Chris McClean

The launch of any new research report is exciting, but I’m especially happy to see the publication of The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 2009.

The evaluation speaks for itself. Forrester goes to great pains to ensure a fair, detailed process that looks into the strengths and weaknesses customers care about most — and this Wave is no exception. But considering the amount of time and effort we spent putting this report together, I wanted to provide some additional thoughts on what I learned during the process:

  • Wave research is very rewarding. Among best practices, trends, and other reports, the Wave research is probably the most enjoyable for me and beneficial to our corporate customers. In a relatively short time period, I sat through hours and hours and hours of product demos (really, it’s not as bad as you think), debated with vendors about market dynamics, and analyzed massive amounts of customer reference data. During the evaluation process, I was also working on several vendor selection projects with Forrester customers. Since the Wave criteria are based on buyer demands, the research I was doing was very applicable to my customer engagements as well.

In addition, the comprehensive and transparent nature of the Wave methodology helps to justify all of the scores and analysis. That means that if a customer (or former colleague) has a question about any of the results, they are able to see exactly what criteria I used and why I scored each vendor the way I did (and then of course they can proceed to agree or disagree as they see fit).

  • It’s impossible to include everything. The GRC landscape is vast. For every vendor that appeared in the Wave, there were probably at least two more that wanted to be included. Some were not invited because they didn’t meet all of the participation criteria, while others were invited but declined to participate because they couldn’t meet our required information requests and/or deadlines. The vendors evaluated here, however, have demonstrated strong customer successes and ability to meet the market demands we see from the hundreds of GRC inquiries and advisories we do every year.

One thing you may not be able to tell from the graphic alone is how each vendor is trending relative to their market position. Yes, the vendors that have stayed on top of the Leaders category have had to work very hard to maintain that position. However, it’s often other vendors that are showing the most innovation and progress. In fact, I spend quite a bit of time discussing this in the Wave report as well as in a podcast I recently recorded.

  • GRC buyers and implementation are more mature. While this will come out more in upcoming reports, GRC buyers and users are more sophisticated than ever. Current budget constraints may require implementations to start very small, but more and more, organizations are seeing the long-term value of comprehensive GRC that spans across compliance, risk, audit, IT, and other departments.

Software firms have responded appropriately, which means they can't be easily segmented by which vendors target risk management professionals or which target compliance professionals… the best ones are addressing all relevant users. With that in mind, I chose not to segment out separate Wave graphics for Governance users, Risk users, and Compliance users. If we are truly set on the unique value GRC brings by combining these functions, we should focus on solutions that address each of their needs simultaneously.

For customers that are looking for solutions that skew to specific areas of GRC, I would recommend using our Wave model to adjust the score weightings to meet your unique needs. Are you more interested in products that can help automate your control testing? Do you care more about training and awareness capabilities? You can adjust the weightings of these criteria as you see fit, and then see which vendors rise to the top of your own custom Wave.

I wanted to thank all of the vendors that participated and the teams that spent time gathering the necessary information for our evaluation. For those that did not participate, rest assured… we still get a lot of customer inquiries asking for details about vendors that are not in the Wave. And so it is of course my intention to keep up to date with all vendors in the GRC market.

For GRC buyers, there are of course questions that you have that could not be fully covered in this report. I encourage you to look through the details of our evaluation, and feel free to set up an inquiry to discuss any other issues in more detail.
