Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms
12 August 2009

French Caldwell, Tom Eid, Carsten Casper

Gartner RAS Core Research Note G00169604

The market for EGRC platforms is shifting from a focus on regulatory compliance to a focus on enterprise risk management. Vendors also are adding support for audit and legal professionals, particularly audit management, policy management, and content.

What You Need to Know

This Gartner Magic Quadrant for enterprise governance, risk and compliance (EGRC) platforms presents a global view of Gartner's assessment of the main software vendors that should be considered by organizations seeking a technology solution to support the oversight and operation of enterprisewide risk management and compliance programs. Buyers should evaluate vendors in all four quadrants. Those from the Niche Players and Visionaries quadrants are driving innovation in areas such as business process modeling of controls and risks, business rules for compliance, policy training and certification, and knowledgebases for risk management and compliance. Challengers often have reasonable functionality and good pricing, but may lag the leaders in advancing their range of GRC functions for specific industries or professional roles. Leaders have proven GRC functionality in all four primary GRC management (GRCM) functions — audit management, compliance management, risk management and policy management — and they have executed across several industries with support for multiple professional roles.

The scores and commentary in this Magic Quadrant (see Figure 1) are based substantially on multiple sources. Customer perceptions of each vendor's strengths and challenges are derived from GRC-related inquiries with Gartner and an e-mail survey of vendor customers conducted in May 2009, with follow-up reference phone discussions. The evaluators also have drawn from observations of products, a vendor-completed questionnaire about their EGRC platform strategies and operations, and question-and-answer sessions with vendors.

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Magic Quadrant

Figure 1. Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms

Source: Gartner (July 2009)

Market Overview

The EGRC platform market derives from the need for many entities to improve the oversight of corporate governance — including financial reporting compliance, enterprise risk management and related audits. Many organizations also want to consolidate other GRC activities into a common platform. Therefore, an EGRC platform must solve immediate GRCM needs associated with corporate governance and also enable an enterprise to pursue future consolidation and integration of GRC activities.

GRCM is defined as the automation of the management, measurement, remediation, and reporting of controls and risks against objectives, in accordance with rules, regulations, standards and policies. Many enterprises typically consider a GRCM application to satisfy a specific requirement, such as Sarbanes-Oxley compliance, an industry-specific regulation or operational risk management for a business process. However, enterprises often have other GRCM activities in mind, such as audit management, additional regulations, IT governance, remediation management and policy management, which they eventually may integrate into a more consolidated EGRC approach.

Most enterprises are also looking for solutions that support their strategies for more controls automation, which falls outside the scope of GRCM, but the reporting from continuous controls monitoring of ERP and other controls automation in the IT infrastructure needs to be integrated into the EGRC platform. Although they may have an immediate, specific GRCM requirement in mind, many enterprises are concerned that point solutions will impede their holistic visions.

"Governance," "risk management" and "compliance" are general terms that can apply to a wide range of products, IT initiatives and business requirements. These three terms have many valid definitions throughout the Gartner client base. These definitions illustrate the relationship of the three terms:

- Governance — The process by which policies are set and decision making is executed.
- Risk Management — The process for addressing risk with a balance of mitigation through the application of controls, transfer through insurance and acceptance through governance mechanisms.
- Compliance — The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements.

Gartner, as aligned to both a supply- and demand-based market perspective, has developed a specific market structure for these general terms — GRC. GRC as a marketplace can be broadly divided between GRCM products for the oversight and operation of risk management and compliance programs, and other GRC products for the automation and monitoring of controls. For a comprehensive description of the GRC marketplace, see "A Comparison Model for the GRC Marketplace, 2008 to 2010," which addresses the EGRC platform and its relationship to other GRCM markets, such as IT GRCM, operational risk management and financial governance. Each of these markets demands functionality that is inherent in the EGRC platform.

Instead of acquiring separate solutions for finance, IT and other business units, many enterprises are choosing to use a single EGRC platform and, when necessary, integrating the many point and functional solutions to satisfy specific GRC needs. Reporting and managing through a single platform gives executives, auditors and managers a holistic view of the enterprise's risk and compliance postures, as well as views sorted by requirement, entity and geography.

