About This Constellation ShortList™

While often tracked as distinct platforms, enterprise risk management (ERM) and governance, risk and compliance (GRC) platforms have been overlapping more and more in recent years as policy, risk, regulatory, safety and compliance tracking have combined to become one top-level function in most publicly traded companies and many private firms. This trend is especially important as new regulatory regimes, such as GDPR, have become top compliance concerns.

The industry is at a crossroads: today's ERM and GRC solutions are moving out to the public cloud and becoming easier to use. Yet many specialized legacy and emerging vendors address only particular segments and scenarios, or focus on either key IT or business functions. These can range widely, from policy management suites for guiding global corporate strategy and content management of risk data to reporting on compliance posture and conducting automated audits for identifying and managing IT vulnerabilities.


As a result, a mix of old and new ERM/GRC platforms exists today with very different capabilities and sensibilities, with few covering every type of feature. However, many are increasingly heading in the direction of becoming comprehensive suites, with some already offering robust feature sets. Given the wide variety of capabilities represented by ERM/GRC products, buyers should be prepared to carry out detailed comparisons of the many different features and capabilities when evaluating vendors to ensure their needs will be met.

Threshold Criteria

Constellation considers the following criteria for these solutions:

  • Ability to track key ERM/GRC data types (e.g., policies, risks, controls, procedures) in an integrated data model or document framework
  • Features to carry out audits and risk assessments as well as collect evidence
  • Robust reporting and analytics with common ERM/GRC templates
  • Effective training and education materials for users and admins
  • Ability for most key ERM/GRC features to be configured (as opposed to customized)
  • Support for Active Directory and HRM integration
  • Workflow management capabilities for common ERM/GRC tasks
  • Vendors with a sufficient customer base and revenue for stability

The Constellation ShortList™

Constellation evaluates over 60 solutions categorized in this market. This Constellation ShortList is determined by client inquiries, partner conversations, customer references, vendor selection projects, market share and internal research.

  • SAI360 GRC

Frequency of Evaluation

Each Constellation ShortList is updated at least once per year. Updates may occur after six months if deemed necessary.

Evaluation Services

Constellation clients can work with the analyst and the research team to conduct a more thorough discussion of this ShortList. Constellation can also provide guidance in vendor selection and contract negotiation.
