About This Constellation ShortList™
While often tracked as distinct platforms, Enterprise Risk Management and Governance, Risk, and Compliance (GRC) platforms have been overlapping more and more in recent years as policy, risk, regulatory, safety and compliance tracking has become a combined top-level function in most publicly traded companies and many private firms as well. This trend is especially important as new regulatory regimes, such as GDPR, have become top compliance concerns.
The industry is currently at a crossroads: today’s ERM and GRC solutions are moving out to the public cloud and becoming easier to use, yet many specialized legacy and emerging vendors only address particular segments, scenarios, or key business functions. These can range widely from policy management suites for guiding global corporate strategy and content management of risk data to reporting on risk posture and conducting automated audits for identifying and managing IT vulnerabilities.
As a result, a mix of old and new ERM/GRC platforms exists today with very different capabilities and sensibilities, with few covering every type of feature. However, many are increasingly heading in the direction of becoming comprehensive suites, with some already offering extensive feature sets. Given the wide variety of capabilities represented by ERM/GRC products, buyers should be prepared to carry out detailed comparisons of the many different features and capabilities when evaluating vendors to ensure their needs will actually be met.
Note: Constellation will be publishing a more detailed ERM/GRC buyer’s guide in 2019 to help navigate the complex landscape of this enterprise software category.
Constellation considers the following criteria for these solutions, taking into account capabilities from stable third-party marketplace providers if required:
- Ability to track key ERM/GRC data types (e.g., policies, risks, controls, procedures) in an integrated data model or document framework
- Features to carry out audits, risk assessments, and collect evidence
- Robust reporting and analytics with common ERM/GRC templates
- Effective training and education materials for users and admins
- Ability for most key ERM/GRC features to be configured (as opposed to customized)
- Support for Active Directory and HRM integration
- Workflow management capabilities for common ERM/GRC tasks
- Vendors with a sufficient customer base and revenue for stability
The Constellation ShortList
Constellation evaluates over 50 solutions categorized in this market. This Constellation ShortList is determined by client inquiries, partner conversations, customer references, vendor selection projects, market share, and internal research.
- EMC/RSA Archer Platform
- LockPath Keylight
- MetricStream Enterprise GRC
- NAVEX Global Ecosystem
- Refinitiv GRC
- Resolver GRC Cloud
- SAI Global Compliance 360
- ServiceNow GRC
Frequency of Evaluation
Each Constellation ShortList evaluation will be updated every 180 days as needed.
Constellation clients may work with the analyst and research team to conduct a more thorough discussion of this ShortList. Constellation can also provide guidance in vendor selection and contract negotiation.