The GRC marketplace is undergoing a transition from U.S.-centric to global. Demand for GRC solutions is highest in the U.S., where corporate governance regulations are the most stringent. However, as other countries, such as Canada, Japan, India and members of the European Union, have begun to enforce similar regulations, demand has increased globally. Another market trend that is driving buying decisions is enterprise risk management (ERM). Many companies are responding to the ERM emphasis by Standard & Poor's in its credit ratings, increased attention to risk management by regulators and closer scrutiny of risks to business objectives by boards of directors. Interest in risk management in government agencies is also increasing, and in the U.S., the White House Office of Management and Budget has issued requirements to government agencies for risk reporting related to the distribution of funds from the American Recovery and Reinvestment Act of 2009 (ARRA; stimulus spending).

Consolidation in the EGRC platform market is picking up pace significantly. Paisley was acquired by Thomson
Reuters early this year, and in the third week of July 2009 alone, three acquisitions were announced: IDS
Scheer by Software AG, Cura by SoftPro Systems, and Axentis by Wolters Kluwer. None of these acquisitions
will have any immediate impact on their current customers, although product improvements and new
capabilities made possible from capital infusions by acquirers are likely.

Market Definition/Description

The primary purpose of the enterprise GRC platform is to automate much of the work associated with the
documentation and reporting of the risk management and compliance activities that are most closely
associated with corporate governance. The primary end users include internal auditors and the audit
committee, risk and compliance managers, and accountable executives. The key functions of importance to
these groups are:

- Audit management — Supports internal auditors in managing work papers, and scheduling audit-related tasks, time management and reporting.
- Policy management — A specialized form of document management that enables the policy life cycle from creation to review, change and archiving of policies.
- Compliance management — Supports compliance professionals with the documentation, workflow, reporting and visualization of control objectives, controls and associated risks, surveys and self-assessments, testing and remediation. At a minimum, EGRC management not only will include financial reporting compliance (Sarbanes-Oxley compliance), but also can support other types of compliance, such as ISO 9000, Payment Card Industry, industry-specific regulations, service-level agreements, trading partner requirements and compliance with internal policies.
- Risk management — Supports risk management professionals with the documentation, workflow, assessment and analysis, reporting, visualization, and remediation of risks. This component focuses on operational risk management but may collect credit and market risk information from other risk management tools to provide a consolidated view of enterprise risk management. There will be specific industry-focused risk management requirements. For example, for banking, it can include highly specialized capabilities for Basel II compliance.

The EGRC platform can integrate with business applications, business intelligence, enterprise content
management, controls automation, monitoring solutions (such as segregation of duties), IT technical controls
and continuous controls monitoring. The EGRC platform also integrates with specialized GRCM solutions, such
as environmental, health and safety (EH&S) compliance; quality management; and industry GRCM
applications.

For a comprehensive market description, see "The Enterprise Governance, Risk and Compliance Platform
Defined."

Inclusion and Exclusion Criteria

Vendors were included in this Magic Quadrant if they met these criteria:

- Ability to deliver three of the four primary GRCM functions: audit management, compliance management, risk management and policy management.
- Credible presence in the marketplace: defined as at least $7.5 million in annual revenue from EGRC platform software, at least 50 customers, and customers able to be referenced for corporate-governance-related GRC activities such as financial reporting compliance and ERM.

Vendors were excluded if they did not meet the functional, revenue, and implementation criteria; did not have
adequate referenceability; or were an industry-specific or highly specialized solution.

