Gartner’s coverage of vendors in the GRC marketplace is about to change. The main reason for the change, as noted in the most recent Enterprise Governance, Risk and Compliance Platforms Magic Quadrant, is that GRC solutions buyers are shifting away from a platform-centric approach to one focused on targeted solutions for specific use cases.
A platform approach is attractive for its ability to get all risk management and compliance professionals on the same system of record. Being on the same system of record allows more effective sharing of risk and controls information, and the elimination of inefficient overlaps between risk management and compliance silos. Internal auditors for instance can gain access to IT security’s risk assessments, thus enabling more effective allocation of audit resources to higher risk areas. And IT security and audit, by using the same taxonomies for risks and controls, can reach agreement on where remediation is most needed. Platforms also enable improved executive and board level reporting through aggregation of risk and control data across risk management and compliance programs.
On the other hand, buyers of platform-based solutions usually end up sub-optimizing. For instance a GRC vendor may have a superb solution for corporate compliance management, but poor operational risk management capabilities. When most enterprises had fairly immature risk management and compliance organizations, the trade-off of sub-optimizing some technology solutions in order to get all the organizational silos on the same system of record was reasonable. However, as organizational maturity improves, the gaps in technology support become more of a limitation.
As more enterprises have matured their risk management and compliance functions, the market has reached the point where buyers want targeted solutions that fit their needs for specific use cases. The following use cases are the subject of ongoing GRC research at Gartner:
Use case 1: IT Risk Management (ITRM). The use of GRC tools for management, measurement, and reporting against IT risk. While this may include security operations data and processes, implementations that are primarily focused on security operations, analysis, and reporting will be considered “below the line” and not part of this use case.
Use case 2: Operational risk management (ORM). The use of GRC tools for management, measurement, and reporting against operational risk. Enterprise risk management, considered as the impact of risks on enterprise strategic objectives, will also be addressed in this use case.
Use case 3: Audit management. Audit solutions used by internal audit teams that document and track phases of the audit cycle — audit planning, audit risk assessment, audit project management, time and expense management, issue tracking, audit work paper management, audit evidence management, and reporting. Implementations primarily for the benefit of non-audit functions are excluded.
Use case 4: Vendor risk management (VRM). The use of VRM tools for management, measurement, and reporting against vendor and third party related risk. This will include capabilities to identify, classify, monitor, and recommend risk mitigation to support business operations and regulatory requirements.
Use case 5: Business continuity management (BCM). Supporting the coordinating, facilitating and executing activities that ensure an enterprise’s effectiveness in identifying and mitigating operational risks that can lead to business disruptions, and recovering mission-critical business operations after a disruptive event turns into a disaster.
Use case 6: Corporate Compliance and Oversight. Compliance management and reporting associated with corporate governance codes, ethics, and financial reporting integrity regulations, such as Sarbanes-Oxley, Turnbull and others, and other regulations, standards and policies that materially affect the compliance posture of the overall enterprise.
Having all these use cases supported by the same vendor on the same platform is helpful but not mandatory. Vendors who are opening up their platforms to make integration easier are more competitive in this new phase of the GRC marketplace.
Recognizing the shift in the GRC marketplace from platform-centric to targeted solutions, Gartner will no longer publish the Enterprise Governance, Risk and Compliance Platform magic quadrant or the IT GRC Management marketscope. We have instead developed an aggressive 2014 GRC technology agenda with specific deliverables for targeted solutions, including the following, with lead author:
Market Guide for Audit Management – Khusbu Pratap
Magic Quadrant for Operational Risk Management – John Wheeler
Magic Quadrant for Security & IT Risk — Paul Proctor (Erik Heidt will lead additional Gartner for Technology Professionals deliverables)
Magic Quadrant for Business Continuity Planning — Roberta Witty
Magic Quadrant for Vendor Risk Management — Gayla Sullivan
Market Guide for Corporate Compliance and Oversight — French Caldwell
These deliverables will include both broad-based GRC platform vendors, as well as vendors who offer only targeted solutions.
Of course, the GRC platform market is far from dead. Besides using platform solutions to enable cross-silo collaboration, many enterprises designate one of their GRC platforms as the platform of record for higher level reporting for enterprise risk management, strategic planning, and incident management. To facilitate collaboration between risk silos, and cross-enterprise coordination and reporting, we recognize that many buyers in the market will still want to compare GRC platforms. To enable comparison of GRC platform vendors who address multiple use cases, we will produce the following research note that will rate the top 10 GRC vendors on each of the use cases and also provide an overall ranking of the platforms:
Critical Capabilities of GRC Vendors — French Caldwell
Most of the above research notes will be delivered in Q3 and Q4 of 2014. In the meantime, our clients welcome to contact the analysts above. Vendors, whether client or not, who wish to brief us on their capabilities to support any of the use cases above or who have questions on the process should please contact Gartner’s vendor relations to schedule a briefing.
We recognize this is a large change to how GRC is covered at Gartner, but it is indicative of the market direction. We expect our competitors to follow suite.