Each year, they publish a Magic Quadrant (MQ) that is presented as addressing organizations’ needs for GRC software. Their 2011 Magic Quadrant for ‘Enterprise Governance, Risk and Compliance Platforms’ * (EGRC) is available from Gartner or one of the included software vendors. (I haven’t seen the 2013 MQ).

The purpose of the MQ is to present their “assessment of the main software vendors that should be considered by organizations seeking a technology solution to support the oversight and operation of enterprisewide risk management and compliance programs, with the overall objective being improvements in corporate governance and the ability to achieve business objectives”.

It is good to see my former employer, SAP, in the top quadrant. This means that Gartner considers them visionaries with a high ability to execute.

Also included are players with whose products I have some familiarity: Archer, BWise, IBM, Thomson Reuters, MetricStream, and Oracle.

But does this mean anything? Does it actually have value and relevance for organizations seeking to improve their governance, risk management, and compliance programs?

I have so many criticisms, it is difficult to know where to start:

1. Gartner assesses software solutions against a defined set of required functionality. That set of functionalities is highly unlikely to be the same as your prioritized needs and requirements! While they talk most prominently about risk management and compliance programs, and these are typically the areas with the greatest need and potential ROI, they include requirements for internal audit, policy management, and more. How many companies would give significant weight, when considering solutions for risk management, to the needs of the (typically small) internal audit function? At the same time, they exclude critical functionality (in my opinion) around the capabilities to link strategy and risk, perform risk monitoring, and support risk workshops. How can you run an effective risk management program without the ability to continuously monitor risks in this turbulent business environment? When you are assessing the effect of uncertainty on objectives (i.e., risk), how do you do that when you have no way to identify the risks to each objective?

2. They talk about governance, but their assessment includes next to nothing that supports governance. Even their definition of governance is limited and, in my opinion, wrong. It doesn’t include board communications, for example.

3. Gartner assumes that you need a single platform for risk management and compliance. I believe that compliance-related risks should be included in the risk management program, and that a risk-based approach to compliance is generally wise. However, I find it difficult to believe that all the requirements for a compliance program (e.g., ethics certification and training, investigation case management, legal case management, whistleblower services, anti-money laundering and FCPA compliance, and more) can be found in a single solution – let alone one that supports risk management as well.

4. Gartner assumes value in the integration of these various functionalities. However, that integration has much less value in practice than they consider. I would prefer to see integration between strategy and risk management than risk management and internal audit!

5. They don’t consider the need to integrate risk and performance (and strategy) reporting. If we are to integrate risk management into the fabric of the organization, you need combined reporting on both performance and risk indicators.

6. Few organizations have a ‘GRC’ organization, one that combines (as Gartner sees it) risk management, compliance management, policy management, internal audit, and some limited aspects of governance. So why should we think about a GRC solution?

I will stop there, that looking for a ‘GRC solution’ is (IMHO) short-sighted and likely to lead to selecting the wrong software for your organization.

I might use the MQ to make sure I am considering all the vendors that might have solutions to meet your needs.

But, I would define my requirements based on my needs, my requirements, my potential ROI, and not the needs of the fictional organization considered by Gartner.

I would also be concerned if a vendor presented their solution as addressing the requirements of an EGRC platform, as they may be designing a solution to get better grades from Gartner instead of satisfying their real customers.

What are your needs? If your priority is risk management, look for a risk management solution that has the functionality to meet your current and anticipated needs. If you are looking for compliance solutions, pick the solutions (probably more than one) that will work effectively as a combination.

If you need to address needs in multiple areas, where is the value from integration? Is it better to get separate solutions that are optimal for each area than one that perhaps is good in one or two but less so in others?

As I look back at my former companies where I was chief risk officer, ethics and compliance officer, and led internal audit, I would not have acquired one of these EGRC solutions. I would have acquired separate solutions for risk management, legal case management, SOX compliance, ethics management, and so on. The integration I would have prioritized would have been between risk management and strategy/performance management, and I would also have given significant weight to risk monitoring (using the sophisticated analytics tools now available from SAP, IBM, and Oracle).

I welcome your views.

* 2011 Magic Quadrant for ‘Enterprise Governance, Risk and Compliance Platforms’:
http://www.intersoftconsulting.hu/wp-content/uploads/2013/05/mq_2011_op.pdf

Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.
normanmarks.wordpress.com/