EGRC platform vendors that did not meet the revenue requirement, did not have the required number of
customers or were not rated due to the other criteria, but offer a platform that supports at least three of the
four primary GRCM functions, are:

- CA — U.S. company. Its platform supports compliance management, risk management and policy management. CA is a late entry to the market and has not yet reached the threshold of 50 implementations for inclusion. CA's EGRC offering is based on its Clarity PPM platform, offering the potential for a portfolio approach to risk management and compliance, plus good project management features for complex GRC activities or remediation.
- Compliance 360 — U.S. company with a software as a service (SaaS) solution. Its platform supports compliance management, risk management and policy management. Compliance 360 is a pioneer in linking content from LexisNexis feeds and other sources to specific compliance requirements. It markets functionality for general financial reporting compliance and risk management. Because the Compliance 360 strategy is tightly focused on the healthcare and insurance industries, it was on the borderline for inclusion. Because the vendor did not respond to the questionnaire, the references were limited, and Gartner inquiries related to Compliance 360's experience and offerings in corporate-governance-related GRC activities were also limited, we decided that there was not enough information available publicly and within Gartner to justify inclusion.
- DoubleCheck — U.S. company. Its platform supports audit management, compliance management, risk management and policy management. DoubleCheck has worked to target larger customers. At this time it does not meet the minimum revenue criterion for inclusion.
- Neohapsis — U.S. company. It has acquired the EGRC platform technology of the former vendor Certus, and plans to revitalize the offering with a new release in 3Q09. At this time, it does not meet the minimum criteria for revenue and implementations for inclusion.
- List Group — Italian company. Its platform supports audit management, compliance management, risk management and policy management. List has several large implementations in banks, and supports advanced risk analytics. It does not meet the minimum criterion for number of implementations.
- Optial — U.K. company. Its platform supports audit management, compliance management, risk management, and limited policy management. Optial has several implementations with financial services organizations, and supports advanced risk analytics. It does not meet the minimum criteria for revenue and implementations.
- SAP — German company. Its platform supports compliance management and risk management. It has made significant progress during the past year at developing an integrated platform, and has shown innovation in integration of risk management and performance management. However, the integrated platform was not announced until May 2009, too late for consideration in this year's Magic Quadrant.
- Sword Achiever — Part of Sword Group of France. Its platform supports audit management, compliance management, risk management and policy management. It has a strong focus on ISO compliance and quality management, particularly with life sciences, fast-moving consumer goods (FMCG), and energy. It was included in the 2008 Magic Quadrant, but was removed this year due to limited referenceability for corporate-governance-related GRC functions, such as financial reporting compliance and risk management.
- Trintech — U.S. company. In 2008, Trintech acquired EGRC platform vendor Movaris. It has integrated Movaris' risk management, compliance management, and policy management functionality with account reconciliation and financial close software to create its Unity Financial Governance, Risk and Compliance Platform. The revenue from its EGRC platform does not meet the minimum criterion for inclusion.
- Xactium — U.K. company. It is less than a year old and is a small, venture-capital-backed company. Its platform is offered as SaaS and supports risk management, compliance management, audit management and policy management. It uniquely bases its EGRC platform on the salesforce.com platform, giving customers the advantage of a nonproprietary platform that has solid support from a large company, salesforce.com, and a broad community of other users.

Added

Aline (formerly BI International) — Aline has met the minimum revenue and number of implementation
requirements to be added to this Magic Quadrant.

Dropped

Sword Achiever — While it has the functionality for an EGRC platform, most customers are using it primarily
for compliance with ISO standards, and not for GRC activities related to corporate governance.

Qumas — Its primary value is in managing the life cycle and communication of policy documents for regulatory
compliance, and it does not have an integrated operational risk component as part of its platform. The Qumas
compliance solution, DocCompliance, is embedded in Thomson Reuters' Paisley Enterprise GRC offering.

