Key Criteria for Evaluating Governance, Risk, and Compliance Solutions v2.0

An Evaluation Guide for Technology Decision-Makers

Table of Contents

  1. Summary
  2. GRC Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take
  8. About Paul Stringfellow

1. Summary

Governance, risk, and compliance (GRC) is an approach to the assessment and measurement of business or operational risk. It includes the ability to report on what can and can’t be controlled and whether an organization is meeting its governance and compliance objectives. Accomplishing this level of sophistication, however, can be time-consuming and resource-intensive.

GRC software solutions provide an integrated suite of capabilities to help enterprises implement and manage their GRC programs. They are designed to help a company unify its approach to assessing, managing, and mitigating risk, and then using the results to guide stakeholders with information that supports better decision making.

Initially, these solutions served as a way of bringing together processes and a central repository for information required to meet GRC needs. However, the scale of such operations pushed solutions into developing capabilities to automate the process of discovery and assessment, to reduce the time and cost impact often associated with these functions.

The demand for solutions in this space will continue to grow, as will the functionality that is demanded of them. Organizations are increasingly aware of the importance of robust governance and compliance plans, but it is not just governance and compliance that is driving demand. Organizations also see the role that good processes and controls can play when it comes to resilience, agility, and threat management. This brings CIOs to the center of corporate decisions, which means they need to be able to quantify and accurately share the likelihood of threats manifesting and the cost of risk with all departments of a business and its leadership. Doing so accurately and efficiently is possible only with the appropriate tools.

Organizations continue to become more complex, and ensuring they have robust GRC management is essential not only to meet audit and regulatory demands, but also to ensure they are resilient and secure. This is not only important to an organization, it is also increasingly important to its customers and suppliers, who for their own GRC reasons must verify that everyone in their supply chain is meeting robust standards. Doing all of this manually, or not at all, is untenable for the modern organization. It must meet its GRC obligations, and finding the right GRC tools is an essential part of doing so.

The GigaOm Key Criteria and Radar reports provide an overview of the GRC market, identify capabilities (table stakes, key criteria, and emerging technology) and evaluation metrics for selecting a GRC solution, and detail vendors and products that excel. These reports give prospective buyers an overview of the top vendors in this sector and help decision makers evaluate solutions and decide where to invest.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.