Trends in Network Security

The market for enterprise governance, risk and compliance platforms is evolving from a focus on regulatory compliance to include risk management, audit management and policy management. It is dominated by best-of-breed vendors.

WHAT YOU NEED TO KNOW

This document was revised on 9 July 2008. For more information, see the Corrections page on www.gartner.com.

The Gartner Magic Quadrant for enterprise governance, risk and compliance (EGRC) platforms presents a global view of Gartner's assessment of the main software vendors that should be considered by organizations seeking a technology solution to support the oversight and operation of enterprisewide risk management and compliance programs. Buyers should evaluate vendors in all four quadrants. Those from the Niche Players and Visionaries quadrants are driving innovation in areas such as business process modeling of controls and risks, business rules for compliance, and knowledge bases for risk management and compliance. Challengers often have expertise in a particular industry, and are developing more-horizontal solutions or advancing their functionality across a range of GRC functions. Leaders have proven GRC functionality in all four primary GRC management (GRCM) functions – audit management, compliance management, risk management and policy management – and they have executed horizontally across several industries.

The scores and commentary in this research are based substantially on multiple sources – customer perceptions of each vendor's strengths and challenges derived from GRC-related inquiries with Gartner, an e-mail survey of vendor customers conducted in March 2008 and follow-up reference phone discussions, live demonstrations by vendors of their products, and a vendor-completed questionnaire about their EGRC platform strategy and operations.

MAGIC QUADRANT

Figure 1. Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms

Source: Gartner (June 2008)

Market Overview

An EGRC platform must solve immediate GRCM needs and also enable the enterprise to pursue future consolidation and integration of GRC activities. GRCM is defined as the automation of the management, measurement, remediation, and reporting of controls and risks against objectives, and in accordance with rules, regulations, standards and policies. Many enterprises typically consider a GRCM application to satisfy a specific requirement, such as Sarbanes-Oxley compliance, an industry-specific regulation or operational risk management for a business process. However, enterprises often have other GRCM activities in mind, such as audit management, additional regulations, IT governance, remediation management and policy management, which they eventually may integrate into a more consolidated EGRC approach. Most enterprises are also looking for solutions that support their strategies for more controls automation, which falls outside the scope of GRCM, but the reporting from controls automation needs to be integrated into the EGRC platform. Although they may have a specific GRCM requirement in mind, many enterprises are concerned that point solutions will impede their holistic visions.

"Governance," "risk management" and "compliance" are general terms that can apply to a wide range of products, IT initiatives and business requirements. These three terms have many valid definitions throughout the Gartner client-base. The following definitions illustrate the relationship of the three terms:

• Governance – The process by which policies are set and decision making is executed.
• Risk Management – The process for addressing risk with a balance of mitigation through the application of controls, transfer through insurance and acceptance through governance mechanisms.
• Compliance – The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements.

Gartner, as aligned to both a supply-and demand-based market perspective, has developed a specific market structure for these general terms – as GRC. GRC as a marketplace can be broadly divided between GRCM products for the oversight and operation of risk management and compliance programs, and other GRC products for the automation and monitoring of controls. Each of these markets demands functionality that is inherent in the EGRC platform. Instead of acquiring separate solutions for finance, IT and other business units, many enterprises are choosing to use a single EGRC platform and, when necessary, integrating the many point and functional solutions to satisfy specific GRC needs. Reporting and managing through a single platform gives executives, auditors and managers a holistic view of the enterprise's risk and compliance postures, as well as views sorted by requirement, entity and geography.

The GRC marketplace is undergoing a transition from U.S.-centric to global. Demand for GRC solutions is highest in the U.S. where corporate governance regulations are the most stringent. However, as other countries, such as Canada, Japan, India and members of the European Union, have begun to enforce similar regulations, demand has increased globally. Although all the leaders are U.S. vendors, notably, two of the four challengers are based outside the U.S., as are all three visionaries and the two niche players. Another market trend that could push some non-U.S. vendors toward becoming leaders is increasing demand for risk management functionality beyond the traditional banking industry. Vendors with a lot of risk management experience include Paisley (U.S.), Cura Software Solutions (Australia), Methodware (New Zealand) and BWise (the Netherlands).

