graphic represents that vendor's presence in the GRC market, based on its financial viability, customer base, GRC staff, and global presence.


    Vendors In This Wave Have Broad Capabilities, Market Presence, And Relevance

    Forrester included 19 vendors in the assessment: Agiliance, CMO Compliance, EMC RSA, Enablon, IBM, LogicManager, Mega, MetricStream, Modulo, Nasdaq OMX BWise, Protiviti, Resolver, Rsam, SAI Global, SAP, SAS Institute, The Network, Thomson Reuters, and Wynyard. Each of these vendors has (see Figure 1):

    Capabilities to support a wide range of GRC use cases. Every vendor in the Forrester Wave has a substantial enough breadth of capabilities to address the needs of governance, risk management, and compliance professionals across multiple industries, domains, and use cases.

    Substantial market presence. All vendors evaluated in this Forrester Wave had at least 100 customer organizations and earned more than $10 million in GRC revenue during 2012.

    Relevance to the market. Inclusion in this Forrester Wave means that the vendor actively competes in the GRC market, showing up in competitive situations and discussions among Forrester clients.

    Of the 19 vendors invited to participate in our evaluation, Agiliance was the only vendor that declined the invitation. However, considering the company's past participation and continued effort to position itself as a GRC platform vendor, Forrester chose to include it in the evaluation as a nonparticipant.


    Figure 1 Evaluated Vendors: Product Information And Selection Criteria

    Source: Forrester Research, Inc.

    Vendor | Product evaluated | Product version evaluated | Product release date
    CMO International | CMO Compliance | 8 | February 2013
    EMC RSA | RSA Archer GRC | RSA Archer GRC Platform 5.4 | June 19, 2013
    Enablon | Enablon Risk Management Suite | Enablon 6 R5 | June 2013
    IBM | IBM OpenPages GRC Platform | 6.2.1 | May 19, 2013
    LogicManager | LogicManager | LogicManager 13 | June 2013
    Mega International | Mega GRC Solutions | V1R1 | June 2013
    MetricStream | MetricStream GRC Platform | 6.1 | September 2012
    Modulo | Modulo Risk Manager | Version 8.2 | July 1, 2013
    Nasdaq OMX BWise | Nasdaq OMX BWise | 4.1.4 | June 2013
    Protiviti | Governance Portal | 4 | October 2012
    Resolver | GRC Cloud | 7.1 | June 2013
    Rsam | Rsam GRC Platform | Version 8 | May 2013
    SAI Global | Compliance 360 | 2013.1 | March 2013
    SAP | SAP Risk Management, SAP Process Control | version 10.1 | July 2013
    SAS | SAS® Enterprise GRC | 6.1 | Q2 2013
    The Network | The Integrated GRC Suite | 2013.6 | June 28, 2013
    Thomson Reuters | Accelus Enterprise GRC; Accelus Risk Manager | Version 4.4; Version 4.7 | April 2012; October 2012
    Wynyard Group | Wynyard Risk Management | 8.3 | March 2013

    Vendor selection criteria

    Capabilities to support a wide range of GRC use cases. Every vendor in the Forrester Wave has a substantial enough breadth of capabilities to address the needs of governance, risk management, and compliance professionals across multiple industries, domains, and use cases.

    Substantial market presence. All vendors evaluated in this Forrester Wave had at least 100 customer organizations and earned more than $10 million in GRC revenue during 2012.

    Relevance to the market. Inclusion in this Forrester Wave means that the vendor actively competes in the GRC market, showing up in competitive situations and discussions among Forrester clients.

    Evaluation Analysis

    The evaluation uncovered a market in which (see Figure 2):

    The Leaders all show great flexibility and ability to support different GRC domains. EMC RSA, Enablon, IBM, MetricStream, Nasdaq OMX BWise, and Rsam earned a spot in the Leaders category by focusing on their breadth of capabilities and flexibility to address new and changing requirements. A common Leader characteristic is the ability to successfully support a wide range of different GRC domains and functions.

    Strong Performers are relevant for many important use cases. Agiliance, CMO Compliance, LogicManager, Mega, Modulo, Protiviti, Resolver, SAI Global, SAP, Thomson Reuters, and Wynyard may not have the same breadth of capabilities as the Leaders, but they rightfully win business over the Leaders on a fairly regular basis. For many customer needs or specific scopes of implementation, vendors in this category are the best choice to solve many key GRC challenges.

    The Contenders will give other GRC vendors strong competition in their areas of specialty. SAS Institute and The Network both have certain capabilities unmatched by the other vendors in this evaluation and will continue to win deals in the GRC space. They still have work to do to build out their breadth of capabilities enough to be considered comprehensive GRC platforms, but if they continue with their current level of commitment, they'll be important vendors in the market.

    This evaluation of the GRC platform market is intended to be a starting point only. We encourage clients to view detailed product evaluations and adapt criteria weightings to fit their individual needs through the Forrester Wave Excel-based vendor comparison tool.


    Figure 2 Forrester Wave: Governance, Risk, And Compliance Platforms, Q1 14

    Source: Forrester Research, Inc.

    [Wave graphic. Horizontal axis: Strategy, from weak to strong. Vertical axis: Current offering, from weak to strong. Bubble size indicates market presence; the legend distinguishes full vendor participation from incomplete vendor participation. Segments from left to right: Risky Bets, Contenders, Strong Performers, Leaders. Vendors plotted: Agiliance, CMO Compliance, EMC RSA, Enablon, IBM, LogicManager, Mega, MetricStream, Modulo, Nasdaq OMX BWise, Protiviti, Resolver, Rsam, SAI Global, SAP, SAS Institute, The Network, Thomson Reuters, and Wynyard. Go online to download the Forrester Wave tool for more detailed product evaluations, feature comparisons, and customizable rankings.]


    Figure 2 Forrester Wave: Governance, Risk, And Compliance Platforms, Q1 14 (Cont.)

    Source: Forrester Research, Inc.

    Criterion | Forrester's weighting | Agiliance | CMO Compliance | EMC RSA | Enablon | IBM | LogicManager | Mega | MetricStream | Modulo | Nasdaq OMX BWise
    CURRENT OFFERING | 50% | 3.30 | 3.18 | 4.09 | 3.98 | 3.91 | 2.68 | 3.69 | 4.79 | 3.45 | 4.34
    Content management | 15% | 3.00 | 4.00 | 4.25 | 3.75 | 3.50 | 1.75 | 2.50 | 4.75 | 2.75 | 4.75
    Risk and control management | 15% | 4.20 | 2.70 | 4.60 | 4.20 | 4.60 | 3.20 | 4.80 | 5.00 | 4.20 | 4.70
    Workflow management | 15% | 3.00 | 3.00 | 3.00 | 4.00 | 4.00 | 3.00 | 5.00 | 5.00 | 4.00 | 3.00
    GRC management and analytics | 15% | 3.50 | 2.50 | 4.00 | 4.00 | 4.50 | 2.50 | 4.00 | 4.50 | 3.00 | 4.50
    Audit management | 10% | 1.35 | 3.70 | 3.65 | 4.35 | 4.35 | 3.05 | 4.00 | 4.65 | 2.40 | 4.65
    GRC breadth and depth | 10% | 3.00 | 2.40 | 5.00 | 3.00 | 3.80 | 1.60 | 2.80 | 5.00 | 3.80 | 3.80
    Domain-specific support | 0% | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00
    Technical functionality | 20% | 4.05 | 3.70 | 4.25 | 4.25 | 3.00 | 3.25 | 2.80 | 4.70 | 3.70 | 4.75
    STRATEGY | 50% | 2.81 | 3.25 | 4.06 | 3.57 | 3.39 | 3.42 | 2.45 | 4.15 | 3.06 | 4.36
    Company vision and strategy | 40% | 2.30 | 3.00 | 4.70 | 3.30 | 3.70 | 2.30 | 2.30 | 5.00 | 3.00 | 4.00
    Product vision and strategy | 20% | 3.40 | 4.20 | 3.00 | 2.60 | 3.60 | 4.20 | 2.20 | 3.60 | 2.20 | 3.80
    Support for GRC roles | 10% | 3.05 | 3.05 | 3.75 | 4.10 | 4.05 | 3.40 | 3.70 | 4.40 | 2.75 | 5.00
    Customer references | 30% | 3.00 | 3.00 | 4.00 | 4.40 | 2.60 | 4.40 | 2.40 | 3.30 | 3.80 | 5.00
    MARKET PRESENCE | 0% | 1.74 | 1.95 | 4.43 | 2.88 | 3.51 | 2.38 | 2.64 | 3.40 | 3.41 | 4.50
    Financial viability | 35% | 1.50 | 1.50 | 5.00 | 2.50 | 5.00 | 1.50 | 2.00 | 4.00 | 3.50 | 5.00
    Customer base | 35% | 1.75 | 1.50 | 4.00 | 2.50 | 2.25 | 4.00 | 2.75 | 2.50 | 3.25 | 4.00
    GRC staff size | 15% | 2.00 | 2.00 | 5.00 | 4.00 | 3.00 | 1.00 | 2.00 | 5.00 | 4.00 | 5.00
    Global presence | 15% | 2.00 | 4.00 | 3.50 | 3.50 | 3.50 | 2.00 | 4.50 | 2.50 | 3.00 | 4.00

    All scores are based on a scale of 0 (weak) to 5 (strong).


    Figure 2 Forrester Wave: Governance, Risk, And Compliance Platforms, Q1 14 (Cont.)

    Source: Forrester Research, Inc.

    Criterion | Forrester's weighting | Protiviti | Resolver | Rsam | SAI Global | SAP | SAS Institute | The Network | Thomson Reuters | Wynyard
    CURRENT OFFERING | 50% | 3.45 | 3.56 | 4.23 | 2.85 | 3.48 | 2.69 | 2.11 | 3.11 | 3.31
    Content management | 15% | 3.50 | 3.00 | 3.75 | 3.50 | 1.75 | 1.25 | 4.50 | 2.75 | 2.50
    Risk and control management | 15% | 4.60 | 4.50 | 5.00 | 3.60 | 4.30 | 3.60 | 1.50 | 3.30 | 4.00
    Workflow management | 15% | 3.00 | 5.00 | 5.00 | 3.00 | 4.00 | 3.00 | 3.00 | 4.00 | 4.00
    GRC management and analytics | 15% | 3.00 | 2.50 | 4.50 | 2.50 | 4.50 | 3.50 | 0.50 | 2.50 | 3.50
    Audit management | 10% | 4.30 | 3.70 | 3.70 | 3.00 | 3.40 | 2.70 | 0.70 | 4.00 | 3.00
    GRC breadth and depth | 10% | 3.00 | 3.00 | 3.60 | 2.40 | 3.80 | 2.40 | 0.60 | 3.00 | 3.00
    Domain-specific support | 0% | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00
    Technical functionality | 20% | 3.00 | 3.20 | 3.80 | 2.10 | 2.90 | 2.40 | 2.75 | 2.65 | 3.05
    STRATEGY | 50% | 2.56 | 2.40 | 3.90 | 3.18 | 3.45 | 2.07 | 2.63 | 3.38 | 3.67
    Company vision and strategy | 40% | 3.30 | 2.30 | 3.70 | 3.70 | 4.00 | 2.30 | 1.70 | 4.00 | 3.30
    Product vision and strategy | 20% | 1.80 | 4.20 | 4.40 | 2.60 | 2.00 | 2.40 | 4.20 | 3.00 | 4.20
    Support for GRC roles | 10% | 4.00 | 3.40 | 3.40 | 3.70 | 3.70 | 2.80 | 3.00 | 3.95 | 3.05
    Customer references | 30% | 1.60 | 1.00 | 4.00 | 2.70 | 3.60 | 1.30 | 2.70 | 2.60 | 4.00
    MARKET PRESENCE | 0% | 2.14 | 2.00 | 2.09 | 2.91 | 4.28 | 2.40 | 2.54 | 4.05 | 2.81
    Financial viability | 35% | 2.50 | 1.50 | 2.00 | 3.50 | 4.50 | 3.00 | 2.00 | 4.50 | 2.50
    Customer base | 35% | 1.25 | 2.50 | 2.25 | 2.25 | 4.50 | 1.50 | 3.75 | 4.50 | 2.75
    GRC staff size | 15% | 2.00 | 2.00 | 2.00 | 3.00 | 3.00 | 2.00 | 2.00 | 3.00 | 2.00
    Global presence | 15% | 3.50 | 2.00 | 2.00 | 3.00 | 4.50 | 3.50 | 1.50 | 3.00 | 4.50

    All scores are based on a scale of 0 (weak) to 5 (strong).
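    The axis scores in the Figure 2 table are weighted means of the sub-criterion scores, and the earlier advice to adjust the Wave weightings to your use case is simply a change to those weights. The following Python script is an added example, not code from Forrester or this report: it transcribes the published default weightings and the sub-scores of five vendors from the table, reproduces their printed axis scores (every printed value matches half-up rounding to two decimals), and then re-ranks the same vendors under a constructed content-management-heavy weighting (CONTENT_HEAVY) that illustrates the mechanism and is not one of the endnote weighting sets the report refers to.

```python
"""Weighted scoring behind a Forrester Wave axis score, re-implemented.

Added example, not code from Forrester or this report. DEFAULT_WEIGHTS and the
sub-criterion scores of five vendors are transcribed from the report's Figure 2
score table; CONTENT_HEAVY is a constructed weighting used only to illustrate
re-ranking, not one of the report's endnote weighting sets."""

from decimal import Decimal, ROUND_HALF_UP

# Criteria in the order they appear in the score table, grouped by Wave axis.
CRITERIA = {
    "Current offering": [
        "Content management", "Risk and control management",
        "Workflow management", "GRC management and analytics",
        "Audit management", "GRC breadth and depth",
        "Domain-specific support", "Technical functionality",
    ],
    "Strategy": [
        "Company vision and strategy", "Product vision and strategy",
        "Support for GRC roles", "Customer references",
    ],
    "Market presence": [
        "Financial viability", "Customer base", "GRC staff size", "Global presence",
    ],
}

# Forrester's published weightings, in percent, in CRITERIA order (each sums to 100).
DEFAULT_WEIGHTS = {
    "Current offering": [15, 15, 15, 15, 10, 10, 0, 20],
    "Strategy": [40, 20, 10, 30],
    "Market presence": [35, 35, 15, 15],
}

# Sub-criterion scores (0 = weak, 5 = strong) transcribed from Figure 2, kept as
# strings so that Decimal arithmetic is exact.
SCORES = {
    "IBM": {
        "Current offering": ["3.50", "4.60", "4.00", "4.50", "4.35", "3.80", "0.00", "3.00"],
        "Strategy": ["3.70", "3.60", "4.05", "2.60"],
        "Market presence": ["5.00", "2.25", "3.00", "3.50"],
    },
    "LogicManager": {
        "Current offering": ["1.75", "3.20", "3.00", "2.50", "3.05", "1.60", "0.00", "3.25"],
        "Strategy": ["2.30", "4.20", "3.40", "4.40"],
        "Market presence": ["1.50", "4.00", "1.00", "2.00"],
    },
    "MetricStream": {
        "Current offering": ["4.75", "5.00", "5.00", "4.50", "4.65", "5.00", "0.00", "4.70"],
        "Strategy": ["5.00", "3.60", "4.40", "3.30"],
        "Market presence": ["4.00", "2.50", "5.00", "2.50"],
    },
    "Protiviti": {
        "Current offering": ["3.50", "4.60", "3.00", "3.00", "4.30", "3.00", "0.00", "3.00"],
        "Strategy": ["3.30", "1.80", "4.00", "1.60"],
        "Market presence": ["2.50", "1.25", "2.00", "3.50"],
    },
    "The Network": {
        "Current offering": ["4.50", "1.50", "3.00", "0.50", "0.70", "0.60", "0.00", "2.75"],
        "Strategy": ["1.70", "4.20", "3.00", "2.70"],
        "Market presence": ["2.00", "3.75", "2.00", "1.50"],
    },
}

# Axis scores as printed in Figure 2: (current offering, strategy, market presence).
PUBLISHED = {
    "IBM": ("3.91", "3.39", "3.51"),
    "LogicManager": ("2.68", "3.42", "2.38"),
    "MetricStream": ("4.79", "4.15", "3.40"),
    "Protiviti": ("3.45", "2.56", "2.14"),
    "The Network": ("2.11", "2.63", "2.54"),
}

# Constructed weighting that favours policy and content work; not Forrester's.
CONTENT_HEAVY = {**DEFAULT_WEIGHTS, "Current offering": [40, 10, 15, 5, 5, 5, 0, 20]}


def weighted_score(scores, weights):
    """Weighted mean of sub-criterion scores; weights are percentages summing to 100."""
    if sum(weights) != 100:
        raise ValueError(f"weights sum to {sum(weights)}%, not 100%")
    total = sum(Decimal(s) * w for s, w in zip(scores, weights)) / Decimal(100)
    # Every printed axis score in Figure 2 matches half-up rounding to two decimals.
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def axis_scores(vendor, weights=DEFAULT_WEIGHTS):
    """All three axis scores for one vendor under the given weighting."""
    return {axis: weighted_score(SCORES[vendor][axis], weights[axis]) for axis in CRITERIA}


def rank(axis, weights=DEFAULT_WEIGHTS):
    """Vendors ordered by one axis score, highest first (ties broken by name)."""
    scored = {vendor: axis_scores(vendor, weights)[axis] for vendor in SCORES}
    return sorted(scored, key=lambda vendor: (-scored[vendor], vendor))


def mismatches_with_published():
    """(vendor, axis, computed, printed) for any axis score that does not reproduce."""
    bad = []
    for vendor, printed in PUBLISHED.items():
        computed = axis_scores(vendor)
        for axis, expected in zip(CRITERIA, printed):
            if computed[axis] != Decimal(expected):
                bad.append((vendor, axis, str(computed[axis]), expected))
    return bad


if __name__ == "__main__":
    print("mismatches against Figure 2:", mismatches_with_published())
    for label, weights in (("default", DEFAULT_WEIGHTS), ("content-heavy", CONTENT_HEAVY)):
        ordered = rank("Current offering", weights)
        print(label, [(v, str(axis_scores(v, weights)["Current offering"])) for v in ordered])
```

    Under the constructed weighting The Network moves above LogicManager on the current offering axis while MetricStream stays on top, which is the pattern the report describes: Leaders tend to hold their place, and vendors with a strong niche rise when the weights favour it. The sum check in weighted_score rejects any edited weighting that no longer adds to 100%, the most common mistake when customizing the Wave spreadsheet by hand.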

    Vendor Profiles

    Leaders

    MetricStream is growing quickly and demonstrating impressive product enhancements. MetricStream's vision is to embed GRC in the day-to-day functions of all employees, and its strategy reflects this broad vision by targeting a wide range of industries, users, and use cases. MetricStream offers great capabilities in content management, risk and control management, workflow management, GRC management and analytics, and GRC breadth and depth. The MetricStream GRC platform provides high-level building blocks with reusable code libraries for customers, partners, or MetricStream staff to design and configure applications in line with specific GRC needs. The company's fast growth is a disruptive force in the market, and its continued success will count on its ability to maintain customer satisfaction amid that growth.


    BWise once again shows strengths in all major criteria. A Nasdaq OMX company, BWise's strengths shone in content management, risk and control management, GRC management and analytics, audit management, and technical functionality. The BWise platform has impressive document management capabilities and offers integration with other relevant technologies such as Nasdaq's whistleblower, board management, transaction monitoring, and media monitoring products. As BWise continues to integrate with the Nasdaq OMX technology ecosystem, it will ultimately become a lot more focused on solving the biggest challenges related to corporate governance. At this point, however, BWise's strategy is very strong in support of all GRC roles and continues to earn exceptional customer satisfaction scores.

    EMC RSA continues its leadership, building on its already large customer base. Archer, owned by EMC RSA, continues to be one of the biggest brands in the GRC platform market, with a strong focus on financial services and growing emphasis on insurance, energy, and government. Archer addresses a wide range of GRC use cases, including policy, risk, compliance, audit, vendor, business continuity, and threat and incident management. It also offers an application builder to support clients and partners as they create applications to meet different GRC requirements. The company has invested heavily to expand the platform's already substantial breadth of capabilities with new Focused Solutions, and its growing customer base will assure that it remains a strong competitor in the GRC market for the foreseeable future.

    Rsam is showing strong innovation and success against bigger rivals. Relatively small compared with its top GRC platform competitors, Rsam has demonstrated strong commitment to product development and innovation. The Rsam platform is a robust tool with a large number of premapped risks and controls as well as terrific integration and workflow capabilities. It's a flexible, intuitive platform with a recently redesigned user interface. The company's ability to sustain this level of competition will depend on continued product innovation and its ability to strengthen market presence through partnerships or other investments.

    Enablon has quickly grown much more relevant in the GRC market. Enablon has a unique vision that incorporates support for customers' strategy, risk, performance, and sustainability efforts, and the company considers its EHS management to be one of its main differentiators in the market. Enablon offers a number of unique GRC communication and collaboration capabilities, such as its Wizness platform, which provides users a social networking experience to improve their ability to share GRC best practices and technical advice. Enablon's go-to-market strategy and product enhancements have led it beyond its historic EHS roots to address a much broader set of GRC use cases.

    IBM OpenPages has historic success in and a dedicated focus on financial services. With OpenPages, IBM still maintains one of the strongest brands in the GRC platform market, and there is vast potential for the OpenPages platform to integrate with other technologies and services throughout IBM. OpenPages supports a variety of third-party content and offers integration with IBM's Algo FIRST loss database to supplement customers' internal loss data. For advanced risk analysis, OpenPages integrates with IBM Algorithmics to provide analysis for credit, liquidity, and market risk. As these capabilities show, the company's primary focus continues to be operational risk in the financial services and insurance industries. While this has decreased OpenPages' participation in competitive deals outside of financial services, the company is currently executing plans to extend its presence in other industries as well. In the meantime, IBM OpenPages still has clear competitive advantages that will help it maintain a strong position in the market.

    strong Performers

    Wynyard is a company in transition, demonstrating leadership along the way. Formerly Methodware, Wynyard showed strength in its risk management capabilities and strong product vision and strategy. The company explains that it has a tight focus on intelligence-led risk solutions, which leverage the legacy Methodware platform and other Wynyard portfolio products, including threat intelligence, investigation capabilities, digital forensics, and financial crime solutions, to create a hard-to-copy, multi-faceted solution. Wynyard went public in June 2013 and continues to expand its strong global customer base.

    SAP leverages an enormous client base and product innovations to build its leadership. Focusing on the value of automation and cost reduction, SAP is particularly well suited for GRC management and analytics requirements, offering strong risk quantification, continuous control monitoring, and risk and control management capabilities. SAP has continued to develop its GRC portfolio, primarily by integrating with business applications and aligning with other SAP technical initiatives, such as analytics, mobile support, and the SAP HANA database. SAP's success can be seen in its very large and growing customer base, and the company expects to continue investing in the growth of its GRC business.

    Modulo continues its transition into a tech vendor, impressing with innovative use cases. Modulo's vision, strategy, and execution show substantial ongoing investment as it continues to evolve from a services firm into more of a technology vendor. Although more than half of the company's revenue comes from services, it reported an outstanding 70% growth in its software business in 2013. And while the vast majority of its customers are headquartered in South America, the company is increasing its North America adoption with personnel investments and by extending its product to handle use cases well beyond its IT security roots. The solution has great GRC breadth and depth, offering strong integration capabilities and addressing vertical market needs through strategic consulting and business partners. Modulo also has some of the most diverse use cases in the market.

    Thomson Reuters has strong capabilities and continues to invest in its portfolio. Thomson Reuters demonstrates its commitment to GRC with investments and acquisitions to strengthen its portfolio of offerings. The product has a good depth of functionality across the board with especially strong audit management capabilities. While the integrations among its various acquired products are taking time and yielding only incremental benefits, Thomson Reuters is ultimately putting together an impressive set of product capabilities and services that will make it an important force in the GRC platform market.

    CMO Compliance has a global presence and strong product strategy. CMO Compliance is focused on asset-intensive industries like oil and gas, energy, government, healthcare, and contractors, and its ability to target different industries is primarily based on its content partners and product flexibility. The company's offerings are tailored for regulatory compliance, enterprise risk management, environmental health and safety, quality management, and audit. Few competitors share the company's level of product vision and strategy or global presence. The company serves its target industries with more focus on environmental, health, and safety than most other vendors in this report, but still competes heavily with many of them.

    Mega solves complex challenges by merging its GRC and enterprise architecture solutions. Mega's unique vision is to help customers achieve operational excellence with the combined capabilities of its enterprise architecture and GRC technologies. Mega has showcased its superb risk and control management, GRC management, and audit management capabilities. The company has shown ongoing product improvements and innovation, with a heavy focus on the financial services industry. Mega's ability to compete as a top vendor in the long term will depend largely on whether the market accepts the company's unique vision.

    Agiliance has a heavy focus on IT risk management, with relevant IT security capabilities. Agiliance primarily markets to IT security and IT risk management organizations, with its strongest capabilities being risk management, reporting and analytics, and integration. The company touts its key differentiators as offering quick time-to-value, scalability, and the ability to connect its platform with other IT and security products. Agiliance is a frequent participant and winner in various industry award competitions; however, it seems to have fallen behind its closest competitors in product advancements and competition in large GRC deals. Agiliance is still fairly small compared with most Leaders and other Strong Performers, so its future success will depend largely on how well its large IT partners leverage their relationship and how well its solutions live up to its claims of fast time-to-value.

    LogicManager focuses on ERM, competing on price, ease, and flexibility. LogicManager is still a relatively small vendor, with a clear vision to address enterprise risk management and related functions from the top down and bottom up, as well as a goal to deliver solutions that are easy and fast to implement. LogicManager aims to make its GRC platform flexible enough that customers do not need to customize through professional services, except in rare instances. While it does not have the strongest offering across the board, third-party partnerships allow users to fill in additional capabilities. LogicManager's competitive advantages are largely based on its approach to ERM, its range of content partners, its comparatively lower price, and the professional services offered standard as part of the software license.

    SAI Global extends to new verticals by leveraging more internal assets. SAI Global's GRC business has a legacy of strong performance targeting the healthcare and insurance industries, with specialized content and purpose-built solutions. The Compliance 360 platform has solid capabilities in content management and risk and control management, with growing proficiency across a variety of verticals. While SAI Global will continue to be a force in the general compliance market, the company's ability to continue competing in the GRC platform market depends on its ability to leverage partnerships with organizations like ErmsCo, to configure the product to address a wider range of industries and use cases, and to leverage more value from other SAI Global assets.

    Protiviti, known for consulting, offers a product that competes on its own merit. Protiviti is most relevant in the GRC market because of the combination of its technical offerings and its breadth of consulting capabilities; however, the company's GRC platform is a worthy competitor in its own right. The company has shown ongoing improvement in product capabilities, vertical solutions, and content developed internally and with partners. Protiviti's ability to compete relies primarily on its ability to target implementations that suit its strengths in audit, policy and control management, and consulting expertise.

    Resolver goes to market with a cohesive strategy on top of its merged GRC capabilities. Formed by the merger of BPS and Resolver in January 2010, Resolver brings together the former's strength in supporting GRC processes in financial services with the latter's pedigree in risk management implementations for utility and natural resource companies. Somewhat smaller than many of its closer competitors, Resolver offers a unified solution with the flexibility to be configured to meet unique organizational needs. Resolver's strength is in its powerful workflow management and audit management capabilities. While it has a broad vertical strategy, steady growth, and a focus on ease-of-use product offerings, Resolver will have to execute extremely well to maintain and grow its competitive position.

    Contenders

    SAS offers a state-of-the-art analytics engine, but governance and compliance fall short. One of the core differentiating capabilities of SAS GRC is its ability to measure and quantify risk, and the company primarily competes in deals that have a heavy emphasis on risk analytics or requirements to aggregate both financial and operational risk. The company is developing a noticeable presence in the GRC market despite still being a relatively new entrant, and there is a visible commitment to introducing additional products related to GRC. SAS will maintain competitive advantages in these deals but still needs work to compete for broad enterprise GRC deals.


    The Network offers an impressive compliance solution, but little else. The Network is a new entrant into the GRC space, and its go-to-market strategy is to address compliance challenges relevant to a wide range of organizations, with flexibility to support industry-specific compliance initiatives when necessary. While it lacks some key GRC platform components, The Network's core GRC capabilities focus on its full content management functionality and workflow management. The company will need to start building out more of its risk and analytics capabilities to contend as a comprehensive GRC solution, but in the meantime, it will still challenge GRC platform competitors in a large number of deals.

    Supplemental Material

    Online Resource

    The online version of Figure 2 is an Excel-based vendor comparison tool that provides detailed product evaluations and customizable rankings.

    Data Sources Used In This Forrester Wave

    Forrester used a combination of four data sources to assess the strengths and weaknesses of each solution:

    Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation criteria. Following the analysis of the completed vendor surveys, we compiled the results to supplement our analysis.

    Product demos. We asked vendors to conduct demonstrations of their products' functionality. We used findings from these product demos to validate details of each vendor's product capabilities.

    Product sandbox environments. We asked vendors to provide us with an environment where we could evaluate different aspects of the application ourselves. The vendors created user profiles with sample organizational data and made the environments available to us for a limited window of time as part of our evaluation process.

    Customer reference calls. To validate product and vendor qualifications, Forrester also conducted reference surveys and calls with 3 of each vendor's current customers.

    The Forrester Wave Methodology

    We conduct primary research to develop a list of vendors that meet our criteria to be evaluated in this market. From that initial pool of vendors, we then narrow our final list. We choose these vendors based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have limited customer references and products that don't fit the scope of our evaluation.

    After examining past research, user need assessments, and vendor and expert interviews, we develop the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria, we gather details of product qualifications through a combination of sandbox evaluations, questionnaires, demos, and/or discussions with client references. We send evaluations to the vendors for their review, and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies.

    We set default weightings to reflect our analysis of the needs of large user companies and/or other scenarios as outlined in the Forrester Wave document and then score the vendors based on a clearly defined scale. These default weightings are intended only as a starting point, and we encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool. The final scores generate the graphical depiction of the market based on current offering, strategy, and market presence. Forrester intends to update vendor evaluations regularly as product capabilities and vendor strategies evolve. For more information on the methodology that every Forrester Wave follows, go to http://www.forrester.com/marketing/policies/forrester-wave-methodology.html.

    Integrity Policy

    All of Forrester's research, including Forrester Waves, is conducted according to our Integrity Policy. For more information, go to http://www.forrester.com/marketing/policies/integrity-policy.html.

    Methodology

    Forrester fielded its Q3 2013 Global Governance, Risk, And Compliance Platforms Forrester Wave Customer Reference Online Survey to 66 individuals who are current clients of the vendors included in our Forrester Wave evaluation. Each vendor was asked to supply a minimum of 3 customers. For quality assurance, panelists are required to provide contact information and answer basic questions about their firm's usage of the product, revenue, and budgets.

    Forrester fielded the survey from July 2013 to August 2013. Respondent incentives included a copy of the published research.

    Endnotes

    1 Source: Q3 2013 Global Governance, Risk, And Compliance Platforms Forrester Wave Customer Reference Online Survey.

    2 First, change the Current Offering to 80% and Strategy to 20%. Then change the criteria weightings as follows: Content management (50%), Document management (34%), Content distribution and communication (33%), Employee input (33%), Risk and control management, and all subcriteria (0%), Workflow management (0%), GRC management and analytics (5%), Risk quantification and analysis (0%), Dashboard capabilities and reporting (100%), Audit management and all subcriteria (0%), GRC breadth and depth and all subcriteria (0%), Domain-specific support (25%), CSR and environmental risk management (20%), Corporate compliance management and training (80%), Technical functionality (20%), Integration capabilities (5%), Organizational context (5%), Collaboration and communication support (25%), End user experience (45%), Access management (0%), Language support (25%), Company vision and strategy (10%), Vertical strategy (30%), Sustainability of competitive advantages (70%), Product vision and strategy (20%), Implementation and maintenance costs (40%), Delivery models (20%), Product version support and custom code (40%), Support GRC roles (40%), Ability to support governance roles (20%), Ability to support risk management roles (0%), Ability to support compliance roles (80%).

    3 First, change the Current Offering to 80% and Strategy to 20%. Then change the criteria weightings as follows: Content management (5%), Document management (80%), Content distribution and communication (20%), Employee input (0%), Risk and control management (15%), Risk and control mapping (65%), Risk and control measurement (10%), Manual assessment capabilities (5%), Control monitoring and enforcement (20%), Workflow management (5%), GRC management and analytics (15%), Risk quantification and analysis (30%), Dashboard capabilities and reporting (70%), Audit management (5%), Audit data integration (60%), Work paper management (35%), Audit resource and project management (5%), GRC breadth and depth (10%), Flexibility to address use cases (50%), Overall breadth and depth of GRC domain support (50%), Domain-specific support (25%), IT GRC (60%), Financial controls management (0%), Third-party risk management (40%), CSR and environmental risk management (0%), Corporate compliance management and training (0%), Technical functionality (20%), Integration capabilities (60%), Organizational context (10%), Collaboration and communication support (5%), End user experience (5%), Access management (0%), Language support (20%), Company vision and strategy (40%), Vertical strategy (30%), Sustainability of competitive advantages (70%), Product vision and strategy (20%), Implementation and maintenance costs (40%), Delivery models (20%), Product version support and custom code (40%), Support GRC roles (10%), Ability to support governance roles (30%), Ability to support risk management roles (35%), Ability to support compliance roles (35%).

    4 First, change the Current Offering to 80% and Strategy to 20%. Then change the criteria weightings as follows: Content management (10%), Document management (40%), Content distribution and communication (40%), Employee input (20%), Risk and control management (10%), Risk and control mapping (30%), Risk and control measurement (30%), Manual assessment capabilities (30%), Control monitoring and enforcement (10%), Workflow management (10%), GRC management and analytics (10%), Risk quantification and analysis (50%), Dashboard capabilities and reporting (50%), Audit management (5%), Audit data integration (35%), Work paper management (35%), Audit resource and project management (30%), GRC breadth and depth (5%), Flexibility to address use cases (100%), Overall breadth and depth of GRC domain support (0%), Domain-specific support (30%), IT GRC (0%), Financial controls management (100%), Third-party risk management (0%), CSR and environmental risk management (0%), Corporate compliance management and training (0%), Technical functionality (20%), Integration capabilities (20%), Organizational context (30%), Collaboration and communication support (10%), End user experience (30%), Access management (0%), Language support (10%), Company vision and strategy (30%), Vertical strategy (0%), Sustainability of competitive advantages (100%), Product vision and strategy (25%), Implementation and maintenance costs (40%), Delivery models (20%), Product version support and custom code (40%), Support GRC roles (10%), Ability to support governance roles (30%), Ability to support risk management roles (35%), Ability to support compliance roles (35%).

    5 Source: Q3 2013 Global Governance, Risk, And Compliance Platforms Forrester Wave Customer Reference Online Survey.

    Forrester Research (Nasdaq: FORR) is a global research and advisory firm serving professionals in 13 key roles across three distinct client segments. Our clients face progressively complex business and technology decisions every day. To help them understand, strategize, and act upon opportunities brought by change, Forrester provides proprietary research, consumer and business data, custom consulting, events and online communities, and peer-to-peer executive programs. We guide leaders in business technology, marketing and strategy, and the technology industry through independent fact-based insight, ensuring their business success today and tomorrow. 106501

    Forrester Focuses On Security & Risk Professionals

    To help your firm capitalize on new business opportunities safely, you must ensure proper governance oversight to manage risk while optimizing security processes and technologies for future flexibility. Forrester's subject-matter expertise and deep understanding of your role will help you create forward-thinking strategies; weigh opportunity against risk; justify decisions; and optimize your individual, team, and corporate performance.

    Sean Rhodes, client persona representing Security & Risk Professionals

    About Forrester

    A global research and advisory firm, Forrester inspires leaders, informs better decisions, and helps the world's top companies turn the complexity of change into business advantage. Our research-based insight and objective advice enable IT professionals to lead more successfully within IT and extend their impact beyond the traditional IT organization. Tailored to your individual role, our resources allow you to focus on important business issues: margin, speed, growth first, technology second.

    For More Information

    To find out how Forrester Research can help you be successful every day, please contact the office nearest you, or visit us at www.forrester.com. For a complete list of worldwide locations, visit www.forrester.com/about.

    Client Support

    For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.