
Are you considering GRC software?

September 30, 2013

If you are, I am worried that you might be relying on so-called research by the analyst firm, Gartner. Each year, they publish a Magic Quadrant (MQ) that is presented as addressing organizations’ needs for GRC software. Their 2011 Magic Quadrant for ‘Enterprise Governance, Risk and Compliance Platforms’ (EGRC) is available from Gartner or one of the included software vendors. (I haven’t seen the 2013 MQ).

The purpose of the MQ is to present their “assessment of the main software vendors that should be considered by organizations seeking a technology solution to support the oversight and operation of enterprisewide risk management and compliance programs, with the overall objective being improvements in corporate governance and the ability to achieve business objectives”.

It is good to see my former employer, SAP, in the top quadrant. This means that Gartner considers them visionaries with a high ability to execute.

Also included are players with whose products I have some familiarity: Archer, BWise, IBM, Thomson Reuters, MetricStream, and Oracle.

But does this mean anything? Does it actually have value and relevance for organizations seeking to improve their governance, risk management, and compliance programs?

I have so many criticisms, it is difficult to know where to start:

  1. Gartner assesses software solutions against a defined set of required functionality. That set of functionalities is highly unlikely to be the same as your prioritized needs and requirements! While they talk most prominently about risk management and compliance programs, and these are typically the areas with the greatest need and potential ROI, they include requirements for internal audit, policy management, and more. How many companies would give significant weight, when considering solutions for risk management, to the needs of the (typically small) internal audit function? At the same time, they exclude critical functionality (in my opinion) around the capabilities to link strategy and risk, perform risk monitoring, and support risk workshops. How can you run an effective risk management program without the ability to continuously monitor risks in this turbulent business environment? When you are assessing the effect of uncertainty on objectives (i.e., risk), how do you do that when you have no way to identify the risks to each objective?
  2. They talk about governance, but their assessment includes next to nothing that supports governance. Even their definition of governance is limited and, in my opinion, wrong. It doesn’t include board communications, for example.
  3. Gartner assumes that you need a single platform for risk management and compliance. I believe that compliance-related risks should be included in the risk management program, and that a risk-based approach to compliance is generally wise. However, I find it difficult to believe that all the requirements for a compliance program (e.g., ethics certification and training, investigation case management, legal case management, whistleblower services, anti-money laundering and FCPA compliance, and more) can be found in a single solution – let alone one that supports risk management as well.
  4. Gartner assumes value in the integration of these various functionalities. However, that integration has much less value in practice than they consider. I would prefer to see integration between strategy and risk management than risk management and internal audit!
  5. They don’t consider the need to integrate risk and performance (and strategy) reporting. If we are to integrate risk management into the fabric of the organization, you need combined reporting on both performance and risk indicators.
  6. Few organizations have a ‘GRC’ organization, one that combines (as Gartner sees it) risk management, compliance management, policy management, internal audit, and some limited aspects of governance. So why should we think about a GRC solution?

I will stop there. My conclusion is that looking for a ‘GRC solution’ is (IMHO) short-sighted and likely to lead to selecting the wrong software for your organization.

I might use the MQ to make sure I am considering all the vendors that might have solutions to meet my needs.

But I would define my requirements based on my own needs and my potential ROI, not on the needs of the fictional organization considered by Gartner.

I would also be concerned if a vendor presented their solution as addressing the requirements of an EGRC platform, as they may be designing a solution to get better grades from Gartner instead of satisfying their real customers.

What are your needs? If your priority is risk management, look for a risk management solution that has the functionality to meet your current and anticipated needs. If you are looking for compliance solutions, pick the solutions (probably more than one) that will work effectively as a combination.

If you need to address needs in multiple areas, where is the value from integration? Is it better to get separate solutions that are optimal for each area than one that perhaps is good in one or two but less so in others?

As I look back at my former companies where I was chief risk officer, ethics and compliance officer, and led internal audit, I would not have acquired one of these EGRC solutions. I would have acquired separate solutions for risk management, legal case management, SOX compliance, ethics management, and so on. The integration I would have prioritized would have been between risk management and strategy/performance management, and I would also have given significant weight to risk monitoring (using the sophisticated analytics tools now available from SAP, IBM, and Oracle).

