Rethinking GRC: Analyst Rant, Gartner's 2012 EGRC Magic Quadrant

Yes, the latest Gartner EGRC Magic Quadrant is out and I am left questioning what value it provides.  My first impression is that it is best for the compost pile to be used as fertilizer for the garden next spring and not used in organizations that may rely on it to make misinformed GRC technology decisions.

NOTE: this rant is not a reflection of individual vendors in the EGRC Magic Quadrant.  Though I have issues with how some vendors are represented and placed (good night, one in the leaders quadrant almost never comes up in RFPs), my rant is because of Gartner’s flawed understanding of the market and broken process for doing Magic Quadrants.  If you want my analysis on individual vendors then give me an email or call.

For historical purposes, I first defined and modeled the GRC (governance, risk management, and compliance) market back in February 2002 while at GiGa Information Group soon to be acquired by Forrester Research, Inc.  I published the first two Forrester Waves on GRC.  What is important to note is that the 2nd Wave had four different Wave graphics as the market was too complex to represent in a single graphic to compare vendors with integrity.  Some solutions were stronger in audit, other stronger in risk, while others are stronger in compliance. The market has only grown more distributed and complex.  In fairness to Gartner, they recognize this and reference doing a Market Scope next year instead of a Magic Quadrant.

My single greatest issue with the 2012 Gartner EGRC Magic Quadrant is that the Magic Quadrant is very much as it states – MAGIC.  There is no transparency or clarity on how vendors are scored.  It is as if Gartner has a giant Magic Quadrant dartboard and hurls a vendor dart against it to see where they land – yes there is some aim involved but it is not really precise and objective.

The current Magic Quadrant is a mile wide and an inch deep.   I am left asking the question – what practical purpose does it serve?  Right now the graphic itself is misleading.  Those in the upper right quadrant – the leaders quadrant – are often short-listed to RFPs/RFIs but others get very little to no attention even though some have outstanding capabilities and can compete feature for feature with the Leaders.  Then there are those that are not even in the Magic Quadrant that have excellent capabilities, but perhaps they do not have the right revenue or are only operating in a single geography.

The truth is, the MQ does not really help you identify and select GRC vendors that are the right fit for your business.

  • If your need is audit – how do you get a detailed comparison of the audit management features of workpaper management, calendaring, audit planning/scheduling, offline audit capabilities?
  • If your need is compliance – how do you get an understanding of which vendors have the best content, can manage policies and investigations, track regulations, and conduct assessments?
  • If your need is risk management – which vendors support your risk analytics needs?  Some just do heat maps, others do scenario modeling, bow-tie analysis, monte carlo simulations.  Are the risk management features built for risk management at a department level or can they scale because they have risk normalization and aggregation capabilities?
  • If you need policy management – which vendors support versioning of policies and content management?  Which have integrated learning management systems to deliver courses, and which make you work with external systems?
  • If you need regulatory change management – which vendors integrate with content providers for regulatory content?  Do they truly integrate or do they just take in RSS feeds?  What content do they have in the system itself?  How can this content be effectively mapped to policies and other items in the GRC system?  Is this mapping at a document level or can you map statements or paragraphs across documents?

Even basic information such as deployment models – on-premise, hosted, software as a service – are not transparent in the MQ. At least not consistently.  There are gems of insight that can be gathered from the summaries of the vendors, but what you learn about one vendor you have no way to objectively compare it to another vendor as it is not discussed or measured for the other vendor.

If your need is compliance management (or specific issues of compliance like anti-bribery and corruption), I can tell you how one of the vendors in the challengers quadrant can run circles around nearly everyone in the leaders quadrant.  Though if you wanted to do offline audits this vendor should not be in your RFP. If you want deep functionality in risk management how the same vendor will not perform where others in the visionaries quadrant excel at risk management and in many cases do it better than those in the leaders quadrant.

