
Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms
13 October 2010
French Caldwell
Gartner RAS Core Research Note

G00206382

The EGRC platform market has expanded from a tactical focus on regulatory compliance to a strategic focus on enterprise risk management. Many vendors are looking toward the next market phase, which includes adding or integrating with business performance management and scorecarding capabilities.

What You Need to Know

This Gartner Magic Quadrant for enterprise governance, risk and compliance (EGRC) platforms (see Note 1) presents a global view of Gartner's assessment of the main software vendors that should be considered by organizations seeking a technology solution to support the oversight and operation of enterprisewide risk management and compliance programs, with the overall objective being improvements in corporate governance and the ability to achieve business objectives.

Buyers should evaluate vendors in all four quadrants. Most of the vendors from the Niche Players quadrant have recently met the inclusion criteria for the Magic Quadrant by either meeting the revenue and customer criteria or having added additional functionality. They bring some unique approaches to the market that can be of value to many companies. Vendors in the Visionaries quadrant are driving innovation in the market through integration with business process modeling, continuous controls monitoring, and other advanced capabilities beyond the core functions required to be in the Magic Quadrant. Leaders too are innovating with advanced capabilities, have large customer bases, have solid capabilities in the core platform functions (audit management, compliance management, risk management and policy management) and have executed across several industries, with support for multiple professional roles. Challengers have executed well, but lag the Leaders in advancing their range of advanced GRC capabilities for specific industries or professional roles, or they have a functional or architectural challenge that should be closed.

The placement of the vendors and commentary in this Magic Quadrant (see Figure 1) are based on multiple sources. Customer perceptions of each vendor's strengths and challenges are derived from EGRC-related inquiries with Gartner and an e-mail survey of vendor customers conducted in June and July 2010. The evaluations also have drawn from vendor briefings, a vendor-completed questionnaire about their EGRC platform strategies and operations, scripted product demonstration sessions with vendors, and other publicly available and proprietary financial, product and vendor information.

Note 1: Defining the Relationship of Governance, Risk Management and Compliance

"Governance," "risk management" and "compliance" are general terms that can apply to a wide range of products, IT initiatives and business requirements. These three terms have many valid definitions throughout the Gartner client base. These definitions illustrate the relationship of the three terms:

Governance: The process by which policies are set and decision making is executed.
Risk Management: The process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions, going beyond which creates an unacceptable level of uncertainty. Risks are addressed with a balance of mitigation through the application of controls, transfer through insurance, and avoidance or acceptance through governance mechanisms.
Compliance: The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements.

Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms http://www.gartner.com/technology/media products/reprints/metricstream/vol3/article2/article2.html [24/11/2010 13:37:47]

Magic Quadrant

Figure 1. Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms
Source: Gartner (October 2010)

Market Overview

The Enterprise Governance, Risk and Compliance Platform Market

The EGRC platform market derives from the need for many entities to improve the oversight of corporate governance, including financial reporting compliance, enterprise risk management (ERM) and related audits. Many organizations also want to consolidate other GRC activities into a common platform. Therefore, an EGRC platform must solve the immediate GRC management (GRCM) needs associated with corporate governance and also enable an enterprise to pursue future consolidation and integration of a diverse set of GRC activities.

GRCM is defined as the automation of the management, measurement, remediation and reporting of controls and risks against objectives, in accordance with rules, regulations, standards, policies and business decisions. Many enterprises typically consider a GRCM application to satisfy a specific requirement, such as Sarbanes-Oxley compliance, an industry-specific regulation or operational risk management (ORM) for a business process. However, enterprises often have other GRCM activities in mind, such as audit management, additional regulations, IT governance, remediation management and policy management, which they eventually may integrate into a more consolidated EGRC approach. During the past 18 months, ERM has overtaken compliance as the leading reason for implementing an EGRC platform. Related to ERM, there is an emerging demand to link GRCM to business performance objectives.

Most enterprises are also looking for solutions that support their strategies for more controls automation, which falls outside the scope of GRCM, but the reporting from continuous controls monitoring of ERP and other controls automation in the IT infrastructure needs to be integrated into the EGRC platform. Although they may have an immediate, specific GRCM requirement in mind, many enterprises are concerned that point solutions will impede their holistic visions. In response, there is a slow trend toward the convergence of IT GRCM and EGRC platform solutions. Some EGRC platform vendors are also starting to add content and capabilities to meet operational GRC needs, such as environmental, health and safety (EH&S) compliance and business continuity planning. Overall, EGRC platform vendors are adding capabilities across a wide spectrum of financial, IT, operational and legal needs.