I welcome your views.

  1. September 30, 2013 at 10:09 AM

    Great blog. This is exactly what I discussed today with my team.

    I also miss ACL Data Driven GRC!

  2. Martyn Proctor
    September 30, 2013 at 10:10 AM

    Hi Norman

    I’d not seen the latest magic square and jumped on this – but the link is to the 2011 report: I had a quick search on MetricStream as they’re usually fast with this, but couldn’t see a 2013 version yet. I’m intrigued to see if SAP are winning friends there!

    Kind Regards,

    Martyn Proctor | Managing Director
    Direct: +44 7802 573129 | Office: +44 28 9008 0053 | Skype: martyn_proctor
    Web: http://www.integrc.com
    Twitter: GRCIntegrc
    LinkedIn: Integrc


  3. Norman Marks
    September 30, 2013 at 10:15 AM

    I have corrected the post to say this is a 2011 report. I understand that Archer placed very highly in the 2013 but have no other information.

  4. Norman Marks
    September 30, 2013 at 10:22 AM

    Here is a link to the 2013 report: http://www.gartner.com/technology/reprints.do?id=1-1KTX6EC&ct=130926&st=sg.

    My thanks to Pieter de Kok.

  5. Mansur Ikhlas
    September 30, 2013 at 11:04 AM

    I fully support your views. Analysis like Gartner’s should only be used as a part of evaluation, but the majority of criteria should come out of realistic requirements analysis. Excellent article.

  6. Lawrence Ellefson
    September 30, 2013 at 12:14 PM

    Norman, I don’t know anything about the packages you mentioned or that the Gartner service reviewed, but I got the idea from this post that they do not support the user’s ability to define and enter their own risks and mitigating control processes. Is this correct? The solutions mentioned are “canned” and cannot be changed to meet the user’s needs? For example, if you do not require SOX compliance risk and control issues to be addressed, you cannot ignore those issues? Why should companies have to buy different packages for different purposes? It seems to me that users should be able to identify, enter and assess their own risk categories, risk descriptions, controls, risk tolerance levels, control effectiveness rates etc. based upon their own needs and requirements. I hope I am wrong and this is not true. Do they require the user to purchase different “modules” for different purposes? Just askin’…

    • Norman Marks
      September 30, 2013 at 1:04 PM

      All the solutions let you enter your own risks.

  7. September 30, 2013 at 7:02 PM

    Hi Norman,

    I totally agree with your comments regarding the value of Gartner’s MQ and other ‘analysis’ conducted by research firms. My additional criticism is that they ignore any vendor who does not meet their very strict entry criteria and hence do not paint a real picture of the vendor space, with some of the smaller vendors regularly competing and winning against these MQ ‘leaders’ due to their ability to offer better solutions for their client’s needs.

    Having also worked for a number of the vendors listed in the MQ, I agree with your comment that they often have point solutions but do not truly cover the full spectrum of ‘GRC’ needs of an organisation. Where I do disagree with you is your apparent premise that there are no solutions in the marketplace that can cover the risk and compliance needs of an organisation, and assist in the governance and hence maximisation of performance – which is what I classify as GRC. This is what my firm – Protecht – does and does extremely well, and we have the clients who can attest to this.

    We do not spend our time and resources trying to impress Gartner or the other research firms. We prefer to see our success measured in having successful clients who use our training, advisory services and software to achieve (and overachieve) their business objectives. Word of mouth referrals are much more valuable than any MQ rating.

    • Norman Marks
      September 30, 2013 at 9:18 PM

      Alf, I am curious. So your company’s solution supports all compliance requirements, from safety to environmental, FCPA, building codes, hazardous waste disposal, AML, export/import, ethics code, privacy, and so on? Wow! I am impressed.

      • September 30, 2013 at 9:44 PM
        Fundamentally, the problem is one of content (for the obligations), registers (for RCSA, compliance attestations, KRI / KPI input, incidents, and anything else that you want to capture), actions, workflow and business intelligence for reporting. We have designed our solution to do all of these, with linkages across all data using tags to avoid the traditional hierarchical problems associated with many GRC solutions.

