The Forrester GRC ‘Ripple’ (OOOPS . . . I Mean, ‘Wave’)

The GRC PunditWritten by
Published onDiscussionLeave a Comment on The Forrester GRC ‘Ripple’ (OOOPS . . . I Mean, ‘Wave’)
Analyst firms provide value as well as harm to markets. What they define, model, and predict affects billions of dollars and influences the course of organizations of all sizes and industries. I’ve had a unique perspective on this during my nine years in the market research and analyst world and for seventeen years of professional life.
 
I have particular frustration with the major analyst firms (such as Gartner and Forrester) when it comes to governance, risk, and compliance (GRC) issues. This is particularly meaningful viewed through the lens of my seven years at Forrester Research, Inc. where I was a vice president, and was recognized as a ”Top Analyst” the day before I resigned. I was the original analyst to define and model a market for GRC technology and consulting services.
 
Today’s release of The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 2009 made me throw my hands up in despair. I can see one organization after another making bad technology choices, based on where a vendor’s icon falls on an analyst’s graphic. My experience with this speaks for itself – I authored four Waves in my tenure at Forrester, two of them being the predecessor to this third-generation GRC Wave.
 
Before I get too critical, some positive thoughts: The Forrester Wave process is stronger than Gartner’s Magic Quadrant. The criteria for evaluation and measurement are much more transparent. I never had a vendor tell me they prefer Gartner’s process. I also have deep respect for Chris McClean, the author of the current GRC Wave. Chris and I have known each other for years. I trained Chris on GRC on his entry into Forrester, and my transition from Forrester went smoothly because we are like-minded. Chris is a respected thought leader on business GRC issues and solutions, particularly when it relates to Corporate Social Responsibility. However, Chris’ handicap, like mine was, is Forrester itself.
 
Further, several of the vendors in the Wave deserve their placement. I have respect and agreement for the leadership position of BWise, OpenPages, and Thomson Reuters. Axentis has the best policy management solution on the market, and a competitive investigations platform – though their high placement baffles me, as they do not come close to the others on deeper risk and audit management capabilities. However, MetricStream does surprise me in their leader position.
 
The current version of the GRC Wave concerns me because:
  • It is out-of-date the day it is published. This particular Wave process took six months. Several of the platforms evaluated have new and improved versions on the market, some of which have been available for several months. The Wave process takes much too long to be relevant to buyers.
  • The Wave criteria have not evolved. The GRC market and technology changes rapidly. There was a significant difference in criteria between the first GRC Wave and the second, which I authored while at Forrester. This time, however, the criteria remain nearly identical to what I authored on the last Wave, despite how dynamic the market and technology have been during the last 18 months. In this new Wave, several vendors were hurt on their positions because they are moving beyond the box assigned to them by the Wave criteria. In the second Wave, I broke the Wave into four graphics to represent different areas of GRC – with vendors plotting differently, based on buyer needs. This latest GRC Wave should have expanded, not eliminated that feature. The Wave should have broken into several independent Waves to measure specific buyer roles of GRC solutions such as risk, audit, IT, finance, corporate compliance, and legal.
  • It reaches the wrong audience. It is interesting to note that some vendors in previous GRC Waves are not in the current one – even when they scored high in the previous Wave. Why did they not participate? For a few it was because the Wave takes a tremendous amount of time and resources and reaches the wrong buyer. Companies like Compliance 360 and Mitratech are doing well reaching buyers who are not in IT, where Forrester is focused. In fact, some vendors report that reference to the previous Wave(s) did not come up with prospects and clients. This is one of two reasons why I left Forrester: They fail to reach the business buyer of GRC. Forrester is successful at reaching the IT-GRC buyer focused on IT risk and compliance issues, and to some degree the finance buyer. However, Forrester fails to get its research in front of enterprise buyers focused on risk, corporate compliance, legal, audit, quality, environmental, health and safety, and corporate social responsibility (which is Chris’ sweet spot).
  • It misses major GRC vendors. It is alarming that the current Wave misses significant GRC vendors such as Oracle and CA, as well as smaller players such as Neohapsis (formerly Certus). Some declined because of bad timing; others, if I understand it correctly, were simply not invited. Oracle and CA are coming up regularly in competitive GRC deals – more so than several of the small and poorly performing players in the Contender and Strong Performer categories. Even if a vendor refuses to participate, Forrester still has a process to plot a vendor and note that they did not willingly participate in the Wave.
This is bad news for a GRC buyer. While it gives them some perspective of players in the GRC market, the perspective is out-of-date and incomplete. Specifically, beside the vendors that do not appear in the Wave, I feel the following are poorly represented:
  • Archer Technologies: Archer is the most disruptive force in the GRC market today. They are entering and consistently winning deals against many of the leaders in the GRC Wave. They offer, in my opinion, the most versatile and easily customizable platform on the market that can be swiftly tailored to meet any GRC process and content issue. During the past 18 months I have seen them come up consistently in GRC RFP/RFIs and win, and their clients have moved them into a position where they have one of the broadest arrays of unique GRC uses. Forrester overlooked Archer’s unique approach to integrating content (Archer Exchange), users (Archer Community), wide array of GRC solutions modules (Archer Solutions), all on a flexible platform (Archer SmartSuite Framework). Archer’s clients speak for themselves, having received top honors in the Wave for client references (which I noted a few months back on my blog). I expected Archer to appear in the Leader category.
  • MEGA: MEGA has an excellent platform for risk, control, and audit management – one, in my opinion, that has become very competitive in its feature functionality. They are wanting on the content management side, which impacts their ability to meet the needs of corporate compliance around policy management and communication, but they have deep risk, audit, and control functionality. Their greatest weakness is slow momentum in North America, though they are making significant market progress in Europe. I would have expected MEGA to have a higher position in the
    Strong Performer category.
  • SAP: SAP is the innovation thought-leader for GRC. Their position as a Contender is a slap in the face and illustrates just how the GRC Wave in its current version misses the target. On one side, SAP could have declined to be involved, as the dated criteria did not fare well for them – but they have built a leading GRC brand in this space and are committed to seeing it move forward — which requires their participation in the WAVE. SAP should have been a Leader (if the criteria had evolved to where it should be) because they are focused on the integration of GRC into business processes and transactions. No other vendor in the Wave is as deeply focused on business issues of GRC and delivering integration and control complex business areas such as global trade compliance, supply-chain risk, environmental GRC, and segregation of duties within business applications. SAP has the best story out there on the integration of GRC, particularly risk management, into corporate performance and strategy. When GRC means business is where SAP excels. The Wave did not address this, which is unfortunate for SAP. Where the other Wave vendors provide an oversight band-aid and audit layer to GRC, SAP delivers value to the core of business through its GRC solutions.
My greatest concern about technology market-analyst firms is that there is too much focus on the IT department and technology. Don’t get me wrong; technology is the backbone that enables GRC. However, the analyst firms have it wrong because they focus on IT and the technology instead of business processes, and the business buyer and user of technology.
 
My recommendations to Forrester:
  • Streamline the Wave process to make it more relevant to the product versions on the market.
  • Split the Wave into several smaller Waves that target unique business-buyer roles of GRC.
  • Focus on the business: IT is already in the bag. Stretch your GRC thought leadership into business roles. Chris McClean has what it takes to shine in this area.
If you have specific questions on GRC vendor solutions or professional service firm offerings in this space please submit an [email protected]. You may also be interested in the following discussion on the Corporate Integrity LinkedIN Group: Do industry analysts have too much influence on software vendors, who call their products GRC or CCM/T – terms used by analysts.

Leave a Reply

Your email address will not be published. Required fields are marked *