About This Constellation ShortList™
While often tracked as distinct platforms, enterprise risk management (ERM) and governance, risk and compliance (GRC) platforms have been overlapping more and more in recent years as policy, risk, regulatory, safety and compliance tracking have combined to become one top-level function in most publicly traded companies and many private firms. This trend is especially important as new regulatory regimes, such as GDPR, have become top compliance concerns.
The industry is currently at a crossroads with today’s industry solutions for ERM and GRC, which are moving out to the public cloud and becoming easier to use. Yet many specialized legacy and emerging vendors address only particular segments and scenarios or focus either on key IT or business functions. These can range widely from policy management suites for guiding global corporate strategy and content management of risk data to reporting on compliance posture and conducting automated audits for identifying and managing IT vulnerabilities.
As a result, a mix of old and new ERM/GRC platforms exists today with very different capabilities and sensibilities, with few covering every type of feature. However, many are increasingly heading in the direction of becoming comprehensive suites with some already offering robust feature sets. Given the wide variety of capabilities represented by ERM/GRC products, buyers should be prepared to carry out detailed comparisons of the many different features and capabilities when comparing vendors to ensure their needs will be met.
Constellation considers the following criteria for these solutions:
- Ability to track key ERM/GRC data types (e.g., policies, risks, controls, procedures) in an integrated data model or document framework
- Features to carry out audits and risk assessments as well as collect evidence
- Robust reporting and analytics with common ERM/GRC templates
- Effective training and education materials for users and admins
- Ability for most key ERM/GRC features to be configured (as opposed to customized)
- Support for Active Directory and HRM integration
- Workflow management capabilities for common ERM/GRC tasks
- Vendors with a sufficient customer base and revenue for stability
The Constellation ShortList™
Constellation evaluates over 50 solutions categorized in this market. This Constellation ShortList is determined by client inquiries, partner conversations, customer references, vendor selection projects, market share and internal research.
- RSA ARCHER PLATFORM
- GALVANIZE HIGHBOND
- NAVEX ONE AND IRM
- RECIPROCITY ZENGRC
- REFINITIV GRC
- RESOLVER GRC CLOUD
- SAI360 GRC
- SERVICENOW GRC
Frequency of Evaluation
Each Constellation ShortList is updated at least once per year. Updates may occur after six months if deemed necessary.
Constellation clients can work with the analyst and the research team to conduct a more thorough discussion of this ShortList. Constellation can also provide guidance in vendor selection and contract negotiation.