IT GRCM Offerings of EGRC Platform Vendors

EGRC platforms serve organizations that take an enterprise approach to compliance and risk management, and that want to have all business units, including the IT organization, on the same GRCM solution. Most vendors with EGRC platforms offer modest IT governance automation functions. At a minimum, EGRC vendors offer the capability to document, survey, and report IT risks and controls, but some may lack IT-specific content. Some vendors also provide support for an IT asset repository, IT policy management, and the automated collection of IT controls data. Organizations with a primary interest in IT-centric GRCM requirements should be aware that most EGRC platforms balance finance, operational and IT requirements at the expense of IT-centric depth.

Gartner is monitoring the potential convergence of IT GRCM and EGRC functions, such that this differentiation would become generally irrelevant to the market; however, this has not yet happened in 2010. The most significant limiting factor is the divergence of requirements between top-down and bottom-up approaches (see Note 2). In many cases, organizations are buying two separate tools, indicating that this difference is more substantial than just vendor marketing and different buying centers.

This divergence is based on the differences in management and reporting requirements for top-down versus bottom-up approaches. Top-down requirements tend to be led by ERM teams addressing business executive requirements, as opposed to bottom-up requirements, which are typically led by IT or information security operations teams. The vendors continue to add functions that overlap top-down and bottom-up requirements, but convergence will only happen when organizations stop buying multiple tools to address diverging requirements, and agree on one tool to address both approaches comprehensively.

Four EGRC platform vendors qualify as IT GRCM vendors in the IT GRCM MarketScope. BWise, MetricStream and OpenPages are EGRC platform vendors that have added IT GRCM capabilities. EMC-RSA is also an EGRC platform vendor, but it started in the IT GRCM market.

Note 2: Top-Down and Bottom-Up Approaches to GRC Management

A top-down approach implies that multiple controls categories will be measured and reported, including IT, financial and operational requirements. A top-down approach usually requires less-detailed requirements for gathering general computer controls data, such as configuration and patch data, but places a premium on higher-level reporting to executives. A top-down approach is more appropriately addressed with EGRC platforms than with IT GRCM.

A bottom-up approach implies greater detail in IT controls for an IT-centric audience. Many organizations use IT GRCM to organize their vulnerability scan, patch and configuration controls data. Traditional IT GRCM tools are more appropriate for IT-specific requirements.

Other Trends in the EGRC Platform Market

Demand for GRC solutions is highest in the U.S., where corporate governance regulations are the most stringent. However, as other countries, such as Canada, Japan, India, Australia, South Africa, and members of the European Union, have begun to enforce similar regulations, demand has increased globally. For a list of corporate governance codes and regulations, see the "Appendix for Corporate Governance Reforms" in the University of Michigan study "Cross-Border Target Selection and Investor Protection Disparity."

Although compliance with new regulations as a result of the financial crisis and increased enforcement of regulations requiring more transparency in business relationships (such as the 2010 U.K. Bribery Act and the U.S. Foreign Corrupt Practices Act) are emerging as new drivers of GRC solutions, ERM has emerged as the most significant driver. With the proliferation of regulations and concerns over corporate governance and transparency, ERM is seen by many regulators and business leaders as a strategic approach to achieve improved corporate governance, more transparency in the decision making of the board and senior executives, and improved performance against business objectives. A 2010 Gartner survey of 60 customer references from EGRC platform vendors showed that ERM (58.3%) and ORM (51.7%) have overtaken compliance with Sarbanes-Oxley and similar laws (46.7%) as the largest use cases for the EGRC platform.

Consolidation in the EGRC platform market picked up in 2009 and continued into 2010. In September 2010, IBM announced its plans to acquire OpenPages. In early 2010, Archer was acquired by EMC-RSA, and BPS and Resolver merged to form BPS Resolver. Paisley was acquired by Thomson Reuters in early 2009, and in the third week of July 2009 alone, three acquisitions were announced: IDS Scheer by Software AG, Cura by SoftPro Systems, and Axentis by Wolters Kluwer. None of these acquisitions have had immediate impact on current customers; however, over the long run, it is important to ensure that the goals of the acquirer are in line with the original rationale of the solution buyer. Also, when the acquirer has other related GRC software and services, there is often a challenge in integrating them with the acquired EGRC platform.

