14 top platforms for governance, risk and compliance data management
The pending General Data Protection Regulation that goes into effect on May 25 has placed greater focus on governance, risk and compliance systems and how organizations manage GRC data. As Forrester Research notes in its recent Wave report, “Governance, Risk and Compliance Platforms, Q1, 2018,” on-premise systems require a great deal of support, which is inspiring many firms to look at software-as-a-service offerings. Forrester reviewed 14 top products in this space. The report was authored by Forrester research analysts Renee Murphy and Claire O’Malley.
Of the 14 products reviewed for this Wave Report, seven were determined to have stronger current product offerings and stronger market strategies, qualifying them as leaders in this space.
SAI Global Compliance 360
“SAI Global has an increasingly diverse, extremely happy customer base,” the analysts write. “SAI Global’s customers told us again this year that they are very satisfied with their implementations and consider SAI Global to be their compliance business partner. With the acquisition of Modulo, the company leapt into IT GRC and security governance markets, where it has been lacking in the past. Key takeaway: With diverse use cases in case management, healthcare, and GDPR, the additions of IT GRC and business continuity round out the platform as a single point of governance and compliance capabilities in the enterprise.”
MetricStream M7 GRC Platform
“MetricStream is showing clear market innovation with its user interface design,” according to the analysts. “The user interface for the latest release of the MetricStream platform, M7, gives a unique experience to light-touch users. The new interface reflects MetricStream’s customer-centric pivot over the past 18 months, which also includes maturing its customer support program and delivering a version of the platform to the midmarket. MetricStream’s platform supports a very large number of use cases across diverse industries, including energy, healthcare, insurance, food and beverage, and automotive. Key takeaway: MetricStream’s focus on user growth has slowed its technical disruption of the market. While the user interface is unique, the company will have to give users better analytics to keep pace with the more agile vendors in the space.”
“LogicManager takes an integrated approach to GRC customer success,” the analysts say. “LogicManager’s customers say that the true differentiator of the company’s offering is its customer support; customers are assigned two highly engaged analyst advisors at no additional cost. The platform boasts one of the most rapid average deployment times on the market, and it supports a diverse number of use cases as well as content to support many verticals. Key takeaway: LogicManager’s rapid deployment and ongoing partnership with customers help the company take on the big players in the market.”
Nasdaq BWise version 5
“Nasdaq continues its march toward a subscription-based SaaS model,” the analysts say. “The Nasdaq BWise platform has a strong regulatory change management offering for heavily regulated environments, and it is gaining traction with buyers in the midmarket and in information security organizations. Customers continue to extend their implementations with additional use cases and grow the application’s footprint in the enterprise. Key takeaway: Nasdaq offers a very diverse and capable platform, although this can often lead to complicated and lengthy implementations.”
Riskonnect Integrated Risk Management version GRC.2017.2
“Riskonnect leverages the Force.com platform for its functional foundation,” according to the analysts. “Funded by private equity firm Thoma Bravo, Riskonnect built its GRC offering on the Force.com platform, which in essence means the engineers of Salesforce actively work to develop and maintain the product’s underlying capabilities. Among many benefits, this means Riskonnect GRC includes support for 72 languages, strong workflow, and extensive dashboarding and reporting. This approach also allows Riskonnect to focus on use case development, content, and analytics for GRC. Key takeaway: Riskonnect is an appealing option for Salesforce.com users and deserves a look on its own for its solid GRC capabilities.”
Rsam GRC version 9.2
“Rsam is extraordinarily good at collecting data and putting it to actionable use,” the analysts say. “The Rsam platform’s strengths lie with input, output, distribution, and communication. Specifically, it collects data in almost any format (structured or unstructured) from multiple platforms (e.g., financial, ITSM, security, third-party risk intelligence feeds) and leverages it throughout various functions and modules. Customers use this data to identify, analyze, and manage risk. The platform continues to grow with customer needs, one example being its expanding capabilities for third-party risk management. Key takeaway: If you’re looking for a platform that can collect a wide variety of data from other systems to help manage risk, Rsam continues to be a good choice.”