Market Definition/Description

The EGRC platform supports four primary GRCM functions – audit management, compliance management, risk management and policy management. It can integrate with business applications, business intelligence, enterprise content management, controls automation, monitoring solutions (such as segregation of duties), IT technical controls and continuous controls monitoring. The EGRC platform also integrates with specialized GRCM solutions, such as environmental, health and safety compliance; quality management; and industry GRCM applications.

For a comprehensive market description, see "The Enterprise Governance, Risk and Compliance Platform Defined."

Inclusion and Exclusion Criteria

Vendors were included in the Magic Quadrant if they met the following criteria:

• Ability to deliver three of the four primary GRCM functions: audit management, compliance management, risk management and policy management.
• Credible presence in the marketplace: defined as at least $7.5 million in annual revenue from EGRC platform software and at least 50 customers.

EGRC platform vendors that did not meet the revenue requirement or number of customers, but offer a platform that supports at least three of the four primary GRCM functions, include:

• 80-20 Software – Australian company recently acquired by SAI Global. Its platform supports compliance management, risk management and policy management.
  
  
• BI – U.S. company with a software-as-a-service (SaaS) solution for small and midsize businesses. Its platform supports audit management, compliance management and risk management.
  
  
• CA – U.S. company. Its platform supports compliance management, risk management and policy management.
  
  
• Compliance 360 – U.S. company with a SaaS solution. Its platform supports compliance management, risk management and policy management.
  
  
• DoubleCheck – U.S. company. Its platform supports audit management, compliance management, risk management and policy management.
  
  
• List Group – Italian company. Its platform supports audit management, compliance management, risk management and policy management.

Added

No vendors were added.

Dropped

No vendors were dropped.

Evaluation Criteria

Ability to Execute

Vendors are assessed on their ability and success in making their vision a market reality. Four of the seven Gartner criteria for ability to execute are the most significant at this early stage of the EGRC platform market:

• Product/Service – Core goods and services offered by the provider that competes in/serves the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
  
  
• Overall Viability – Includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the business unit to continue to invest in the product, offer the product and advance the state of the art in the organization's portfolio of products.
  
  
• Market Responsiveness and Track Record – Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the provider's history of responsiveness.
  
  
• Customer Experience – Relationships, products and services/programs that enable customers to be successful with the products evaluated. This includes the ways customers receive technical or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups and service-level agreements.

At this early stage, marketing execution is not a significant factor, and with little variation in pricing models, sales execution/pricing also is not a variable. Although not a major variable now, operations will become significant in the next stage of market development as vendors try to grow their revenue from EGRC platform software beyond the $50 million annually mark.

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria	Weighting
Product/Service	high
Overall Viability (Business Unit, Financial, Strategy, Organization)	standard
Sales Execution/Pricing	no rating
Market Responsiveness and Track Record	standard
Marketing Execution	no rating
Customer Experience	standard
Operations	no rating

Source: Gartner

Completeness of Vision

Vendors are rated on their understanding of how market forces can be exploited to create value for customers and opportunity for themselves. Five of the eight criteria for completeness of vision were considered significant for the EGRC platform market:

• Market Understanding – Ability of the provider to understand buyers' needs and translate these needs into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those wants with their added vision.
  
  
• Offering (Product) Strategy – A provider's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.
  
  
• Vertical/Industry Strategy – The provider's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical industries.
  
  
• Innovation – Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, and defensive or pre-emptive purposes.
  
  
• Geographic Strategy – The provider's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside its native geography – directly or through partners, channels and subsidiaries – as appropriate for that geography and market.

At this early stage, marketing and sales strategies do not vary significantly among the vendors. Although not yet a major factor, vendors' business models could become significant differentiators as vendors try to take advantage of the next stage of market growth.

Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria	Weighting
Market Understanding	standard
Marketing Strategy	no rating
Sales Strategy	no rating
Offering (Product) Strategy	high
Business Model	no rating
Vertical/Industry Strategy	standard
Innovation	standard
Geographic Strategy	low

Source: Gartner

Leaders

The EGRC platform market is new, but the vendors in this market have had time to develop their products and strategies in other precursor markets. Because they have developed with a focus on corporate governance and executive reporting requirements, vendors with experience in the finance GRCM market have an advantage in the EGRC platform market. Of the four leaders, Paisley and OpenPages were leaders in the 2007 finance GRCM Magic Quadrant, and Oracle was a challenger. MetricStream is a newcomer, and its progress from a relatively obscure quality management and operations compliance vendor to a leader in this Magic Quadrant is remarkable. Customers will be looking for leaders to provide additional functionality, such as integration with advanced business intelligence and corporate performance management applications, more-flexible and ad hoc reporting, and more support for the internal audit organization. They will also expect support across multiple geographies. The large vendors are best positioned for these requirements, yet smaller vendors are in the Leaders quadrant because of continued viability, more-advanced functionality and market understanding.

Vendors in the Leaders quadrant are:

• MetricStream is headquartered in the U.S. and has a large development team in India. It has 250 employees. The MetricStream Enterprise Compliance Platform supports solutions for audit management, compliance management, risk management, policy management and quality management. It is based on Java Platform, Enterprise Edition (Java EE).
  
  
• Paisley is headquartered in the U.S. and has 250 employees. It offers EGRC for audit management, compliance management, risk management and policy management, and it has a SaaS version called GRC on Demand. Both are based on Java EE.
  
  
• OpenPages is headquartered in the U.S. and has 140 employees. OpenPages' GRC platform supports solutions for audit management, compliance management, risk management and policy management. It is based on Java EE.
  
  
• Oracle is a software megavendor that is headquartered in the U.S. Oracle GRC Manager is based on technology acquired from Stellent. It supports solutions for audit management, compliance management, risk management and policy management. It is based on Java EE. GRC Intelligence provides advanced reporting beyond that found in GRC Manager and is based on business intelligence technology from Siebel.

Challengers

Challengers have proven viability, demonstrated market performance and the ability to exceed customer expectations on technical functionality. Challengers need to focus on their product road maps, as well as their sales, marketing, geographic and vertical industry strategies to move into the Leaders quadrant.

Vendors in the Challengers quadrant are:

• Achiever was recently acquired by the Sword Group and is based in the U.K. It has 75 employees (25 of them are in U.S.). Achiever Plus is primarily a solution for operations compliance (environmental, health and safety, quality management and others). It supports financial management compliance, and the platform provides solutions for audit management, compliance management, risk management and policy management. It is based on .NET.
  
  
• Archer Technologies is headquartered in the U.S. and has 96 employees. The Archer SmartSuite Framework is primarily a solution for IT GRCM. However, it supports financial management compliance, as well as solutions for audit management, compliance management, risk management and policy management. It is based on .NET.
  
  
• Axentis is based in the U.S. and has 98 employees. The Axentis GRC platform supports four suites: Financial GRC, Legal and Regulatory, IT GRC, and Ethics and Integrity. These suites are inclusive of solutions for risk management, compliance management and policy management. The platform is based on .NET and delivered as SaaS.
  
  
• Methodware is based in New Zealand and has 47 employees. It was recently acquired by Jade Software. Its Enterprise Risk Assessor supports solutions for audit management, compliance management, risk management and policy management. The current platform has proprietary middleware architecture with a Java EE interface and a standard Structured Query Language database interface. The next version (v.8) will be a .NET product.
  
  
• Protiviti is based in the U.S. and is a 3,000-person global risk consultancy. The Risk Technology Solutions group that is responsible for the Protiviti Governance Portal has 75 employees. The Governance Portal supports solutions for audit management, compliance management, risk management and policy management. The platform is based on .NET.

Visionaries

Visionaries have a solid understanding of the market, as demonstrated by domain expertise and responsiveness to customers' expectations. They are actively executing against an aggressive product road map that expands support to additional regulatory and nonregulatory compliance and risk management needs.

Vendors in the Visionaries quadrant are:

• BWise is headquartered in The Netherlands and has 117 employees. The BWise suite supports solutions for audit management, compliance management, risk management and policy management. It is based on Java EE.
  
  
• Cura Software Solutions has moved its headquarters from Australia to the U.S. It has 97 employees. Cura Enterprise supports solutions for compliance management, risk management and policy management. It is based on a combination of C# and .NET.
  
