It’s once again time to tear open the GRC platform market and uncover all its amazing technical innovations, vendor successes, and impact on customer organizations. This afternoon, we published our latest iteration of the Forrester Wave: Governance, Risk, And Compliance Platforms.

My esteemed colleagues Renee Murphy and Nick Hayes joined me in a fully collaborative, marathon evaluation of 19 of the most relevant GRC platform vendors; we diligently pored through vendor briefings, online demos, customer reference surveys and interviews, access to our own demo environment of each vendor’s product, and as per Forrester policy, multiple rounds of fact checking and review. The sheer amount of data we collected is incredible.

No Longer Two Separate Waves

Many of you may remember that we published two Forrester Waves last time around: one for Enterprise GRC platforms and one for IT GRC platforms. As discussed in previous research, the lines between these distinct submarkets have been eroding for some time, and now it’s no longer worth separating the two.

Organizations are asking for and adopting GRC platforms that are robust, scalable, and flexible enough to meet their unique needs. Certainly, some vendors have more content and expertise in domains such as IT compliance, financial controls, environmental management, operational risk, third party assessments, business continuity, health and safety, policy management, audit management, etc. than others, and that will continue to be an important factor. However, much more important for strategic GRC programs is a platform’s ability to mold and stretch to support a multitude of use cases in a single instance.

What Did We Learn This Time Around?

The vendors and customers involved in this report deserve strong commendation for their huge commitment in time and information; we learned a lot about how the GRC platform market is currently operating and where it is likely going. Among the most interesting things we learned:

·         GRC technical decisions are growing more difficult. While vendor technologies are shouldering wider and heavier loads, organizations still often find themselves with several different GRC platforms, having to decide whether to integrate or consolidate their various platforms; nearly half of customers surveyed fit this category. This will be the case for years to come.

·         Customers have high praise for GRC platforms and vendors, but give low marks for product usability. Not surprisingly, two-thirds of the companies chosen to be customer references responded with the highest satisfaction scores for their vendor relationship; however, less than one-third gave that level of positive feedback for their product’s user experience. The business value is there, but the technologies must become more user-friendly to reach higher levels of enterprise adoption.

·         The level of vendor competition keeps increasing. Once again, Forrester considered a list of roughly 60 GRC vendors before whittling the final list of participants down to 19. Six of these performed well enough to be called Leaders, but every vendor in the Forrester Wave has a strong GRC offering and can point to customer successes that highlight a number of different use cases. In this report, we provide examples of how to modify the criteria weightings in Forrester’s Wave model to help you identify the most relevant vendors for your unique GRC needs; don’t assume the Leaders are always the best fit for every shortlist and use case.

Make sure you read through the entire GRC Wave and download the detailed Wave model to get our full analysis of each of the 19 vendors across 43 criteria, covering current offering, strategy, and market presence.

Finally, we’d like to thank each of the vendors and customers who participated in the Wave – they should all be proud of the tremendous work they’re doing to make the corporate world more ethical, secure, safe, and reliable.

As always, we welcome your comments and questions.