SAP Solutions for GRC
“SAP’s GRC strategy removes the focus on APIs and puts HANA front and center,” according to the analysts. “Taking a different approach to connectivity and integration is the real differentiator for the SAP GRC offering. Shunning APIs and web services and leveraging HANA’s in-memory data access, SAP is making a bet that customers want big data and predictive analytics natively in their risk solution. SAP continues to meet the needs of its current GRC customers while driving product innovation. One standout from that strategy is the SAP audit tool, which continues to be a strong SaaS solution with full mobile capabilities. Key takeaway: If you’re an SAP shop, be sure to put SAP GRC on your short list.”
Five of the 14 firms considered were determined to have either stronger current products or stronger market strategies, but not both.
Enablon 8 version 8.4
“Enablon continues to be experts in EHS and operational risk use cases,” the analysts write. “Enablon officially became an operating unit of Wolters Kluwer’s Legal and Regulatory division in July, 2016. The company plans to leverage Wolters Kluwer’s market presence to expand its customer base around the world. Enablon’s core strengths continue to be environmental, health, and safety (EHS) management as well as sustainability and operational risk management. Customers are generally in highly regulated environments, looking for industry-specific content and solutions. Key takeaway: If your organization is looking to manage corporate social responsibility initiatives, environmental health and safety, enterprise risk management, or incident/event management, Enablon should be on your short list.”
ACL Analytics version 12.5 and ACL Analytics Exchange version 6.5
“ACL’s GRC portfolio has grown substantially from its well-known audit tool,” the analysts note. “ACL’s GRC product portfolio began with an audit solution, known for its strong analytics and financial controls testing. From there, the company has evolved to a comprehensive GRC platform vendor, with a product that leverages these exceptional native analytics in every function it offers. The company has a very large and mature customer community, where practitioners share ideas and interact with ACL experts. Key takeaway: If you’re looking for a GRC product with a simple user interface, strong mobile support, and strong analytic integration, ACL is worth serious consideration.”
RSA Archer version 6.2
“RSA Archer continues to excel in IT GRC use cases,” according to the analysts. “The RSA Archer platform’s core capabilities are comparable with the rest of the market, and its continued strength is its very tight integration with RSA security tools. RSA Archer’s forgotten differentiator is its most mature domain; while many organizations consider Archer for a wide range of use cases, its product strengths and integration with IT systems make it best-suited for IT GRC. Key takeaway: RSA continues to create use cases in third-party risk, financial risk management, and regulatory change management, building on its IT GRC lineage.”
“IBM is embracing analytics in its approach to GRC,” the analysts say. “The IBM OpenPages GRC platform has been known as a financial controls management product since its inception. It’s also a strong operational risk platform, and customers are looking to expand their use of the platform for nonfinancial use cases as well. While some customers report that they will make use of Watson capabilities over the next year, others say the user interface needs improvement first. Key takeaway: OpenPages is an enterprise-class platform and worth a look for complicated implementations that require good analytics and reporting.”
NAVEX Global PolicyTech, NAVEX Exchange, RiskRate and EthicsPoint
“NAVEX Global specializes in compliance, with training content and data management,” the analysts say. “NAVEX Global continues to shine in the market with its whistleblower hotline and corporate compliance offerings. This includes true anonymous input and workflow to support many use cases, such as case management and third-party compliance. In 2015, NAVEX Global acquired The Network, bolstering its ethics and compliance consulting services as well. Key takeaway: NAVEX Global does not yet offer a full risk management platform, but it does meet the corporate compliance needs for firms in any industry.”
Two of the 14 products considered were determined to have moderately strong current product offerings and market strategies.
ServiceNow Governance Risk and Compliance, version Jakarta
“ServiceNow has entered the GRC platform market,” the analysts note. “ServiceNow is well-known around the world as an IT service management platform, and now the company is the newest significant entrant into the GRC platform market. ServiceNow’s GRC module leverages the information that the ITSM tool collects (including data for asset management, change management, incident management, and problem management), which makes a compelling driver for IT GRC use cases. Key takeaway: Customers of ServiceNow ITSM are finding ServiceNow GRC to be an easy transition that helps them take a risk-based approach to information security and IT operations.”
Thomson Reuters Connected Risk
“Thomson Reuters’ GRC solutions support a wide range of use cases,” the analysts say. “Thomson Reuters continues to be a capable solution for financial controls management and a strong player in the regulatory change management space. Its Connected Risk solution offers capabilities to manage risk to any area of the business, and the company leverages its regulatory content in its software offering. Key takeaway: Connected Risk is a strong contender for a wide array of use cases, and Thomson Reuters’ risk and compliance content is among the best in the industry.”