Market Definition/Description

GRC as a marketplace can be broadly divided between GRCM products for the oversight and operation of risk management and compliance programs, and other GRC products for the automation and monitoring of controls. For a comprehensive description of the GRC marketplace, see "A Comparison Model for the GRC Marketplace, 2008 to 2010," which addresses the EGRC platform and its relationship to other GRCM markets, such as IT GRCM, ORM and financial governance. Each of these markets demands functionality that is inherent in the EGRC platform. Instead of acquiring separate solutions for finance, IT and other business units, many enterprises are choosing to use a single EGRC platform and, when necessary, integrating the many point and functional solutions to satisfy specific GRC needs. Reporting and managing through a single platform gives executives, auditors and managers a holistic view of the enterprise's risk and compliance postures, as well as views sorted by requirement, entity and geography.

The primary purpose of the EGRC platform is to automate much of the work associated with the documentation and reporting of the risk management and compliance activities that are most closely associated with corporate governance and business objectives. The primary end users include internal auditors and the audit committee, risk and compliance managers, and accountable executives. The key functions of importance to these groups are:

Audit management: Supports internal auditors in managing work papers, and scheduling audit-related tasks, time management and reporting.
Policy management: Includes a specialized form of document management that enables the policy life cycle from creation to review, change and archiving of policies; mapping of policies to mandates and business objectives in one direction, and risks and controls in another; and distribution to and attestation by employees and business partners.
Compliance management: Supports compliance professionals with the documentation, workflow, reporting and visualization of controls objectives, controls and associated risks, surveys and self-assessments, testing, and remediation. At a minimum, compliance management not only will include financial reporting compliance (Sarbanes-Oxley compliance), but also can support other types of compliance, such as ISO 9000, Payment Card Industry, industry-specific regulations, service-level agreements, trading partner requirements and compliance with internal policies.
Risk management: Supports risk management professionals with the documentation, workflow, assessment and analysis, reporting, visualization, and remediation of risks. This component focuses on general ORM, but may collect data from specialized risk analytics tools to provide a consolidated view of ERM. Many industry-specific risk management requirements may not be supported. For example, many banks require highly specialized capabilities for Basel II compliance. Only a few EGRC platform vendors support the ORM needs of banking, and most vendors prefer to integrate the platform with specialized solutions from other vendors.

The EGRC platform can integrate with business applications, business intelligence, enterprise content management, controls automation, monitoring solutions (such as segregation of duties), IT technical controls (such as server configuration auditing) and continuous controls monitoring for transactions. The EGRC platform also integrates with specialized GRCM solutions, such as EH&S compliance; quality management; and industry GRCM applications.

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support and the overall effectiveness of the sales channel.
Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.
Inclusion and Exclusion Criteria

Vendors were included in this Magic Quadrant if they met these criteria:

Ability to deliver the four primary GRCM functions: audit management, compliance management, risk management and policy management.
Credible presence in the marketplace: defined as at least $10 million in annual revenue from EGRC platform software, at least 50 customers, and customers able to be referenced for corporate-governance-related GRC activities, such as financial reporting compliance and ERM.

Vendors were excluded if they did not meet the functional, revenue and implementation criteria; did not have adequate referenceability; or were an industry-specific or highly specialized solution. Exceptions were made for vendors that have a credible presence in the market, despite not having all the functionality.

Added

EMC/RSA acquired Archer Technologies.
BPS Resolver was formed through the merger of two smaller EGRC platform vendors.
LogicManager is a 100% software-as-a-service (SaaS) EGRC platform vendor with a low cost option.
SAP has begun to integrate GRC point solutions into a common EGRC platform.
Software AG acquired IDS Scheer.
Strategic Thought originally focused on risk management. It has added additional audit management and policy management to provide a comprehensive EGRC platform.

Dropped

Archer Technologies was acquired by EMC/RSA.
IDS Scheer was acquired by Software AG.