Evaluation Criteria

Ability to Execute

Vendors are assessed on their ability and success in making their vision a market reality. Four of the seven
Gartner criteria for ability to execute are the most significant at this early stage of the EGRC platform market:

- Product/Service — Core goods and services offered by the provider that competes in/serves the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
- Overall Viability — Includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the business unit to continue to invest in the product, offer the product and advance the state of the art in the organization's portfolio of products.
- Market Responsiveness and Track Record — Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the provider's history of responsiveness.
- Sales Execution/Pricing — The technology providers' capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
- Customer Experience — Relationships, products and services/programs that enable customers to be successful with the products evaluated. This includes the ways customers receive technical or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups and service-level agreements.
- Operations — The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure — including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

In 2009, the weighting for market responsiveness and track record was doubled, and criteria for sales
execution/pricing and operations were added. These changes were made to account for the increased maturity
of the market, which is at a point where we are seeing some consolidation; that resulted in significant shifts in
the Ability to Execute position of some vendors (see Table 1).

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria                                                     Weighting
--------------------------------------------------------------------    ---------
Product/Service                                                         High
Overall Viability (Business Unit, Financial, Strategy, Organization)    Standard
Sales Execution/Pricing                                                 Low
Market Responsiveness and Track Record                                  High
Marketing Execution                                                     No rating
Customer Experience                                                     Standard
Operations                                                              Low

Source: Gartner (July 2009)

Completeness of Vision

Vendors are rated on their understanding of how market forces can be exploited to create value for customers
and opportunity for themselves. Five of the eight criteria for completeness of vision (see Table 2) were
considered significant for the EGRC platform market:

- Market Understanding — Ability of the provider to understand buyer needs and translate these needs into products and services. Vendors that show the highest degree of vision listen to and understand buyer wants and needs, and can shape or enhance those wants with their added vision.
- Offering (Product) Strategy — A provider's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.
- Vertical/Industry Strategy — The provider's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical industries.
- Innovation — Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, and defensive or pre-emptive purposes.
- Geographic Strategy — The provider's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside its native geography — directly or through partners, channels and subsidiaries — as appropriate for that geography and market.

At this early stage, marketing and sales strategies do not vary significantly among the vendors. Although not
yet a major factor, vendor business models could become significant differentiators as vendors try to take
advantage of the next stage of market growth.

Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria               Weighting
---------------------------       ---------
Market Understanding              Standard
Marketing Strategy                No rating
Sales Strategy                    No rating
Offering (Product) Strategy       High
Business Model                    No rating
Vertical/Industry Strategy        Standard
Innovation                        Standard
Geographic Strategy               Low

Source: Gartner (July 2009)

Leaders

The EGRC platform market is still evolving, but the vendors in this market have had time to develop their
products and strategies in other precursor markets. Because they have developed with a focus on corporate
governance and executive reporting requirements, vendors with experience in the finance GRCM market have
an advantage in the EGRC platform market. Of the four leaders, Thomson Reuters, Oracle and OpenPages
were leaders in last year's "Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms."
BWise is a newcomer, and its progress is attributable mostly to continued good execution of its road map,
which helped to close the gap on product functionality, particularly reporting. Customers will be looking for
leaders to provide additional functionality such as support for ERM, integration with advanced business
intelligence and corporate performance management applications, more-flexible and ad hoc reporting, and
more support for the internal audit organization. They will also expect support across multiple geographies.
The large vendors are best positioned for these requirements, yet smaller vendors are in the Leaders quadrant
because of continued viability, more-advanced functionality and market understanding.

Vendors in the Leaders quadrant are:

- OpenPages
- Thomson Reuters
- BWise
- Oracle
- MetricStream

Challengers

Challengers have proven viability, demonstrated market performance and the ability to exceed customer
expectations on technical functionality. Challengers need to focus on their product road maps, as well as their
sales, marketing, geographic and vertical industry strategies to move into the Leaders quadrant.

While there were several vendors in the Challengers quadrant last year, the market has been changing rapidly
to more of a focus on ERM and audit support. To capture that shift, the weighting for market responsiveness
and track record was doubled, and criteria for sales execution/pricing and operations were added this year.
This new weighting on market-performance-related criteria lowered the position on the Ability to Execute axis
for several vendors. Some vendors that were challengers last year have modified their road maps and begun
to add new product capabilities to address these market shifts. They moved into the Visionaries quadrant.

Methodware is the only vendor in the Challengers quadrant.