  
• Mega is a business process management (BPM) vendor headquartered in France. It has 240 employees. The Mega GRC Suite supports audit management, compliance management, risk management and policy management. It is based on Java EE.

Niche Players

For niche players, product improvements are rolled out frequently, and new investment and product developments can enable niche vendors to refresh their product road maps, improve marketing and sales support, and move into more geographies and vertical industries. Vendors could also be in the Niche Players quadrant because they have a novel business model that only time can tell whether it will succeed, or because they have set their sites on a specific market segment, such as an existing customer base for other products. Niche players also can be successful in the markets of their home and targeted geographies, or a specific industry segment.

Vendors in the Niche Players quadrant are:

• IDS Scheer is a large BPM vendor headquartered in Germany. It has 3,000 employees worldwide. The ARIS Solution for Governance, Risk and Compliance Management supports compliance management and risk management. It is developed on the ARIS Platform, which is based on Java EE.
  
  
• Qumas is headquartered in Ireland and has 100 employees. The Qumas GRC Suite supports compliance management, risk management and policy management. It is based on .NET.

Vendor Strengths and Cautions

Achiever

Strengths

• Demonstrated effectively all four GRCM primary functions – audit management, compliance management, risk management and policy management
• Operations compliance – International Organization for Standardization standards, environmental, health and safety, and quality management
• Integration with Microsoft Office

Cautions

• Financial reporting compliance – demonstrated capabilities, but limited customer referenceability for this capability
• Risk management – no quantitative analytics

Archer Technologies

Strengths

• Demonstrated effectively all four GRCM primary functions – audit management, compliance management, risk management and policy management
• IT GRCM as a core installed base
• Intuitive Web-based interface and navigation
• Archer Community – a social network for customers to share the applications, content and services they develop

Cautions

• Financial reporting compliance – demonstrated capabilities, but limited customer referenceability, for this capability
• No native content or document management capabilities

Axentis

Strengths

• Demonstrated effectively three of four GRCM primary functions – compliance management, risk management and policy management
• Vertical market support for healthcare, insurance and life sciences – including corporate integrity agreement compliance
• Broad set of offerings integrating GRCM with content
• Integrated e-learning to support training and to record certification and awareness

Cautions

• No audit planning and resource management, but it does have an adaptor for CCH TeamMate
• Weak on operational risk management – no loss-event reporting

BWise

Strengths

• Demonstrated effectively all four GRCM primary functions – audit management, compliance management, risk management and policy management
• Financial services industry compliance – including banking and investment regulations, financial reporting compliance, and IT GRCM
• BPM capabilities enable mapping of processes against risks and controls – enabling business process improvements

Cautions

• Data extraction is difficult, which limits reporting flexibility – improvements are planned for the August 2008 release
• Customer references cited late releases, but BWise provided data showing that five of its six releases in the past two years were on time or within one month of their expected date – the latest release was five months late

Cura Software Solutions

Strengths

• Demonstrated effectively three of four GRCM primary functions – compliance management, risk management and policy management
• Market support for financial services, energy and utilities, and mining industries
• Extensive best-practice knowledge bases, especially with regard to operational risk management

Cautions

• No audit and resource management, but they do have an adaptor for CCH TeamMate
• Limited native document management, but comes with SharePoint integration and proven integration with Documentum

IDS Scheer

Strengths

• Demonstrated two of four GRCM primary functions – compliance management and risk management
• Largest BPM vendor delivering a GRCM solution on a robust platform
• BPM capabilities enable mapping of processes against risks and controls – thus aligning risks with process steps and enabling business process improvements
• Superb dashboard visualization of risks and controls

Cautions

• No audit planning and resource management; no policy management – whereas it did not meet the minimum criteria for inclusion, its strong platform, reporting and customer base warranted an exception
• Requires competency in the ARIS process modeling tools

Mega

Strengths

• Demonstrated all four GRCM primary functions – audit management, compliance management, risk management and policy management
• BPM capabilities; its architecture tool enables mapping of processes against risks and controls – thus enabling business process improvements
• Good audit planning features within audit management

Cautions

• Survey and assessments can be difficult to execute – improvements are planned for its September 2008 release
• Policy management is limited because of a basic document management functionality