Evaluation Criteria

Ability to Execute

Vendors are assessed on their ability and success in making their vision a market reality. The following six Gartner criteria for Ability to Execute were considered:

Product/Service: Core goods and services offered by the provider that competes in/serves the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria. Vendors were evaluated primarily on effective provisioning of the four primary functions: audit management, compliance, risk management and policy management. Ability to support IT GRCM was also an element.
Overall Viability: Includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the business unit to continue to invest in the product, offer the product and advance the state of the art in the organization's portfolio of products. Overall company revenue and revenue from the EGRC platform were the key determinants.
Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. A key metric was sales performance in 2009 and the first quarter of 2010, a very challenging period for the IT industry.
Sales Execution/Pricing: The technology providers' capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. For sales execution, a key metric was the size of the EGRC platform customer base, and for pricing, key metrics were transparency and ease of calculation of the pricing model.
Customer Experience: Relationships, products and services/programs that enable customers to be successful with the products evaluated. Customers were asked a variety of questions to determine their experience with the vendor and the EGRC platform, including whether the product met, exceeded or failed to meet expectations, areas where the vendor should improve, and overall level of satisfaction with the vendor. Key metrics included overall satisfaction, breadth of use, ability to meet performance expectations, and negative comments from reference customers.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. Key metrics were the experience of senior management, and turnover of senior management.

In 2010, the weighting for product/service was lowered to reflect the fact that most vendors have the core platform functions. This change resulted in some shifts in the Ability to Execute position of some vendors (see Table 1).

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria | Weighting
Product/Service | Standard
Overall Viability (Business Unit, Financial, Strategy, Organization) | Standard
Sales Execution/Pricing | Standard
Market Responsiveness and Track Record | High
Marketing Execution | No Rating
Customer Experience | Standard
Operations | Low

Source: Gartner (October 2010)

Completeness of Vision

Vendors are rated on their understanding of how market forces can be exploited to create value for customers and opportunity for themselves. The following six criteria for Completeness of Vision (see Table 2) were considered significant for the EGRC platform market:

Market Understanding: Ability of the provider to understand buyer needs and translate these needs into products and services. Vendors that show the highest degree of vision listen to and understand buyer wants and needs, and can shape or enhance those wants with their added vision. Vendors understood major EGRC platform trends, particularly the relationship of ERM to business performance.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. EGRC platform vendors were evaluated on whether their strategy was clearly consistent and aligned with market direction.
Offering (Product) Strategy: A provider's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements. EGRC platform vendors were evaluated on whether they were closing any significant product gaps, the ability to address a variety of use cases with core and advanced capabilities, and their GRC content strategy.
Vertical/Industry Strategy: The provider's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical industries. EGRC platform vendors were evaluated on whether they had differentiated offerings for two or more highly regulated industries, could meet the ORM needs of the financial services industry, and had content and capabilities for industry-specific needs.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, and defensive or pre-emptive purposes. The primary metrics for EGRC vendors were R&D investment and significant noncore capabilities.
Geographic Strategy: The provider's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside its native geography directly or through partners, channels and subsidiaries as appropriate for that geography and market. The primary metrics were direct sales and support presence in multiple geographies, and reseller and services partner support.

Sales strategies and business models were not considered. Because the market is consolidating and competitive pressures are increasing, marketing strategy was added in 2010. Due to pauses in development in advanced capabilities or a shift in strategy due to an acquisition, some vendors that were in the Visionaries and Leaders quadrants in 2009 have moved to the Challengers and Niche Players quadrants.

Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria | Weighting
Market Understanding | Standard
Marketing Strategy | Standard
Sales Strategy | No Rating
Offering (Product) Strategy | High
Business Model | No Rating
Vertical/Industry Strategy | Standard
Innovation | Standard
Geographic Strategy | Low

Source: Gartner (October 2010)

Leaders

The EGRC platform market is starting to consolidate, and the vendors in this market have had time to develop their products and strategies. Customers are looking for Leaders to provide additional functionality, such as support for chief risk officer, integration with advanced business intelligence and corporate performance management applications, business process modeling, more-flexible and ad hoc reporting, planning and resource management for internal audit, and content and specialized capabilities for risk management and compliance beyond the core functions. They will also expect support across multiple geographies. The large vendors should be best positioned for these requirements, yet smaller vendors are in the Leaders quadrant because of continued viability, more-advanced functionality and market understanding.

Challengers

Challengers have proven viability, demonstrated market performance and the ability to exceed customer expectations on technical functionality. Challengers need to focus on their product road maps, as well as their sales, marketing, geographic and vertical industry strategies to move into the Leaders quadrant.

Market consolidation has resulted in many vendors moving into the Challengers quadrant. In some cases, vendors have moved from the Leaders to the Challengers quadrant due to their vision and the development of advanced capabilities not keeping up with the market direction and expectations. This misalignment can often occur after a large vendor that has a broad array of products and services acquires an EGRC platform vendor. Due to the improved viability after an acquisition, some vendors have moved to the Challengers quadrant from the Niche Players quadrant. Others have moved from the Niche Players quadrant due to ongoing growth in customers and revenue. The bottom line is that, as the market has grown and matured, the number of Challengers has increased.

