The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 2009
by Chris McClean for Security And Risk Professionals
July 1, 2009
Making Leaders Successful Every Day


© 2009, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com.

For Security And Risk Professionals. Includes a Forrester Wave™.

EXECUTIVE SUMMARY

The enterprise governance, risk, and compliance (GRC) market is still relatively young, populated primarily by small but solid pure-play vendors. Growing corporate concerns have raised market expectations, however, bringing new competition from startups as well as industry giants into an already-crowded space. Forrester evaluated 14 enterprise GRC platform vendors using 80 criteria. BWise, OpenPages, and Thomson Reuters earned the highest scores overall due to their comprehensive capabilities and strong market strategies. MetricStream and AXENTIS made impressive showings in the Leader category as well. The Strong Performers included Archer Technologies, Cura Software Solutions, and Strategic Thought Group near the top, followed by Protiviti, MEGA, and Methodware. Meanwhile, SAI Global, SAP, and Trintech finished as GRC Contenders.

TABLE OF CONTENTS

The Business Case For GRC Has Never Been Clearer
Enterprise GRC Platforms Evaluation Overview
Evaluation Analysis
Vendor Profiles
Supplemental Material

NOTES & RESOURCES

Forrester conducted product evaluations in February 2009 and interviewed 14 vendors: Archer Technologies, AXENTIS, BWise, Cura Software Solutions, MEGA, Methodware, MetricStream, OpenPages, Protiviti, SAI Global, SAP, Strategic Thought Group, Thomson Reuters, and Trintech.

Related Research Documents

“The GRC Technology Puzzle: Getting All The Pieces To Fit,” February 3, 2009
“Trends 2009: Governance, Risk, And Compliance Hit The Big Time,” December 23, 2008
“Best Practices: Implementing A Governance, Risk, And Compliance Program,” October 7, 2008

July 1, 2009

The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 2009
BWise, OpenPages, And Thomson Reuters Take The Top Spots, With MetricStream And AXENTIS Rounding Out The Leaders
by Chris McClean with Robert Whiteley, Khalid Kark, and Alissa Dill



THE BUSINESS CASE FOR GRC HAS NEVER BEEN CLEARER

The economic downturn is taking its toll on IT spending across the board. However, the frankly appalling corporate failures witnessed over the past year will help GRC projects shoot to the top of the priority list when purse strings start to loosen.

There has rarely been so much agreement across industries and geographies that corporate governance must improve, that risk management practices have grossly underperformed, and that regulatory compliance is going to be a vastly more complicated endeavor in the very near future. Shareholders, regulators, rating agencies, business partners, and customers are all watching with heavy cynicism as companies strive to show that they are under control. This extreme level of scrutiny is putting the pressure on GRC professionals to better coordinate and demonstrate their efforts.

GRC Platforms Provide A Central Point Of Control

Most GRC products were originally built to address specific requirements for financial controls management, quality management, risk assessments, or policy management. However, to meet growing market demands, they have evolved into flexible, configurable platforms that support programs spanning many risk and compliance domains at once.

The platforms themselves share common underlying technologies that allow this flexibility, including:

· Data mapping to identify the relationships of risks and controls to the business. GRC platforms enable users to document the vast array of regulatory requirements, risks, and controls and associate them with all the relevant business processes, assets, financial accounts, business partners, and risk and control owners.

· Workflow management to coordinate the activities necessary for a GRC program. GRC platforms offer capabilities to define workflows to conduct key tasks, such as policy distribution, risk and control assessments, or incident response. Reminder and escalation capabilities help keep required GRC processes on track.

· Content management to ensure accurate GRC documentation. GRC platforms provide capabilities to create and track content, such as internal policies, control documentation, or evidence relating to an investigation. Change management and time-stamp capabilities provide an audit trail of risk and compliance documentation as well.

· Reporting to track and evaluate GRC status. GRC platforms provide flexible reports and dashboards to present users with high-level as well as front-line information on key metrics, such as control effectiveness, risk exposure, loss history totals, or remediation progress. This analysis is critical to ensuring the overall effectiveness of the GRC program as well as supporting more intelligent strategic decisions that account for risk and compliance factors.


On top of these platform technologies, vendors offer custom or packaged applications for a range of functions relevant to GRC, such as business continuity management or supply chain compliance. However, the most common focus areas for GRC platforms are still financial controls management, operational risk management, IT GRC, and audit management.1 In addition, GRC platforms are just one piece in a large technology ecosystem that supports various elements of GRC automation.2

GRC Improves Business Efficiency, Risk Posture, And Corporate Strategy

Companies that have implemented GRC platforms report results that generally fit into three high-level categories:

· Greater efficiency. Every corporation has compliance obligations and some uncertain level of risk. GRC platforms streamline the processes required to document, measure, and respond to these obligations and risks. A substantial part of this value comes from replacing spreadsheets and email, which are still the most commonly used risk and compliance management tools.

· Reduced risk. GRC platforms help organizations measure risk, monitor losses, and facilitate remediation, which in turn drives risk reduction efforts. The products themselves may only work to reduce risk in a few ways — such as through policy awareness or training initiatives — but they provide additional value by helping justify mitigation efforts and tracking their results.

· Improved strategy. GRC platforms support better corporate strategy and decision-making, an elusive but potentially significant area of value. Specifically, by showing how risk and compliance factors affect corporate strategy and performance (and vice versa), executives have more supporting data to steer their companies in the right direction.

ENTERPRISE GRC PLATFORMS EVALUATION OVERVIEW

To assess the state of the enterprise GRC platform market and see how the vendors stack up against each other, Forrester evaluated the strengths and weaknesses of top enterprise GRC vendors.

Evaluation Criteria Focused On Comprehensive GRC Capabilities And Value Propositions

Based on customer inquiries and advisories, requests for proposal, and extensive interviews with GRC users and thought leaders, Forrester developed a comprehensive set of evaluation criteria against which to evaluate the leading enterprise GRC platforms. We have provided a recommended set of criteria weightings that emphasize the combined needs of governance, risk management, and compliance management professionals. Clients are encouraged to adjust the weightings in the spreadsheet to best fit their own requirements. We evaluated vendors against 80 criteria, which we grouped into three high-level buckets:


· Current offering. A vendor’s position on the vertical axis of the Forrester Wave graphic indicates the strength of its current GRC platform offering. The specific evaluation criteria include the product’s capabilities for policy and procedure management, risk and control management, event and loss management, GRC management and analytics, technical functionality, GRC domain support, and client reference scores.

· Strategy. A vendor’s position on the horizontal axis indicates the strength of its go-to-market strategy, with specific criteria including company strategy and vision, product strategy and vision, value to governance professionals, value to risk professionals, and value to compliance professionals.

· Market presence. The size of the vendor’s dot on the chart indicates its market presence. Forrester measures a vendor’s market presence by the company’s financial viability, customer base, staff size, and partner ecosystem.

Evaluated Vendors Exhibit The Most Current Activity And Long-Term Competitiveness

Forrester included 14 vendors in the assessment: Archer Technologies, AXENTIS, BWise, Cura Software Solutions, MEGA, Methodware, MetricStream, OpenPages, Protiviti, SAI Global, SAP, Strategic Thought Group, Thomson Reuters, and Trintech. Each of these vendors has (see Figure 1):

· Broad GRC capabilities. While some vendors may tend to focus on certain functions of GRC more than others, all the vendors in this evaluation have the capabilities to meet the requirements of broad governance, risk management, and compliance management programs.

· A substantial number of GRC customers. All the evaluated vendors have reported more than 50 GRC customers, provided examples of customers using the platform for multiple functions of GRC, and submitted at least five reference customers to participate in the Forrester Wave customer survey.

· Significant thought leadership and mindshare. All the evaluated vendors have established themselves as GRC thought leaders, and they continue to show up in requests for proposal, Forrester customers’ inquiries, and other competitive situations.

The enterprise GRC platform vendor landscape is extremely broad, with a large number of diversified software vendors and niche providers winning deals to support GRC programs. While many of these vendors show strong potential, they generally do not have the same comprehensive focus, current activity, or customer base as those that Forrester evaluated. Additional vendors include Achiever Business Solutions, CA, Compliance 360, Neohapsis, Optial, Oracle, and QUMAS.


Figure 1 Evaluated Vendors: Product Information And Selection Criteria

Source: Forrester Research, Inc.

Vendor                   Product evaluated                                    Version evaluated
Archer Technologies      Archer SmartSuite Framework                          v4.3.2
AXENTIS                  AXENTIS Enterprise                                   Release 18
BWise                    BWise                                                4.0
Cura Software Solutions  Cura Enterprise GRC                                  v3.x
MEGA                     MEGA GRC Suite                                       v3.1
Methodware               Enterprise Risk Assessor                             v7.0
MetricStream             MetricStream Enterprise GRC Platform                 v5.5
OpenPages                OpenPages                                            v5.5.0.2
Protiviti                Governance Portal                                    v3.3
SAI Global               SAI Global GRC Platform                              v7.3
SAP                      SAP BusinessObjects Risk Management;                 2.0, 2.5, 5.3,
                         SAP BusinessObjects Process Control;                 7.2, 1.0, 1.0
                         SAP BusinessObjects Access Control;
                         SAP BusinessObjects Global Trade Services;
                         SAP EHS Management (comprising SAP Environmental
                           Health and Safety, SAP Environmental Compliance,
                           and SAP REACH);
                         SAP Nota Fiscal Electronia;
                         SAP Cisco Data Privacy
Strategic Thought Group  Active Risk Manager                                  v3.1
Thomson Reuters          Paisley Enterprise GRC;                              3.5
                         Paisley GRC on Demand (SaaS version)
Trintech                 Trintech Unity; ReconNET; AssureNET GL               10.2, 7.5, 4.1


Figure 1 Evaluated Vendors: Product Information And Selection Criteria (Cont.)

Source: Forrester Research, Inc.

Vendor selection criteria

· Broad GRC capabilities. While some vendors may tend to focus on certain functions of GRC more than others, all the vendors in this evaluation have the capabilities to meet the requirements of broad governance, risk management, and compliance management programs.

· A substantial number of GRC customers. All the evaluated vendors have reported more than 50 GRC customers, provided examples of customers using the platform for multiple functions of GRC, and submitted at least five reference customers to participate in the Forrester Wave customer survey.

· Significant thought leadership and mindshare. All the evaluated vendors have established themselves as GRC thought leaders, and they continue to show up in requests for proposal, Forrester customers’ inquiries, and other competitive situations.

EVALUATION ANALYSIS

The evaluation uncovered a market in which (see Figure 2):

· AXENTIS, BWise, MetricStream, OpenPages, and Thomson Reuters are Leaders. These vendors all continue to make impressive improvements in their technology offerings and are winning large customer deals. Most are seeing dramatically more customer wins to support comprehensive GRC programs, although many customers still prefer to start with small initial implementations to address more immediate pain points. In addition to the technical strength of their products, these vendors are also actively shaping the GRC market through thought leadership and strategic guidance.

· Archer, Cura, MEGA, Methodware, Protiviti, and Strategic Thought are Strong Performers. Vendors in this category have generally shown dramatic improvements in the enterprise GRC market in the past two years. They can all point to strong customer successes and impressive technology solutions across multiple areas of GRC. While they may not exhibit the broad GRC implementations and market reach of the vendors in the Leaders category, they continue to maintain a strong competitive position in a crowded market.

· SAI Global, SAP, and Trintech are Contenders. The three vendors in the Contenders category have not been in the GRC platform market as long as most of the other vendors evaluated, although they have offered solutions relevant to compliance and risk management for some time. Continued integration of their GRC platform products with their other product offerings will quickly increase their value and ability to compete for broad GRC deals.

This evaluation of the enterprise GRC market is intended to be a starting point only. We encourage readers to view detailed product evaluations and adapt the criteria weightings to fit their individual needs through the Forrester Wave Excel-based vendor comparison tool.


Figure 2 Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 ’09

Source: Forrester Research, Inc.

[Wave graphic: vendors plotted by Current offering (vertical axis, weak to strong) against Strategy (horizontal axis, weak to strong), with dot size indicating Market presence and bands for Risky Bets, Contenders, Strong Performers, and Leaders. Vendors plotted: Archer Technologies, AXENTIS, BWise, Cura Software Solutions, MEGA, Methodware, MetricStream, OpenPages, Protiviti, SAI Global, SAP, Strategic Thought Group, Thomson Reuters, and Trintech. The legend distinguishes full from incomplete vendor participation.]

Go online to download the Forrester Wave tool for more detailed product evaluations, feature comparisons, and customizable rankings.


Figure 2 Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 ’09 (Cont.)

Source: Forrester Research, Inc.

Weight is Forrester’s recommended weighting. The category weights (Current offering 50%, Strategy 50%, Market presence 0%) apply to the overall Wave score; each category score is the weighted mean of its criteria, whose weights sum to 100%.

Criterion                                   Weight  Archer  AXENTIS  BWise  Cura  MEGA  Methodware  MetricStream
CURRENT OFFERING                               50%    3.99     3.74   4.10  3.49  3.10        2.86          3.93
  Policy and procedure management              20%    5.00     5.00   3.60  2.40  2.60        1.00          4.60
  Risk and control management                  20%    2.80     2.80   4.40  4.00  3.30        3.60          3.30
  Event and loss management                    20%    4.70     4.00   4.40  3.90  3.10        3.80          4.20
  GRC management and analytics                 20%    2.95     2.75   4.35  3.40  3.55        3.05          3.70
  Technical functionality                      10%    4.90     3.95   3.40  3.40  2.45        2.50          3.70
  GRC domain support                            5%    3.40     4.00   4.20  3.60  3.20        2.60          4.00
  Client reference scores and feedback          5%    4.70     4.70   3.95  4.60  3.75        3.75          4.00
STRATEGY                                       50%    2.81     3.76   4.13  3.45  2.54        2.58          3.65
  Company strategy and vision                  30%    3.00     4.40   4.30  3.30  3.00        3.30          4.40
  Product strategy and vision                  25%    3.20     3.70   4.40  4.50  2.40        2.50          3.90
  Value proposition for corporate governance   15%    1.80     2.60   4.50  2.20  2.20        1.00          2.50
  Value proposition for ERM                    15%    2.30     2.50   4.10  4.10  2.10        3.60          2.50
  Value proposition for corporate compliance   15%    3.30     5.00   3.00  2.60  2.60        1.80          4.00
MARKET PRESENCE                                 0%    2.71     2.50   3.46  3.22  3.02        2.74          2.62
  Financial viability                          40%    2.95     1.80   2.65  2.95  3.50        2.80          2.10
  Installed base                               30%    1.90     2.80   4.60  4.00  2.20        4.40          3.00
  Staff size                                   20%    2.30     2.20   2.60  2.70  3.30        1.00          2.90
  Strategic alliances                          10%    5.00     5.00   5.00  3.00  3.00        1.00          3.00

All scores are based on a scale of 0 (weak) to 5 (strong).


Figure 2 Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 ’09 (Cont.)

Source: Forrester Research, Inc.

Criterion                                   Weight  OpenPages  Protiviti  SAI Global   SAP  Strategic Thought  Thomson Reuters  Trintech
CURRENT OFFERING                               50%       4.16       3.07        2.03  2.38               3.29             3.69      2.35
  Policy and procedure management              20%       4.00       2.40        1.40  1.40               2.00             4.20      1.40
  Risk and control management                  20%       4.30       3.60        2.10  3.10               3.80             3.80      2.70
  Event and loss management                    20%       4.10       3.00        1.90  2.70               4.40             3.00      2.40
  GRC management and analytics                 20%       3.90       3.00        2.15  2.15               3.20             3.55      2.20
  Technical functionality                      10%       4.60       2.90        2.10  2.20               2.65             3.90      2.80
  GRC domain support                            5%       4.60       3.40        2.60  2.00               3.40             3.80      2.40
  Client reference scores and feedback          5%       4.25       4.15        3.65  3.75               3.45             4.05      4.10
STRATEGY                                       50%       3.76       2.87        2.80  2.88               3.60             3.89      2.88
  Company strategy and vision                  30%       4.70       3.40        3.20  2.90               4.40             4.00      3.00
  Product strategy and vision                  25%       3.50       2.60        2.00  3.60               3.90             4.80      3.60
  Value proposition for corporate governance   15%       3.00       3.30        2.70  3.50               2.90             3.80      4.30
  Value proposition for ERM                    15%       3.80       2.50        2.20  1.80               4.20             2.10      1.30
  Value proposition for corporate compliance   15%       3.00       2.20        4.00  2.10               1.60             4.00      1.60
MARKET PRESENCE                                 0%       3.11       3.36        3.24  4.46               2.77             3.78      2.78
  Financial viability                          40%       2.70       4.85        4.70  4.70               2.50             4.55      3.50
  Installed base                               30%       2.90       2.00        2.80  3.60               3.50             3.00      1.60
  Staff size                                   20%       3.30       3.60        2.10  5.00               2.10             3.80      3.00
  Strategic alliances                          10%       5.00       1.00        1.00  5.00               3.00             3.00      3.00

All scores are based on a scale of 0 (weak) to 5 (strong).
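The published category scores in Figure 2 are the weighted means of the criterion subscores under Forrester’s weightings, and the report encourages readers to re-weight the criteria to match their own priorities. The following Python script is an added example, not part of the report or of Forrester’s Excel tool: it transcribes the subscores and weightings from Figure 2, confirms that the published category scores reproduce from the subscores to rounding, and re-ranks the vendors on current offering under a constructed weighting profile. That profile (SECURITY_CO_WEIGHTS) is an assumption for illustration only, chosen the way an IT-risk or security team might weight event and loss management, technical functionality, and domain support above policy tooling; Forrester recommends no such profile.

```python
"""Re-weight the Forrester Wave GRC Q3 2009 subscores (added example).

Subscores and Forrester's weightings are transcribed from Figure 2; the
"security" weighting profile below is a constructed assumption, not Forrester's.
"""

# Criteria in Figure 2 order with Forrester's recommended weightings (percent).
CURRENT_OFFERING = [
    ("Policy and procedure management", 20), ("Risk and control management", 20),
    ("Event and loss management", 20), ("GRC management and analytics", 20),
    ("Technical functionality", 10), ("GRC domain support", 5),
    ("Client reference scores and feedback", 5),
]
STRATEGY = [
    ("Company strategy and vision", 30), ("Product strategy and vision", 25),
    ("Value proposition for corporate governance", 15),
    ("Value proposition for ERM", 15), ("Value proposition for corporate compliance", 15),
]

# Published subscores per vendor: (current-offering subscores, strategy subscores).
SUBSCORES = {
    "Archer Technologies":     ([5.00, 2.80, 4.70, 2.95, 4.90, 3.40, 4.70], [3.00, 3.20, 1.80, 2.30, 3.30]),
    "AXENTIS":                 ([5.00, 2.80, 4.00, 2.75, 3.95, 4.00, 4.70], [4.40, 3.70, 2.60, 2.50, 5.00]),
    "BWise":                   ([3.60, 4.40, 4.40, 4.35, 3.40, 4.20, 3.95], [4.30, 4.40, 4.50, 4.10, 3.00]),
    "Cura Software Solutions": ([2.40, 4.00, 3.90, 3.40, 3.40, 3.60, 4.60], [3.30, 4.50, 2.20, 4.10, 2.60]),
    "MEGA":                    ([2.60, 3.30, 3.10, 3.55, 2.45, 3.20, 3.75], [3.00, 2.40, 2.20, 2.10, 2.60]),
    "Methodware":              ([1.00, 3.60, 3.80, 3.05, 2.50, 2.60, 3.75], [3.30, 2.50, 1.00, 3.60, 1.80]),
    "MetricStream":            ([4.60, 3.30, 4.20, 3.70, 3.70, 4.00, 4.00], [4.40, 3.90, 2.50, 2.50, 4.00]),
    "OpenPages":               ([4.00, 4.30, 4.10, 3.90, 4.60, 4.60, 4.25], [4.70, 3.50, 3.00, 3.80, 3.00]),
    "Protiviti":               ([2.40, 3.60, 3.00, 3.00, 2.90, 3.40, 4.15], [3.40, 2.60, 3.30, 2.50, 2.20]),
    "SAI Global":              ([1.40, 2.10, 1.90, 2.15, 2.10, 2.60, 3.65], [3.20, 2.00, 2.70, 2.20, 4.00]),
    "SAP":                     ([1.40, 3.10, 2.70, 2.15, 2.20, 2.00, 3.75], [2.90, 3.60, 3.50, 1.80, 2.10]),
    "Strategic Thought Group": ([2.00, 3.80, 4.40, 3.20, 2.65, 3.40, 3.45], [4.40, 3.90, 2.90, 4.20, 1.60]),
    "Thomson Reuters":         ([4.20, 3.80, 3.00, 3.55, 3.90, 3.80, 4.05], [4.00, 4.80, 3.80, 2.10, 4.00]),
    "Trintech":                ([1.40, 2.70, 2.40, 2.20, 2.80, 2.40, 4.10], [3.00, 3.60, 4.30, 1.30, 1.60]),
}

# Published category scores (current offering, strategy), to check the arithmetic.
PUBLISHED = {
    "Archer Technologies": (3.99, 2.81), "AXENTIS": (3.74, 3.76), "BWise": (4.10, 4.13),
    "Cura Software Solutions": (3.49, 3.45), "MEGA": (3.10, 2.54), "Methodware": (2.86, 2.58),
    "MetricStream": (3.93, 3.65), "OpenPages": (4.16, 3.76), "Protiviti": (3.07, 2.87),
    "SAI Global": (2.03, 2.80), "SAP": (2.38, 2.88), "Strategic Thought Group": (3.29, 3.60),
    "Thomson Reuters": (3.69, 3.89), "Trintech": (2.35, 2.88),
}


def weighted_score(scores, weights):
    """Weighted mean of subscores; weights are percentages and must sum to 100."""
    if len(scores) != len(weights):
        raise ValueError("one weight per subscore")
    if sum(weights) != 100:
        raise ValueError(f"weights sum to {sum(weights)}, not 100")
    return sum(s * w for s, w in zip(scores, weights)) / 100


def category_scores(vendor, co_weights=None, st_weights=None):
    """(current offering, strategy) for one vendor under the given weightings."""
    co_weights = co_weights or [w for _, w in CURRENT_OFFERING]
    st_weights = st_weights or [w for _, w in STRATEGY]
    co, st = SUBSCORES[vendor]
    return weighted_score(co, co_weights), weighted_score(st, st_weights)


def check_published(tolerance=0.006):
    """Vendors whose published category scores differ from the weighted subscores."""
    mismatches = []
    for vendor, (pub_co, pub_st) in PUBLISHED.items():
        co, st = category_scores(vendor)
        if abs(co - pub_co) > tolerance or abs(st - pub_st) > tolerance:
            mismatches.append(vendor)
    return mismatches


def rank(co_weights=None, st_weights=None):
    """(vendor, current offering, strategy) rows sorted by current offering, then strategy."""
    rows = [(v, *category_scores(v, co_weights, st_weights)) for v in SUBSCORES]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


# Constructed profile for an IT-risk or security buyer (assumption, not Forrester's):
# event and loss management, technical functionality and domain support weighted up,
# policy tooling weighted down. Must still sum to 100.
SECURITY_CO_WEIGHTS = [5, 20, 25, 15, 20, 10, 5]

if __name__ == "__main__":
    print("published scores reproduce from subscores:", not check_published())
    for label, weights in (("Forrester weightings", None), ("security profile", SECURITY_CO_WEIGHTS)):
        print(f"\nCurrent offering ranking, {label}:")
        for vendor, co, st in rank(weights):
            print(f"  {vendor:<24} {co:.2f}  (strategy {st:.2f})")
```

Running the script prints the consistency check (all 14 vendors reproduce within rounding, which confirms the weighting scheme read from Figure 2) and both rankings. Under the constructed profile OpenPages and BWise stay on top, but Cura moves ahead of AXENTIS: the kind of shift the report’s advice to re-weight the criteria is meant to surface before a shortlist is drawn up.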


VENDOR PROFILES

Leaders Show Strength In All Technical GRC Components And An Ability To Execute Strategy

· AXENTIS. A perennial Leader in the GRC space, AXENTIS exhibits especially strong competitive advantages in criteria related to compliance, with top scores for policy and procedure management as well as its value proposition for corporate compliance. Compared with other Leaders, its capabilities for risk and control management are not as strong. AXENTIS continues to be one of the few GRC vendors to offer a true single-instance, multitenant software-as-a-service (SaaS) delivery model. The company typically targets fewer, more comprehensive GRC deals than most of its competitors, with many deployments reaching tens of thousands of users as well as partners. Customer satisfaction scores for AXENTIS were among the highest of any vendor. Overall, however, the company’s revenues and customer base make it one of the smaller GRC platform leaders in the market.

· BWise. The BWise platform remains one of the most impressive products in the GRC platform market, with strong technical capabilities in all the categories evaluated. Additional functionality for board and entity management as well as proprietary process modeling features are unique among the GRC platform leaders. Risk and control management was the strongest technical category for BWise, although the platform earned strong scores in the other areas as well. The company’s value proposition for enterprise risk management (ERM) was among the highest of the vendors evaluated, and its value proposition for corporate governance earned top scores. BWise has a very strong customer base, two-thirds of which is headquartered in Europe. The company shows strong thought leadership and corporate strategy and continues to extend its global presence.

· MetricStream. MetricStream targets a wide range of GRC professionals, recently winning deals on the strength of its new audit management capabilities. With a substantial peer network and content delivered through its ComplianceOnline.com business, MetricStream presents a strong value proposition to compliance professionals. Policy and procedure management was its best category among the core technical GRC criteria. It is still one of the smaller GRC vendors in the market, but the company’s vision and capabilities across all major components of GRC are raising its ability to compete. The company may struggle to maintain its strong growth rate, however, as it competes more often with larger, more established vendors.

· OpenPages. OpenPages shows consistent leadership in both technology and strategy, and the company’s brand is still one of the most recognizable in the GRC market. Since the previous Forrester Wave of enterprise GRC, OpenPages has made some of the most significant strides in the overall functionality of its GRC platform, which earned strong scores in all areas evaluated. In the core technical current offering categories, its scores were especially high for risk and control management. OpenPages also earned top marks for its comprehensive and clear company strategy and vision. The company’s growth percentage in 2008 was low compared with its competitors; however, the company reports significant growth and progress in broad GRC deals as opposed to its historic focus on financial controls management implementations.

· Thomson Reuters. Thomson Reuters is a brand-new competitor in the GRC market, following its acquisition of Paisley in late 2008. Paisley was one of the top brand names in GRC and offered one of the industry’s premier audit management platforms as well. The Paisley GRC solution earned solid scores across all current offering categories, with especially strong improvement in policy and procedure management due to its OEM relationship with leading compliance management vendor QUMAS. The Thomson Reuters acquisition provides Paisley GRC customers with high value in compliance content and complementary applications in tax and accounting. This will pull the Paisley GRC products further into the realm of finance, but could potentially decrease their focus on other domains, such as operational risk management.

Strong Performers Have Proven Capabilities, Customer Successes, And Upward Momentum

· Archer Technologies. Archer is a newcomer to this evaluation of enterprise GRC platforms, having earned impressive scores as a Leader in the Forrester Wave of IT risk and compliance platforms in Q2 2008.3 The company further strengthened its position in the IT GRC market with its acquisition of top competitor Brabeion in early 2009. While all Archer customers have implemented the product to address some aspects of IT risk and compliance management, a number of impressive implementations for enterprise GRC functions at some of the world’s largest companies have earned the vendor a spot in this enterprise GRC evaluation as well. The Archer platform performed impressively in nearly all aspects of technical functionality, due in large part to the product’s flexibility. It earned top marks in policy and procedure management, very strong scores across the event and loss management criteria, and some of the highest customer reference scores. The company does not exhibit the same broad GRC strategy and vision as some of the Leaders, but it has established itself as a top vendor to watch.

· Cura Software Solutions. With some of the most substantial improvements since the previous Forrester Wave of enterprise GRC, Cura is well positioned among the Strong Performers to compete for comprehensive GRC deals. The company primarily targets enterprise risk management professionals, with strong thought leadership and product capabilities. The Cura platform performed well across all the current offering categories except for policy and procedure management. The company earned especially high marks for its product strategy and vision, with a strong road map of new product releases slated for 2009. A globally distributed customer base and large number of comprehensive deployments also stood out as strong points. Momentum was on Cura’s side in 2008, with the vendor showing strong growth and new customer numbers.

· MEGA. MEGA offers many unique advantages to customers as one of the few GRC platforms with a proprietary risk engine and a leading product in the business process analysis market.4 The company’s GRC and modeling suites are still not fully integrated, but together the two products offer impressive capabilities for mapping risks, controls, and policies to all aspects of the business. Policy and procedure management was something of a weak point for MEGA, but its capabilities for GRC management and analytics were strong compared with most competitors. We expect it will further leverage its size and diverse product offerings to compete more strongly against its GRC competitors.

· Methodware. The small and medium-size business (SMB) market is Methodware’s core target, and it has built an impressive global customer base in that segment. Methodware’s capabilities are geared toward enterprise risk management, with strong scores in both risk and control management and event and loss management. Policy and procedure management was an area of noticeable weakness, however. Forrester expects the company to retain its competitive advantage in the SMB market based on its pricing and customer successes, but it will have to strengthen its product road map to compete more directly for large enterprise GRC deals.

· Protiviti. Protiviti has built a strong name for itself as a consulting firm with expertise in the risk management field.5 The company has shown substantial improvement since the previous Forrester Wave of enterprise GRC, executing on a strategy to deliver solutions for broad GRC programs beyond just financial controls management. The product’s capabilities for audit management as well as risk and control management earned strong scores. Protiviti has tremendous resources and expertise to bring to its GRC offering, but it will have to improve its product road map and comprehensive GRC functionality even further to move up another level to the Leader category.

· Strategic Thought Group. Strategic Thought demonstrated the deepest capabilities for risk management among the vendors evaluated. The company’s compliance portal, built on SharePoint Services, has also helped increase its policy and procedure management capabilities to target compliance professionals. Broad use of other common Microsoft technologies improves the usability of the product, but the lack of integration between the compliance portal and the Active Risk Manager product was a negative in the usability category. Overall, Strategic Thought has the best value proposition for ERM, supported by a proprietary risk engine, strong thought leadership, and customers managing both the positive and negative aspects of risk. The company articulates a strong company strategy and vision, and its improved compliance capabilities move it closer to a position of GRC Leader.

Contenders Offer Value In Core Elements Of GRC And Will Improve With Further Integration

· SAI Global. SAI Global is a compliance content and service provider with a number of GRC product offerings. In addition to its GRC platform, the company offers a learning management system, an ethics hotline system, and a board management portal. Although the company did not earn strong scores in any category for its current offering, the eventual integration of these products and content will provide an impressive solution set, especially for governance and compliance professionals. While the company also distributes risk content, including the AS/NZS 4360 standard, the product will need more sophisticated risk quantification and analytics to compete for more comprehensive GRC deals.

· SAP. SAP’s GRC Suite consists of four core applications: Access Control, Global Trade Services, Process Control, and Risk Management. The company has primarily focused on helping customers improve segregation-of-duties controls in existing SAP implementations, but the flexibility of the Process Control and Risk Management applications helps it target a wider range of GRC deals. Risk and control management is the GRC Suite’s strongest area of technical capability overall, and policy and procedure management is its weakest. Upcoming product releases and further integration among the GRC Suite applications will add substantial value for customers. SAP has taken a unique approach to the GRC market compared with the other vendors evaluated, with greater focus on automated controls and less focus on documentation. The company’s vision of GRC is somewhat narrowly centered on its existing product capabilities; however, the company presents an impressive product road map that will further increase its broad GRC value. Large investments from top consulting firms that partner with SAP are also evidence of the company’s market potential.

· Trintech. Trintech entered the GRC market with its acquisition of Movaris in early 2008, a move that complemented the company’s existing financial process management applications. The company currently offers a strong value proposition for professionals responsible for financial compliance, and it plans additional integration among these applications that will bolster the product offering even more. Trintech has historically focused its product strategy on the financial compliance market, although lately it has started to target and win deals for broader GRC as well. Trintech will need additional content and functionality, however, before it can compete successfully against the top GRC vendors for these deals on a regular basis.

SUPPLEMENTAL MATERIAL

Online Resource

The online version of Figure 2 is an Excel-based vendor comparison tool that provides detailed product evaluations and customizable rankings.

Data Sources Used In This Forrester Wave

Forrester used a combination of three data sources to assess the strengths and weaknesses of each solution:

· Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation criteria. Once we analyzed the completed vendor surveys, we conducted vendor calls where necessary to gather details of vendor qualifications.

· Product demos. We asked vendors to conduct demonstrations of their product’s functionality. We used findings from these product demos to validate details of each vendor’s product capabilities.

· Customer reference surveys. To validate product and vendor qualifications, Forrester also conducted reference calls with at least five of each vendor’s current customers.

The Forrester Wave Methodology

We conduct primary research to develop a list of vendors that meet our criteria to be evaluated in this market. From that initial pool of vendors, we then narrow our final list. We choose these vendors based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have limited customer references and products that don’t fit the scope of our evaluation.

After examining past research, user need assessments, and vendor and expert interviews, we develop the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria, we gather details of product qualifications through a combination of lab evaluations, questionnaires, demos, and/or discussions with client references. We send evaluations to the vendors for their review, and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies.

We set default weightings to reflect our analysis of the needs of large user companies — and/or other scenarios as outlined in the Forrester Wave document — and then score the vendors based on a clearly defined scale. These default weightings are intended only as a starting point, and we encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool. The final scores generate the graphical depiction of the market based on current offering, strategy, and market presence. Forrester intends to update vendor evaluations regularly as product capabilities and vendor strategies evolve.

ENDNOTES

1 Forrester evaluated leading IT risk and compliance software vendors across 88 criteria through scripted product demonstrations and found that Agiliance, Archer Technologies, and Brabeion have established early IT risk and compliance leadership thanks to their workflow, risk, and compliance management capabilities and product strategy focus. Vendors CA, Modulo, Relational Security, and Symantec are Strong Performers but lack either key risk management capabilities or breakout product strategies. eIQnetworks still has work ahead but is successfully making the transition from an enterprise security management vendor to an IT risk and compliance vendor. Overall, Relational Security has the most balanced IT risk and compliance capabilities, Archer the strongest strategy, and Symantec the dominant market presence. See the June 30, 2008, “The Forrester Wave™: IT Risk And Compliance Software, Q2 2008” report.

2 At a time when the global business community struggles to enhance internal controls and maintain long-term viability, improvements in governance, risk, and compliance (GRC) programs can be well worth the investment. Technology plays an integral role in the success of such programs by providing much-needed consistency, efficiency, and insight. But as software vendors target the growing GRC market, it becomes increasingly difficult to distinguish what they offer. Forrester’s GRC Technology Ecosystem provides a foundation for identifying how various GRC technologies fit into existing programs and the important roles they can play. See the February 3, 2009, “The GRC Technology Puzzle: Getting All The Pieces To Fit” report.

3 Forrester evaluated leading IT risk and compliance software vendors across 88 criteria through scripted product demonstrations and found that Agiliance, Archer Technologies, and Brabeion have established early IT risk and compliance leadership thanks to their workflow, risk, and compliance management capabilities and product strategy focus. Archer is the strongest of the Leaders in terms of compliance functionality. Archer comes out ahead in overall vision and product strategy due mainly to key technology partnerships. For market presence in this group, Archer gets the overall top spot due to its install base. See the June 30, 2008, “The Forrester Wave™: IT Risk And Compliance Software, Q2 2008” report.

4 In this second release of Forrester’s assessment of enterprise architecture and business process analysis (BPA) tools, Forrester assessed nine leading vendors in a 93-criteria evaluation. We found that IDS Scheer, Casewise, MEGA, Metastorm, and Troux Technologies lead the pack for general EA tool usage. For the more specific IT planning usage category, these Leaders are joined by the most powerful vendor in this specific category: alfabet. The Leaders are followed by: IBM, a Strong Performer in all three categories; iGrafx, a Strong Performer in the business process analysis category and the general EA category; and Sybase, a Contender in all three categories. See the January 7, 2009, “The Forrester Wave™: Business Process Analysis, EA Tools, And IT Planning, Q1 2009” report.

5 Forrester evaluated the risk consulting market across approximately 80 criteria and found that Deloitte, KPMG, and PricewaterhouseCoopers are the top Leaders in end-to-end risk consulting because of their comprehensive service offerings and thought leadership. Ernst & Young is solid in these areas but plays most competitively in enterprise risk strategy engagements. Oliver Wyman and Protiviti are significant Leaders when it comes to risk organization and process design. BearingPoint and IBM enter the leadership fray with the deepest technology development and systems integration to embed risk into business applications. See the June 25, 2007, “The Forrester Wave™: Risk Consulting Services, Q2 2007” report.

Forrester Research, Inc. (Nasdaq: FORR) is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. Forrester works with professionals in 19 key roles at major companies providing proprietary research, consumer insight, consulting, events, and peer-to-peer executive programs. For more than 25 years, Forrester has been making IT, marketing, and technology industry leaders successful every day. For more information, visit www.forrester.com.

Research and Sales Offices: Australia, Brazil, Canada, Denmark, France, Germany, Hong Kong, India, Israel, Japan, Korea, The Netherlands, Switzerland, United Kingdom, United States. For a complete list of worldwide locations, visit www.forrester.com/about.

Headquarters: Forrester Research, Inc., 400 Technology Square, Cambridge, MA 02139 USA. Tel: +1 617.613.6000. Fax: +1 617.613.5000. Email: [email protected]. Nasdaq symbol: FORR. www.forrester.com

Making Leaders Successful Every Day

47911

For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.