Visionaries

Visionaries have a solid understanding of the market, as demonstrated by domain expertise and
responsiveness to customer expectations. They are actively executing against an aggressive product road map
that expands support to additional regulatory and nonregulatory compliance and risk management needs.

Vendors in the Visionaries quadrant are:

- Cura Software Solutions
- Archer Technologies
- Protiviti
- Mega

Niche Players

Niche vendors have specialized capabilities for a particular market subsegment, but are missing some primary
or secondary functions that make for a complete platform. Vendors could also be in the Niche Players quadrant
because they have a novel business model. Only time can tell whether the models will succeed. Niche players
may also target a specific industry vertical or the needs of particular professionals.

Vendors in the Niche Players quadrant are:

- Aline
- Axentis
- IDS Scheer

Vendor Strengths and Cautions

Aline
Aline is a U.S.-based vendor with 52 employees. It has effectively targeted the midmarket, and also has a few
large business customers. Led by former Cognos management, it has developed a good relationship with
Cognos-IBM.

Aline delivers all four GRCM primary functions — audit management, compliance management, risk
management and policy management. However, the lack of survey functionality is a major deficit. The
platform is based on .NET and is delivered 100% as SaaS.

Strengths

- It shows innovation. Its integration of risk management and performance management is an advanced and visionary feature for this market.
- It bundles a lot of knowledge transfer into its implementation.

Cautions

- It does not have survey functionality or policy training and certification.
- It does not maintain 24/7 global support; support is available during U.S. East Coast business hours.

Archer Technologies

Archer Technologies is headquartered in the U.S. and has 125 employees. Basing its platform on the Archer
SmartSuite Framework, originally developed for the IT GRCM market, the company has made a sustained
commitment to the EGRC platform customer. Besides IT GRCM, the platform supports financial management
compliance, audit management, risk management, policy management, incident management, business
continuity and other functions.

Archer delivers all four GRCM primary functions — audit management, compliance management, risk
management and policy management. It is based on .NET.

Strengths

- IT GRCM is a core installed base.
- It has an intuitive Web-based interface and navigation.
- Archer Community is a social network for customers to share the applications, content and services they develop.
- It has a set price for an enterprise annual license per module with an unlimited number of users.

Cautions

- Ongoing support for Archer's breadth of modules and add-ons creates potential for overstretching its resources.
- With nine modules and many add-ons from which to select, customers must be diligent that the capability sought is in the modules they buy. Additional modules or add-ons could add to the price.

Axentis

Axentis is based in the U.S. and has 100 employees. It was acquired recently by Wolters Kluwer. The Axentis
GRC platform is most suitable for organizations needing strong support for legal compliance issues that are
policy based, such as policy training and certification of employees for regulatory compliance issues, or for a
corporate integrity agreement with a regulator. This training and certification capability is extensible beyond
the enterprise to subcontractors and suppliers — an important feature since vendor risk management is
increasingly an application for EGRC platforms.

Axentis delivers effectively three of four GRCM primary functions — compliance management, risk
management and policy management. The platform is based on .NET and is delivered 100% as SaaS.

In July 2009, Wolters Kluwer acquired Axentis for its CCH division, which also has other audit management,
risk management and compliance software offerings. The Axentis position in the Magic Quadrant reflects the
improved financial viability brought by the acquisition. Due to publication being so close to the acquisition, the
rating and our comments cannot reflect any changes in strategy, technology or business plans.

Strengths

 It has strong vertical market support for healthcare, insurance and life sciences — including corporate
integrity agreement compliance.
 It has a broad set of offerings integrating GRCM with content.
 It received very good customer references.
 It is very well-suited for employee policy training and certification with integrated e-learning.

Cautions

 There is no road map for internal audit, but it does have an adapter for CCH TeamMate.
 Significant customization of workflow requires vendor support.
 It does not support quantitative risk analysis, which could be important to banks.