Visionaries

Visionaries have a solid understanding of the market, as demonstrated by domain expertise and responsiveness to customer expectations. They are actively executing against an aggressive product road map that expands support to additional regulatory and nonregulatory compliance and risk management needs, including support for the integration of GRC with business performance.

Niche Players

Niche Players often have a unique approach to the market.
Vendors could also be in the Niche Players quadrant because they have to improve the core platform functions. Niche Players may also target a specific industry vertical or the needs of particular professionals. All vendors in the Niche Players quadrant are successful in the market with competitive solutions.

Vendor Strengths and Cautions

Aline

Aline offers Aline GRC, a SaaS solution. The release demonstrated became available in April 2010. Aline moved from the Niche Players quadrant to the Challengers quadrant this year based on ongoing customer growth and a significant increase in 2009 revenue. Its approach to include performance management on the platform is visionary for buyers looking for an ERM solution. Aline is positioned to the left due to some product gaps in audit management and policy management, with no clear road map to close them and no vertical/industry strategy.

Strengths

Market Understanding and Strategy: Aline has a solid understanding of the relationship of business performance management to ERM, demonstrating a clear understanding of market direction. The performance management/risk management linkage has been a consistent and clear message from Aline for three years.
Product: Compliance management is strong with good scoping features. Aline is one of the few vendors with a dedicated business performance management module; business performance controls are provided by the American Productivity and Quality Council.
Market Responsiveness: Aline has shown consistently high growth in customers and revenue. The 100% SaaS delivery model is attractive to many companies seeking to minimize upfront costs, especially small and midsize businesses, many of which are just entering the market.
Customer Experience: Customers are very satisfied, and had few negative comments.
Operations: The management team is experienced and stable.

Cautions

Product Strategy: Significant gaps in audit management and policy management are not being addressed.
Vertical Industry Strategy: There is no evidence of a vertical industry strategy.
Innovation: R&D investment remains below the average for small vendors.
Geographic Strategy: Aline is beginning to move beyond the U.S., but direct product support outside normal U.S. business hours is limited.
Product: Audit management is weak, policy management is almost nonexistent and data collected from surveys cannot be automatically pulled into dashboards. Integration with Microsoft Office productivity tools exists, but there's no drill-down from graphs and charts created in them. No quantitative risk management exists.

Axentis (Wolters Kluwer)

ARC Logics is the GRC software division of Wolters Kluwer. It offers three GRC-related products: Axentis for general compliance management and policy management, TeamMate for audit management, and Sword for ORM. The demonstration was centered on Axentis Enterprise, version R-10, released in March 2010. Elements of TeamMate and Sword were also included in the demonstration. ARC Logics is migrating all three products to a common platform, but continues to market them separately. Aspects of each can be exposed through the platform, which shares common functions, such as workflow and reporting. In the 2009 Magic Quadrant, Axentis was in the Challengers quadrant. This year, Axentis is in the Visionaries quadrant.
Its low position on the Ability to Execute axis is due to slow sales growth of Axentis and the ongoing challenges of evolving the platform that integrates the three products. While the execution against the product strategy for an integrated platform delivering GRC software and content is proceeding, the marketing strategy could be hampered by the three brands. The September 2010 announcement by Wolters Kluwer of plans to acquire banking compliance and risk management vendor FRSGlobal was not considered in this evaluation.

Strengths

Market Understanding and Strategy: Wolters Kluwer set up ARC Logics as a separate software division with its three GRC software products (Axentis, TeamMate and Sword) to improve its GRC positioning. ARC Logics is strong in audit management, risk management for financial services, and policy-based compliance, such as anti-fraud rules and corporate integrity agreements.
Product Strategy: ARC Logics is integrating its GRC software solutions on a common platform. Integration is going in stages and will be complete in 2011. It is using its strengths in content to differentiate its GRC solutions from competitors.
Vertical/Industry Strategy: It is strong in healthcare, life sciences and financial services. Its anti-fraud capabilities could also be applied to industries most affected by anti-corruption regulations.
Innovation: ARC Logics has made significant R&D investments to bring together the strengths of its three GRC solutions.
Product: With TeamMate, ARC Logics offers a very strong audit management capability. Sword offers strong capabilities in ORM for financial services. Axentis is strong in policy management, and ARC Logics is the only vendor with an integrated e-learning solution to support policy training and attestation.
Axentis has traditionally been offered as a 100% SaaS solution, but an on-premises application is being developed.
Customer Experience: References were very satisfied and stated that Axentis exceeded expectations in policy management.