I had one major financial services firm tell me that they never want to see a heat map again as their GRC vendor in the leaders quadrant could not aggregate and normalize risk data properly as it was built for a departmental risk solution and is flawed (in the release they were using) to do proper risk normalization and aggregation.

Friends, the Gartner EGRC Magic Quadrant does not give you the objective detail you need to make informed decisions on the vendors to engage on an RFP/RFI let alone acquire.  It gives you little quips, but not the detail to save you time and money on an RFP/RFI.  In fact, several times this year I have been engaged by organizations after they went through the RFP process using vendors that performed well from last year’s EGRC MQ. Only after spending a lot of time and effort to realize that the vendors they looked at were too expensive, did not serve their industry, or did not have the capabilities they needed.

If Gartner made public their criteria and grading scale then users could dig into the details and see how vendors scored on individual criteria.  If a vendor is not on the MQ then the same criteria can be used to evaluate other vendors objectively. Forrester discloses their criteria.  You can download an entire spreadsheet of everything Forrester evaluated, how each vendor scored on each item, and what the scale was to score the vendor.  Gartner has never provided anything like this. So we are left with a lot of subjectivity instead of objectivity.  The issue is that any organization’s understanding and need for a GRC solution varies from others.  What Gartner has produced is absolutely useless in helping a organization select a vendor for an RFP as these solutions vary greatly in depth and breadth and there are major areas of functionality that are not revealed objectively in the MQ.

Gartner has a script and gives a vendor a short time period to demo their GRC product to Gartner.  They do not allow you to go off script – I have heard this from multiple vendors frustrated with the process.  A vendor may have an absolutely amazing differentiator but if it is off script you have to kick and scream to get even passing attention.  In other words, Gartner has their rigid view of the GRC capabilities of EGRC vendors and if you approach it differently then you are outside their myopic vision.

I also take issue with how Garter defines and presents the GRC market.  While they give lip service to a lot of areas of GRC throughout the document they assume that an EGRC platform is comprised of only the four categories of risk management, audit management, compliance and policy management, and regulatory change management.  I see a much broader definition of the GRC market and define it across 29 categories: with 9 categories being components of enterprise GRC that span across the business and 21 categories being role/function specific GRC areas.  GRC is a broad market – a macro market – with many micro marke
ts that it is comprised of.  EGRC puts several of these micro market segments together into an integrated technology and information architecture platform. There is not a single vendor that can bring all the components of GRC to your organization.

Gartner states that there are many businesses implementing a single EGRC platform.  My market research tells me that 80% of the buying activity in GRC the buying organization is trying to solve specific problems.  Less than 20% have an EGRC strategy, but even those have multiple vendors.  I would state it is less than 5% that are truly trying to consolidate on one platform.  In fact, one large retailer I spoke to a month back stated they have four GRC platforms (in this case Archer, SAP, SAS, and Enviance).  A defense contractor at the same event stated they had all those platforms plus two more (Thomson Reuters and MetricStream).  A financial services firm I have worked with has four different GRC vendors in their environment (Archer, SAI Global, Mitratech, and Wolters Kluwer).

What it means (a term Forrester uses in their research reports):  If you are looking for an objective understanding of how vendors stack up to each other the Forrester Wave process is much better than the Gartner MQ (though Forrester does not consistently update the GRC Wave so organizations are often left with out of date comparisons).  The MQ is fit for the compost pile.  However, what is really needed is objective comparisons that go deeper than either the Forrester Wave and Gartner MQ.  If you need audit functionality – here is how the vendors stack up on audit features (objective and open, not hidden).  If you need compliance – here is a detailed comparison of how the vendors compare on compliance features.  If you want to know which vendors support which type of risk modeling – here is a comparison.  That is the vision I am aiming for.  Objective, open, and straightforward comparisons of feature areas of GRC so organizations do not waste time and money in the vendors they look at.  If you have core requirements that are essential you should be able to mark those requirements and find which vendors support those features.

 

No comments yet.

Leave a Reply