After months of diligent product and vendor evaluations, today we published The Forrester Wave: Enterprise GRC Platforms, Q4 2011. In the next few days, we will also publish The Forrester Wave: IT GRC Platforms, Q4 2011. These two reports feature a total of 20 vendors, all with proven capabilities to help customers tackle their continuously mounting regulatory challenges and manage their complicated risk profiles.

Why two Forrester Waves?

Governance, risk, and compliance functions within large and medium enterprises demonstrate tighter collaboration all the time… audit is working more closely with risk, and compliance programs are consolidating under more centralized control. However, Forrester still sees a gap between the requirements of those responsible for IT risk and compliance and the requirements of those managing risk and compliance outside of IT. No doubt, there is often substantial overlap between these groups, and many of the vendors evaluated have customers using their products to supports both IT and enterprise GRC functions. You’ll notice that of the roughly 60 evaluation criteria for each Wave, there are only 3-4 that differ between them. For now though, they remain basically two distinct markets.

So, what did we learn from the countless hours of briefings, demos, customer surveys, and other research we did for this Wave?

  1. It is still difficult to narrow down which vendors to include. For these evaluations, we looked at vendors with the most complete GRC platforms, most substantial market presence, and most relevance to Forrester customers. This year you’ll see strong showings from two vendors new to the Enterprise GRC Wave: SAS and Enablon. The IT GRC Wave also includes solid performances from three new participants: ANXeBusiness, Control Case, and Easy2Comply (which was acquired several weeks ago by Check Point). But as always, there is a long list of other vendors that are certainly relevant to the space that we were unable to include. Check out my GRC Market Overview from last year for a longer list of GRC Platform vendors.
  2. The evaluation criteria, like market requirements, are getting broader, not narrower. As I work with corporate and government clients to develop and strengthen their governance, risk, and compliance programs, I’m struck by how different they are, even among companies of similar size, industry, and geographical footprint. As GRC vendors strive to support such a wide variety of functions and approaches, they are targeting a wider variety of use cases. Often, this means that vendors that were in close competition with each other just a few years ago may now rarely see each other on prospects’ short lists. That also means that for the Wave, we had to look more closely at the fundamental capabilities and functionality of the platforms, while paying a little less attention to specific applications.
  3. Flexibility is an essential factor distinguishing top GRC platforms. Because of the variety of use cases mentioned above, vendors that really stood out were those that had the strongest underlying functionality for GRC object mapping, content management, workflow, and reporting….but also the flexibility to allow customers to use these capabilities for their own unique needs. Vendors that have highly configurable interfaces, workflows, surveys, forms, and reports are more likely to be able to address customers’ more complicated requirements now and as they evolve. Of course, some of the more flexible vendors got lower marks from customers on the “time-to-value” survey questions, so if your needs are less complex, there may be better choices out there for you.

On that last point, and one general comment about these Waves: GRC takes so many forms from one organization to the next, that you shouldn’t simply look at the Wave graphic and assume to know the top 3-4 vendors that will serve your needs. All of the vendors in these reports have strong capabilities and great customer success stories, so depending on what you want out of your GRC (or corporate compliance, or enterprise risk management, or audit management, etc.) program, any of these vendors may be worth considering. Take a look at the spreadsheet linked within the Wave reports for a very detailed explanation of how each vendor scored for each of the nearly 60 criteria we used. If that doesn’t give you what you need, contact me… I have mountains of data on these and other vendors that did not show up in this report.

Finally, a big thanks to all the vendors that participated. This is a rigorous process, and they all did very well to meet our demanding project deadlines and requirements.