BWise

BWise is headquartered in the Netherlands and has 117 employees. Its next version, which is scheduled to be
released in 2H09, is expected to have enhanced ERP integration, automatically evidencing ERP process and
access controls into the BWise GRC platform. BWise has overcome problems with data extraction for ad hoc
reporting and offers a backwardly compatible module for older versions.

BWise delivers all four GRCM primary functions — audit management, compliance management, risk
management and policy management. It is based on Java Platform, Enterprise Edition (Java EE).

Strengths

 Its financial services industry compliance support is a strength — including banking and investment
regulations, financial reporting compliance, and IT GRCM.
 Its business process modeling capabilities enable mapping of processes against risks and controls —
enabling business process improvements.
 Its support personnel and those deployed for implementation were noted by customers as having solid
business domain knowledge.

Cautions

 There have been some reports of bugs in releases, but they were resolved in a timely manner.
 Although the ability to extract data for ad hoc reporting has been improved, customers note that the
product's reporting is not "board level" and not very flexible.

Cura Software Solutions

Cura Software Solutions moved its headquarters from Australia to the U.S. two years ago, and now U.S. sales
account for more than half its business, although it maintains a strong base in Australia and South Africa. It
also has a strategy for the U.K., but does not focus on continental Europe. It has 100 employees.

Cura delivers a highly configurable platform and supports the four GRCM primary functions — audit
management, compliance management, risk management and policy management. It has a new content
partnership with LexisNexis, which should help with support for corporate compliance officers and general
counsel. Cura is based on a combination of C# and .NET.

In July 2009, SoftPro Systems acquired Cura. The Cura position in the Magic Quadrant reflects the improved
financial viability brought by the acquisition. Due to publication being so close to the acquisition, the rating and
our comments cannot reflect any future changes in strategy, technology, or business plans.

Strengths

 It has a quick-start module for enterprise risk management, called BridgeWork.
 It has market support for financial services, energy and utilities, and mining industries — particularly
within the U.S., South Africa, and Australia.
 It has extensive best-practice knowledgebases, especially with regard to operational risk management,
and support for risk management frameworks AS/NZS 4360 and ISO 31000.

Cautions

 Its audit management capability has just recently been launched and has not been fully market-tested.
Cura also has an adapter for CCH TeamMate.
 It has limited native document management, which limits policy management, including policy training
and certification, and audit management capabilities. However, it comes with SharePoint integration and
has proven integration with Documentum.
 A European market focus is lacking, with the exception of significant headway in the U.K.

IDS Scheer

IDS Scheer is a large business process management (BPM) vendor headquartered in Germany. It has 3,000
employees worldwide. The ARIS Solution for Governance, Risk and Compliance Management supports
compliance management and risk management. It is most suitable for organizations seeking to design risks,
controls and key performance indicators (KPIs) in the context of an operational process, and analyze the
effects of changes in any of those objects on the others. During the past year, IDS Scheer has added improved
survey capability and policy management. It has plans this year to close gaps in audit management and add
an operational risk management module.

IDS Scheer delivers two of four GRCM primary functions directly — compliance management and risk
management — and audit management can be built on ARIS Business Architect. The IDS Scheer GRC solution
is developed on the ARIS Platform, which is based on Java EE.

In July 2009, Software AG announced it is acquiring IDS Scheer. Due to publication being so close to the
acquisition announcement, the rating and our comments do not reflect any future changes in strategy,
technology, or business plans.

Strengths

 It is the largest BPM vendor delivering a GRCM solution on a robust platform.
 Its business process analysis capabilities enable mapping of processes against risks and controls —
aligning risks with process steps and enabling business process improvements.
 It is useful for organizations with a strategic approach and seeking to align GRC activities to business
processes and objectives.

Cautions

 It is not for organizations looking for a rapidly implemented documentation and reporting application — a
business process orientation to risk management and compliance is required.
 It requires competency in the ARIS process-modeling tools.

Mega

Mega is headquartered in France, and has 274 employees. The BPM vendor has reoriented its market
positioning toward GRC. It acquired its EGRC platform technology from another vendor and added business
process modeling functionality that supports the design and modeling of risks and controls in the context of a
business process. Having entered the market relatively late, many of its sales have been driven by risk
management, more than compliance. It is adding more risk analytics to support ERM.