Cautions

Market Understanding and Strategy: Business performance management is not a focus. The three GRC solutions are positioned much stronger individually than as an integrated EGRC platform.
Product: Compliance management for Sarbanes-Oxley, privacy and other regulations was not as strong as that for policy-based compliance, such as anti-fraud and corporate integrity agreements.
Sales Execution: Products are mostly sold separately, rather than as an integrated platform solution.
Pricing: The pricing model for the integrated platform is not yet determined.
Market Responsiveness: Axentis is experiencing slow customer growth. Its strategy has shifted to address larger customers.
Overall Viability: Axentis' overall viability is fair. The primary GRC product, Axentis, has had limited new customer growth in two years, but having been acquired by Wolters Kluwer, financial viability is not an issue. Future viability depends on the ability to execute against aggressive technology and marketing road maps, leading to a fully integrated EGRC platform that includes all three GRC products managed by ARC Logics.

BPS Resolver

BPS Resolver demonstrated BPS Resolver GRC Suite, version 6.2, released in May 2010. BPS Resolver provides good capabilities in all the core functions, and its audit management is above average. This is the first time that BPS Resolver has been in the Magic Quadrant. Its position in the Niche Players quadrant is due to just meeting the minimum requirement on revenue, work required to fully integrate the two existing products, and a limited geographic strategy.
However, it is addressing all three issues with good customer growth, integration work that is progressing, and new partners to reach into more geographies.

Strengths

Market Understanding and Strategy: BPS Resolver has a good understanding of customer needs for ERM, as well as some specialized industry compliance requirements.
Product Strategy: Primary EGRC platform capabilities are in place. Its focus during the next several months is on architecting a common platform for existing BPS and Resolver products, and broadening the range of GRC activities supported by the platform.
Vertical/Industry Strategy: BPS Resolver targets multiple vertical industries and has developed specialized capabilities for some compliance challenges in healthcare and utilities. Specific support for healthcare compliance exists, particularly with Centers for Medicare and Medicaid Services (CMS) and Recovery Audit Contractors (RAC). BPS Resolver also supports electrical utilities' compliance with NERC-CIP.
Innovation: It has some innovative solutions, such as electronic meeting balloting, which can be used for risk assessments. It has a high budget for R&D.
Product: BPS Resolver is addressing the integration of its two systems. With the data and reporting layers being complete, the user experience already is mostly one of an integrated platform. Content includes a stock library of risks. It offers excellent reporting through a spreadsheetlike matrix that can be taken offline.
Customer Experience: In the customer reference survey, there were no negative comments regarding BPS Resolver, and respondents were overall satisfied.

Cautions

Market Understanding and Strategy: Although BPS Resolver has some business performance capabilities, business performance is not an explicit element of its GRC strategy.
Product: The underlying architecture for a combined implementation of BPS and Resolver is based on two products for now.
Geographic Strategy: BPS Resolver has no direct presence outside North America, but it is adding partners in several regions.

BWise

BWise demonstrated version 4.1 SP-1, which was released in May 2010. BWise's position in the Leaders quadrant is based on a mature EGRC platform, to which BWise continues to add more-advanced capabilities, a large customer base and relatively high revenue, an experienced management team, and an innovative product strategy. It is the only vendor besides the large ERP vendors to offer an organic continuous controls monitoring solution that integrates with its EGRC platform. BWise is also included in the IT GRCM MarketScope.

Strengths

Market Understanding and Strategy: BWise has a solid understanding of the market for integration of risk management and performance management, and a strong business process orientation.
Product Strategy: Its road map emphasizes improvement in audit management and quantitative risk analysis, with consideration for customers needing credit and market risk management capabilities. BWise is adding an e-learning capability, which will boost support for compliance with ethics and anti-corruption/anti-fraud rules.
Vertical/Industry Strategy: BWise is well-positioned for financial services. It also has a risk library targeted at other vertical industries, such as energy, government and transport.
Innovation: BWise is challenging the large ERP vendors by adding continuous controls monitoring to its EGRC platform.
Geographic Strategy: It is continuing to expand beyond its home base in the Netherlands, with a large presence in North America and additional capability in the U.K. and German-speaking countries. Other geographies are covered through partnerships.
Product: BWise has strong capabilities in compliance management and risk management, with both qualitative and quantitative capabilities. It has solid loss event and root-cause analysis, with an integrated Monte Carlo engine from a partner, Rogue Wave Software. Its platform includes a business process modeling capability to document and visualize business processes, risks and controls. An optional continuous controls monitoring capability is also available.
Operations: BWise has a stable, experienced management team.

