This post is being updated periodically to address vendor categorization changes. Last update 9 July 2014
We are 6 months in to our GRC process reset and we have some progress to report. A quick disclaimer: This blog post contains no Gartner analysis, because to this point, our process has (mostly) been a self-selecting process. For a complete discussion of our reset process, read this post.
Here is a quick recap: GRC is one of the most flexible terms in the vendor lexicon, because most of them use it to describe whatever they are selling. Also, many of these products are shells that can be programmed to do whatever you need them to do, so we are putting the emphasis on production usage.
By the numbers
9 – Number of Gartner analysts in our GRC working group
1000 – Number of calls these 9 analysts take on GRC each year
6 – Number of common use cases
78 – Number of vendors we contacted
37 – Number of vendors who responded with references
15 – Number of vendors who have not yet produced references
16 – Number of vendors we dropped
600+ – Number of references produced by 37 vendors
4 – Number of vendors able to produce 5 references in all 6 use cases
The top 6 use cases:
– ITRM – IT risk management
– ORM – Operational risk management
– VRM – Vendor risk management
– BCMP – Business continuity management and planning
– AM – Audit management
– CCO – Corporate compliance & oversight
We asked 73 vendors to provide 5 references for each of these use cases, and absent our rigorous research process, what they were willing (or able) to produce is interesting all by itself.
The following vendors produced references for specific use cases. THESE ARE NOT GARTNER RECOMMENDATIONS. Our reports in September will vet these and produce recommended vendors for each use case.
These are the vendors who produced one or more references for one or more of our defined use cases. The codes in parens are the first letter of the use cases for which they produced references.
- ACL (A)
- Agiliance (I, O, V, B)
- Allgress (A, I, V, C)
- BPS Resolver (O, A, C)
- Brinqa (I, V)
- CMO Compliance (O, V, C, A)
- ControlCase (I)
- Covalent Software (A, O)
- DF Labs (O)
- eGestalt (I, O, A, B, V, C)
- Enablon (O, A, C)
- Group Enode (O)
- Happiest Minds (I)
- IBM OpenPages (A, O, I, C)
- Ideagen (I, A, B, V)
- LockPath (I, O, A, B, V, C)
- Magique Galileo (A, O)
- Mega (A, O, C)
- MetricStream (I, O, A, B, V, C)
- MKinsight/Morgan Kai (A)
- Modulo (I, O, B, V)
- Nasdaq BWise (I, O, A, B, C)
- ProcessGene (A, I, C)
- Protivity (A, O, C)
- Quantivate (O, V)
- Rivo Software (O, A, C)
- RSA/Archer (I, O, A, B, V, C)
- Rsam (I, O, A, V, C)
- SAP (I, O)
- SAS (O)
- Securimate (A, O, C)
- Sword Group (A, O, C)
- TeamMate (A)
- Thomson Reuters (O, A, C)
- Tripwire (O, I, C)
- Wolters Kluwer (O, A, C)
- Wynyard Group (O)
- Xactium (O)
The following vendors are likely to be included in our analysis, but have not produced references.
- Fusion Risk
- Hiperos (recently acquired by Opus Global)
- SAI Global
- Software AG
- The Network
Notable vendors who do not address the Gartner definitions of the GRC use cases for ITRM, ORM, AM, BCMP, VRM, or CCO.
- Symantec (No longer positions in the GRC market)
- Hewlett Packard (Reported that they do not have any offerings that address our use cases)
- McAfee (Has not responded to our inquiries)
- Microsoft (Reported that our use cases do not fit their strategic direction)
- NetIQ (Has not responded to our inquiries)
- Qualys (Has not responded to our inquiries)
- Oracle GRC – A company is free to use any name they want for their product, but this product addresses SOD in ERP
Vendors who are on our radar, but do not meet our inclusion criteria for one reason or another.
- SDG TruOps
- Happiest Minds
The next step in the process is to send a rigorous survey to each of the references and a survey to the vendors to complete our analysis process. We expect to publish in the fall.
NOTE: If you have used any of these products for a GRC project and would like to be a reference, please tweet me (@peproctor).
NOTE: If you are a vendor and have corrections to this post, please contact me at Gartner.