Mega delivers all four primary GRCM functions — audit management, compliance management, risk
management and policy management. It is based on Java EE.

Strengths

 It has good business process analysis capabilities. Its architecture tool enables mapping of processes
against risks and controls — thus enabling business process improvements.
 Customers have noted good responsiveness for development as well as support — geographically
focused on continental Europe but with sales and support in North America and elsewhere.
 It has good support for operational risk management.

Cautions

 It does not have much presence in the U.S. market, which has been the biggest market for EGRC
platforms.
 It is still best known as a BPM vendor, although it is marketing its GRC capability heavily.

Methodware (Jade)

Methodware was acquired in 2008 by Jade, a more than $20 million software company based in New Zealand.
Methodware is a no-frills EGRC platform solution that has proven to be popular with midsize companies and
departmental implementations in larger companies.

Methodware delivers all four GRCM primary functions — audit management, compliance management, risk
management and policy management. The current platform has proprietary middleware architecture with a
Java EE interface and a standard Structured Query Language database interface. The next version (v.8) is
scheduled to be a .NET product.

Strengths

 For a small vendor from New Zealand, it has very good support in Europe and the U.S.
 It has a long track record of proven risk management — good qualitative and quantitative analytic
features.
 It focuses on the midsize business marketplace, as well as financial services, higher education, national
government and manufacturing vertical markets.

Cautions

 Its policy management is limited because of a lack of content management.
 It has no native content management and only limited workflow and process automation functionality.

MetricStream

MetricStream is headquartered in the U.S., and has a large development team in India. It has 200 employees.
Originally focused on quality management implementations, MetricStream has expanded to support EGRC
platform customers with implementations for financial compliance, audit management and risk management.
The platform is highly configurable, and MetricStream has worked with customers to develop workflows and
reporting specific to their needs.

The MetricStream Enterprise Compliance Platform supports solutions for audit management, compliance
management, risk management, policy management and quality management. It is based on Java EE.

Strengths

 It offers rapid customization — it has a strong reputation for working with customers to deliver a
platform specific to their environments.
 Having started in quality management, it understands the GRC environment of companies with heavy
physical infrastructure investments and a strong process orientation.
 It manages a community portal — ComplianceOnline.com — and uses that community as a key resource
to help with development.

Cautions

 In some instances, a high degree of customization has resulted in significantly higher than normal
implementation costs.
 As a small vendor with a growing number of large customers, it has a wide variety of specialized needs.
There could be growing pains in the future with ongoing support.

OpenPages

OpenPages is headquartered in the U.S., and has 140 employees. It has a focus on large customers and good
brand recognition in the U.S., Europe and other regions. It has partnered with the Operational Riskdata
eXchange Association (ORX), which hosts loss event benchmarking data for large banks, and provided ORX with
the platform for hosting the data. This partnership has raised its visibility with large banks globally. OpenPages
has a steady development program; it introduced new modules for privacy and EH&S compliance during the
past year, and it plans to release modules for vendor risk management and business continuity in 2H09.

OpenPages delivers all four GRCM primary functions — audit management, compliance management, risk
management and policy management. It is based on Java EE.

Strengths

 Its viability is a strength. It has a strong management team with good domain knowledge, and a large
customer base with high retention.
 It has good functionality to make associations among mandates, policies, procedures and requirements
(its taxonomy contains a risk statement, control objectives and control descriptions).
 Reporting and its ability to get to useful data are strengths. It has a Cognos reporting engine and proven
integration with Hyperion for advanced financial management reporting.

Cautions

 Enterprises must contract separately with content providers for Deloitte and other content for IT risks
and controls.
 While its self-assessment function is broad and complete, the advanced self-assessment is awkward for
the casual user.