        As an example, we have a client that uses our solution to effectively manage and monitor the following:
        • Risk and control self assessments
        • Compliance attestations
        • Key risk indicator/ key performance indicator tracking
        • Safety incident register
        • Workplace Health & Safety Injury Reporting register
        • Hazards register
        • Group Audit findings and action plans register
        • General and IT Asset registers
        • Barcode & packaging registers
        • Community events register and Corporate Social Responsibility register
        • Complaints register
        • Conflicts of interest and Gifts and Gratuities registers
        • Whistle blower / Integrity register
        • Mandatory Standards Checklists
        • New Line Product Checklist
        • Product Assurance register
        • Product Pre-Shipment Inspection register
        • Import Container Quarantine register
        • Factory Quality review register and Quality Investigations and Actions register
        • Security and Restricted Keys registers
        • Site Visitors log

        They display the different business functions with their own dashboards that allow them to drill down to analyse the data with greater granularity, and can quickly publish reports to regulators, senior executive and board either on a scheduled basis or ad hoc.

        If the client does not have the ‘content’ we can integrate the content from the main content vendors and link it to risks and obligations. We can also input and output to other systems using web services.

        Let me know if you want to see the system – it is available as both a SaaS offering or can be installed on our client’s own infrastructure.
  8. September 30, 2013 at 8:32 PM

    I agree with your observations. I have worked in one of the top IT companies of India, which was using SAP GRC. However, usage was limited to identifying and resolving SOD conflicts. The Process and Risk modules were not being used.

    One important point: before thinking of exploring any software, successful implementation of a framework is necessary, and software can help in sustaining the framework.

  9. Stephen
    October 1, 2013 at 8:04 AM

    I agree that the Gartner report is flawed – but it also reflects how many big organisations make decisions. Who are the market leaders (by size)? What are my peers doing? etc

    One of the entry requirements is that any solution must have 100+ licenced customers and $12m + turnover. This automatically discounts any new and innovative offerings.

  10. hanan
    October 1, 2013 at 10:07 PM

    I think Gartner reports are useful in the selection. However, as with any IT project, defining the requirements and objectives of the solution remains the most important part; you can’t select software just because of its rating in a Gartner report.

  11. JCO
    October 5, 2013 at 2:04 AM

    I agree on everything you said, Norman. Especially on “What are your needs? If your priority is risk management, look for a risk management solution that has the functionality to meet your current and anticipated needs. If you are looking for compliance solutions, pick the solutions (probably more than one) that will work effectively as a combination.”. I’ve met several vendors this past month and there really are ones that, in a way, impose their solutions to our organization instead of listening first to our needs and requirements.

  12. Bill Sweeney
    November 27, 2013 at 9:27 AM

    In my roles as CIO for risk, compliance, and legal technology, I agree that point solutions that roll up to an Enterprise Risk Framework are the way to go. There are too many detailed requirements within each domain, not to mention that the objectives of risk management, compliance, and legal are different. Re: Gartner, the usefulness of Gartner is not the “Magic Quadrant”; it’s the rationale they provide for ranking and rating each vendor. I don’t know any CIO that picks the solution based on the MQ. It’s generally step one in an evaluation, the “acquire knowledge” step. Product selection requires a much more rigorous mapping of user requirements against both existing and proposed functionality.

  13. August 7, 2014 at 12:14 AM

    Hi Norman, interesting article indeed. I would be interested in having you review our GRC software (SaaS) called PDCA Manager. We built it as GRC software specifically following ISO 27001 sections 4-10 requirements for an information security management solution (ISMS). It is a total ISMS solution. Although it’s not ERM, we believe we have a new idea and one-of-a-kind approach to GRC compliance within one certifiable scope of ISO 27001. You can view it here at http://www.SecuraStar.com/software.php
    Please feel free to reach out and I would be happy to demo it for you or give you a free trial to evaluate.
    Dave Anders

  14. September 24, 2014 at 1:53 PM

    This is a very good article. I particularly like the emphasis on targeted solutions for high impact areas or needs (like internal audit, corporate legal, etc.). Much of the drive for comprehensive solutions comes from very large organizations. The vast majority of businesses, however, would benefit from modest, effective solutions, but do not know where to start. General counsel and compliance officers trying to manage risks more effectively without much of a baseline have found this presentation useful: http://www.berkmansolutions.com/item/legal-risk-management