Cautions

Product: Audit management planning and scheduling are limited; however, that gap is expected to be closed in the next release by the end of 2010. Although content management is typically a strength of BWise, during the demonstration, policy management was not well presented.
Sales Execution: Outside of Europe and North America, direct sales and support are limited.
Market Responsiveness: BWise has a large customer base, but it experienced flat revenue growth in 2009.

Cura (SoftPro Systems)

SoftPro Systems demonstrated Cura Enterprise, version 3.5, which was released in March 2010. Cura has moved from the Visionaries quadrant to the Challengers quadrant. Its overall viability has improved significantly due to the acquisition by SoftPro Systems, which has invested in accelerating the product road map and adding to the direct sales force. Cura's move to the left in the Magic Quadrant reflects challenges in clarifying its marketing strategy and the need to continue executing on its road map toward better platform integration.

Strengths

Product Strategy: The acquisition by SoftPro Systems has enabled more investment in R&D, enabling Cura to advance its road map. A rearchitected platform with better integration between components and improved reporting will be available in early 2011.
Vertical/Industry Strategy: Cura has good support for financial services and process industries that have a lot of investment focused on major projects.
Geographic Strategy: Cura has direct support in North America, Europe, South Africa and Australia.
Product: It is very strong in risk management, with solid capabilities for qualitative and quantitative analysis, including Monte Carlo simulation. Cura is capable of broad ERM and ORM for financial services, and is particularly well-suited for project risk management. It provides a lot of content in its knowledgebases. In South Africa, Cura has teamed with LexisNexis to provide regulatory content feeds.
Market Responsiveness: It has a large customer base and ongoing growth year over year.
Pricing: Its very practical per-module and per-user pricing model is easy to calculate and compare.
Customer Experience: References indicate that Cura exceeds expectations for ERM.

Cautions

Marketing Understanding and Strategy: Cura's marketing message is confusing and diffuse. The acquisition by SoftPro, while providing more investment, so far, has not helped Cura to develop a more focused marketing strategy.
Product: Reporting has been an issue. Some evidence exists of challenges in supporting roll-up and reporting for large multientity enterprises. Recently, adding integration with BusinessObjects is beginning to close the gap.
Customer Experience: The customer references were primarily focused on risk management.

EMC-RSA

EMC-RSA offers the RSA Archer eGRC Platform. The release demonstrated was version 4.5.2, which became available in April 2008. EMC-RSA moved from the Visionaries quadrant to the Challengers quadrant.
EMC-RSA's acquisition of Archer has improved its overall viability, and there has been ongoing growth in customers and revenue for EGRC purposes. Its solution is rated highly in the IT GRCM MarketScope. It moved to the left in the Magic Quadrant due to ongoing delays in the release of the next version, and gaps in audit management that are to be addressed in the next version.

Strengths

Product Strategy: The RSA Archer eGRC Platform enables EMC-RSA to support a breadth of use cases beyond the standard risk management and compliance cases, through customer self-development and sharing between customers in the Archer Exchange community, and through the development of new capabilities by RSA. Content is a strength of Archer's, and RSA is adding additional content to support more vertical industry and compliance needs.
Product: RSA Archer has functional capabilities in the four core EGRC platform functions. Advanced capabilities include loss event and root-cause analysis features that are helpful in optimizing risk management and compliance processes. They are suitable for nonfinancial services applications, but are not intended to support financial services' specific requirements for ORM, such as Basel II. Incident management supports a basic investigation capability; it suits ethics and other HR-related investigations well.
Overall Viability: The overall viability is much improved due to the acquisition of Archer by EMC-RSA in early 2010.
Market Responsiveness: It has strong year-over-year growth in customers and revenue.
Pricing: It has an easy-to-understand pricing model and per-module annual license for unlimited enterprise use.
Customer Experience: Customers use RSA Archer for a very wide range of GRC activities.