Methodware

Strengths

• Demonstrated all four GRCM primary functions – audit management, compliance management, risk management and policy management
• Exceptional audit management functionality
• A long track record of proven risk management – good qualitative and quantitative analytic features
• Focus on the midsize business marketplace, as well as financial services, higher education, national government and manufacturing vertical markets

Cautions

• Policy management is limited because of a lack of content management
• Sparse communication with customers
• No native content management, workflow and process automation functionality

MetricStream

Strengths

• Demonstrated effectively all four GRCM primary functions – audit management, compliance management, risk management and policy management
• Domain expertise – no vendor was better able to articulate its vision and to capture that vision in the current offering of the product
• Audit planning and calendaring with offline audit management capability
• Manage a community portal called ComplianceOnline.com and use that community to help with development

Cautions

• Relatively small vendor that is new to this market – emerged rapidly from operations compliance, mostly quality management
• Needs more structure in its road map for new releases

OpenPages

Strengths

• Demonstrated effectively all four GRCM primary functions – audit management, compliance management, risk management and policy management
• Viability – strong management team with good domain knowledge and a large customer base with good retention
• Good ability to make associations among mandates, policies, procedures and requirements (which in its taxonomy is a group of controls)
• Reporting and the ability to get to useful data – Cognos reporting engine and proven integration with Hyperion for advanced financial management reporting

Cautions

• Deloitte content for IT risks and controls, but must contract separately with Deloitte for that
• Self-assessment function is broad and complete, but the advanced self-assessment is awkward for the casual user

Oracle

Strengths

• Demonstrated effectively all four GRCM primary functions – audit management, compliance management, risk management and policy management
• Committing adequate investment to an aggressive development road map with plans for many vertical-specific versions of GRC Manager
• A suite of controls products, such as Oracle Application Access Controls Governor and Oracle Transaction Controls Governor, that is integrated into the GRC Manager platform
• Integrates with the project management capabilities of Microsoft project and other such products easily – thus enabling better management of complex remediations or audit plans

Cautions

• A small piece of the overall technical footprint of GRC Manager requires .NET; constraint will be removed in the next release
• For improved reporting, customers must get a separate license for GRC Intelligence, which has a different look and feel from GRC Manager
• No quantitative risk modeling

Paisley

Strengths

• Demonstrated effectively all four GRCM primary functions – audit management, compliance management, risk management and policy management
• Strong management team that is involved with the U.S. regulators in shaping the rules
• Strong audit management with offline capability – the chief competitor to CCH TeamMate in that market; good planning capabilities for audits and testing
• Paisley Snap! Reporter enables quick report building; good ad hoc report generation

Cautions

• Must buy all or nothing with its pricing model – licenses are sold on a named-user basis with access to the whole suite; not possible to buy, for instance, just audit management, and then add risk management and compliance later
• No quantitative risk modeling

Protiviti

Strengths

• Demonstrated effectively three of four GRCM primary functions – compliance management, risk management and policy management; also demonstrated audit management
• Abundant GRC domain expertise and content; is a well-known risk management and compliance consultancy
• A good search function enhances navigation within the application

Cautions

• Audit management is weak, but it is a high priority on Protiviti's road map – will add offline capability
• Reporting is weak – customers must engage Protiviti to customize means to generate presentation-quality reports

Qumas

Strengths

• Demonstrated three of four GRCM primary functions – compliance management, risk management and policy management
• Business rules – for example, when a test fails, business rules automatically kick in that require recording an issue and assigning an action
• Scalable document-centric compliance – when compliance is highly dependent on documentation, it provides a controlled and structured workflow with documents maintained securely in a PDF format

Cautions

• No audit planning and resource management
• Functionality is split across three products that do not share a common platform out of the box, but do share a common interface

Acronym Key and Glossary Terms
BPM	business process management
EGRC	enterprise governance, risk and compliance
GRC	governance, risk and compliance
GRCM	GRC management
SaaS	software as a service

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization):Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor’s capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding:Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements.

Sales Strategy:The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies

Offering (Product) Strategy:The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model:The soundness and logic of the vendor's underlying business proposition..

Vertical/Industry Strategy:The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation:Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic StrategyThe vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Source: Gartner Core Research Note G00158295, French Caldwell, Tom Eid, 30 June 2008