Oracle

Oracle is a software megavendor that is headquartered in the U.S. Oracle GRC Manager is based on technology
acquired from Stellent. It supports solutions for audit management, compliance management, risk
management and policy management. GRC Fusion Intelligence provides advanced reporting beyond that found
in GRC Manager, and it is based on Oracle Business Intelligence Enterprise Edition. Oracle is seeking to provide
a full spectrum of GRC products that can be integrated with GRC Manager, including continuous controls
monitoring. Some of the offerings that Oracle provides under its GRC umbrella, such as content management
and IT security products, are stretching that umbrella too far. However, setting that aside, Oracle has the most
complete set of GRC offerings for audit, financial compliance and governance, and ERM of any vendor.
Integration of GRC Manager to Oracle Hyperion Financial Management is available via published application
programming interfaces (APIs).

Oracle delivers all four GRCM primary functions — audit management, compliance management, risk
management and policy management. It is based on Java EE.

Strengths

 Its suite of controls products, such as Oracle Application Access Controls Governor and Oracle
Transaction Controls Governor, can be integrated into the GRC Manager platform.
 Using Oracle Fusion GRC Intelligence enables easier integration of reporting with other Oracle
applications.
 It has a very knowledgeable Oracle consulting services arm, as well as effective partnerships with large
consultancies for extensive engagements.

Cautions

 For improved reporting, customers must pay for a separate license for Fusion GRC Intelligence.
However, some enterprises find they have excess Fusion Intelligence licenses from other Oracle
applications that can be applied to GRC.
 Banks should be careful to discriminate between Oracle GRC Manager and other Oracle risk management
and compliance products that are managed by a distinct and separate Oracle business unit.

Protiviti

Protiviti is based in the U.S., and is a 3,000-person global risk consultancy. The Risk Technology Solutions
group that is responsible for the Protiviti Governance Portal has 75 employees. During the past year, Protiviti
has improved its support for internal audit and added an offline audit workbench. For ad hoc analysis and
reporting, it has also integrated Microsoft Excel directly with the platform, enabling population of Excel-based
models directly from data in the platform.

It delivers all four GRCM primary functions — compliance management, risk management and policy
management, and it also demonstrated audit management. The platform is based on .NET.

Strengths

 Support for internal audit is a strength.
 It has abundant GRC domain expertise and content. It is a well-known risk management and compliance
consultancy.
 Its good search function enhances navigation within the application.

Cautions

 Customers looking for the software only may find that Protiviti will want to follow up with risk
management and compliance consulting, or for internal audit support.
 Software revenue is a small portion of Protiviti's overall revenue.

Thomson Reuters

In early 2009, the large media and publishing company Thomson Reuters acquired Paisley. Paisley is
integrated into the tax and accounting business division, which also owns Check Point Software. Thomson
Reuters offers Paisley Enterprise GRC and a SaaS version — GRC on Demand. Since the acquisition, Thomson
Reuters has invested in several enhancements that are scheduled to be generally available in the next version
slated for release early in 3Q09, including an improved role-based graphical user interface (GUI); in-context
links to Thomson Reuters regulatory, legal and audit content; and a fully integrated controlled document
management capability from Qumas.

Paisley delivers all four GRCM primary functions — audit management, compliance management, risk
management and policy management. It is based on Java EE.

Strengths

 There is an opportunity for integration of Thomson Reuters content, which can improve the role and
industry configuration of the platform.
 It integrates with Check Point Software and audit content for a specialized internal audit version.
 It has strong audit management with offline capability — it is the chief competitor to CCH TeamMate in
that market. It has good planning capabilities for audits and testing.

Cautions

 Thomson Reuters' strategy for risk management and compliance markets is evolving, and the role of
Paisley in that strategy needs more clarity.
 When Thomson Reuters bundles subscription content with Paisley, the pricing component of the software
will be less transparent.

The Magic Quadrant is copyrighted 12 August 2009 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical
representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against
criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic
Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is
intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with
respect to this research, including any warranties of merchantability or fitness for a particular purpose.

© 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior
written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims
all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues
related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or
used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations
thereof. The opinions expressed herein are subject to change without notice.