About This Constellation ShortList™
While often tracked as distinct platforms, enterprise risk management (ERM) and governance, risk and compliance (GRC) platforms have been overlapping more and more in recent years as policy, risk, regulatory, safety and compliance tracking have combined to become one top-level function in most publicly traded companies and many private firms. This trend is especially important as new regulatory regimes, such as GDPR, have become top compliance concerns.
The industry is currently at a crossroads: today’s ERM and GRC solutions are moving out to the public cloud and becoming easier to use. Yet many specialized legacy and emerging vendors address only particular segments and scenarios or focus on either key IT or business functions. These can range widely from policy management suites for guiding global corporate strategy and content management of risk data to reporting on compliance posture and conducting automated audits for identifying and managing IT vulnerabilities.
As a result, a mix of old and new ERM/GRC platforms exists today with very different capabilities and sensibilities, with few covering every type of feature. However, many are increasingly heading in the direction of becoming comprehensive suites, with some already offering robust feature sets. Given the wide variety of capabilities represented by ERM/GRC products, buyers should be prepared to carry out detailed feature-by-feature comparisons when evaluating vendors to ensure their needs will be met.
Constellation considers the following criteria for these solutions:
- Ability to track key ERM/GRC data types (e.g., policies, risks, controls, procedures) in an integrated data model or document framework
- Features to carry out audits and risk assessments as well as collect evidence
- Robust reporting and analytics with common ERM/GRC templates
- Effective training and education materials for users and admins
- Ability for most key ERM/GRC features to be configured (as opposed to customized)
- Support for Active Directory and HRM integration
- Workflow management capabilities for common ERM/GRC tasks
- Vendors with a sufficient customer base and revenue for stability
The Constellation ShortList™
Constellation evaluates over 50 solutions categorized in this market. This Constellation ShortList is determined by client inquiries, partner conversations, customer references, vendor selection projects, market share and internal research.
- RSA Archer Platform
- Galvanize Highbond
- LockPath Keylight
- NAVEX One
- Reciprocity ZenGRC
- Refinitiv GRC
- Resolver GRC Cloud
- SAI Global Compliance 360
- ServiceNow GRC
Frequency of Evaluation
Each Constellation ShortList will be updated at least once per year. There could be an update after six months, should the analyst deem it necessary.
Constellation clients may work with the analyst and research team to conduct a more thorough discussion, vendor selection and contract negotiation.