Cautions

Market Understanding and Strategy: For EGRC, RSA needs to present more emphasis on the relationship of risk management to strategic objectives and business performance. RSA Archer is rated highly for IT GRC.
Product Strategy: RSA Archer has been slow to close some gaps in audit management, which it states will be addressed in version 5.0.
Innovation: RSA Archer has not met release dates for its next version. Investment by EMC-RSA is expected to improve its ability to meet release dates.
Product: Some gaps in audit management exist, specifically with respect to scheduling and resource management. RSA Archer is rated highly in the IT GRC management market. However, customers would like to see improvements in data collection from automated controls.

LogicManager

LogicManager demonstrated version 3.2, released in December 2009. LogicManager is a 100% SaaS offering and has a strong focus on the integration of ERM with business performance. LogicManager is well-positioned to take advantage of growing interest in enterprise GRC platforms by small and midsize companies. This is LogicManager's first time in the Magic Quadrant. Its position in the Niche Players quadrant is based on some gaps, primarily in compliance and policy management, and in revenue, which affect its overall viability score.

Strengths

Market Understanding: LogicManager supports a risk-based approach, with a strong linkage to performance management.
Product Strategy: Performance management is a focus of its strategy.
Product: The linkage of risk management to performance management is a key differentiator.
Sales Execution: LogicManager has a very large customer base; however, based on estimated revenue, most sales are very small.
Market Responsiveness: LogicManager has good ongoing growth in its customer base. The 100% SaaS delivery model is attractive to many companies seeking to minimize upfront costs, especially small and midsize businesses, many of which are just entering the market.
Pricing: It has a simple-to-understand, per-user SaaS pricing model.
Customer Experience: We didn't receive any negative comments, and customers were reasonably satisfied with applying the product to several different GRC activities.

Cautions

Product: Although LogicManager has a strong focus on risk management and performance management, audit management and compliance are not as well-developed, and workflow for policy management is weak.
Product Strategy: No evidence exists in LogicManager's road map that it is closing gaps in core functionality.
Geographic Strategy: The company is focused on North America only.
Overall Viability: LogicManager would not share revenue information. This lack of transparency in small vendors can be cause for concern.

Mega

Mega demonstrated its Mega Suite, version 3.1, which was released in February 2010. Mega remains in the Visionaries quadrant. As a business process analysis and enterprise architecture vendor, Mega offers the ability to align GRC activities with business objectives and processes.
This alignment provides a solid foundation for enterprise and operational risk management. As noted by references, time to deploy the solution can be long for customized implementations.

Strengths

Market Understanding and Strategy: Mega's strong alignment of risk management to business process analysis complements well the market direction of risk management as a key component of business performance.
Product Strategy: It is improving the integration of its GRC offering with its business process analysis and enterprise architecture offerings. Mega plans to add CCM capabilities through an OEM partner. All this is consistent with a focus on business performance.
Vertical/Industry Strategy: Mega has a heavy focus on financial services.
Innovation: It has a comprehensive road map backed with solid investment. It has been innovative through integration with organic and partner capabilities to improve the business performance and ORM focus of its GRC platform.
Geographic Strategy: For a relatively small vendor, Mega's direct sales and support coverage in multiple geographies is extensive. It uses a solid network of reseller partnerships to add more coverage.
Product: Mega has very complete audit management functionality and is adding offline capability. It has excellent ORM capability, with organic qualitative and quantitative analysis, including a Monte Carlo simulation capability. Content and software partnerships with specialty risk management vendors and content providers extend ORM and add credit and market risk capabilities.

Cautions

Vertical/Industry Strategy: Mega has limited specialized vertical support beyond financial services. Its focus is on ORM in support of business performance and compliance with risk-related regulations, such as Basel II and Solvency II.
Product: Mega is weak on policy management.
Customer Experience: The length of time it takes to implement is sometimes an issue.
Methodware (Jade)

Methodware, owned by Jade, demonstrated Enterprise Risk Assessor (ERA) version 7.1, released in April 2010. Methodware offers a low-priced platform that is robust in audit, compliance and risk management capability. Methodware has good customer growth and a solid product. However, with a narrowly focused strategy and not much emphasis on the integration of GRC with business performance, it has shifted to the left in the Challengers quadrant.

Strengths

Vertical/Industry Strategy: Methodware has a strong focus on the financial services industry.
Geographic Strategy: It has a direct presence in North America, Europe, Australia and New Zealand, with partners for several other geographies.