GRC Platforms Morph From Maslow’s Hammer To The Swiss Army Knife
Winston Churchill said it best — “Never let a good crisis go to waste” — and governance, risk, and compliance (GRC) vendors have heeded the advice not once but twice. In 2002, after the Sarbanes-Oxley Act, which was intended to protect investors from fraudulent accounting activities by corporations, vendors turned GRC technologies into a Maslow’s hammer of checkboxes, where every nail of risk could be pounded into place by more efficient compliance. Now, two decades and a global pandemic later, vendors are ready to let GRC platforms shine as the risk manager’s Swiss Army knife for balancing emerging risks with new opportunities and protecting the brand and bottom line.
The Forrester Wave™ Evaluation For GRC Platforms Is Live!
I’m excited to announce the publication of The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q3 2021, which looks at the 15 most important GRC platform vendors in the market today. To be sure, these platforms are very different from the legacy GRC tools that preached the gospel of “the compliance burden.” How so? Today’s GRC platforms manage enterprise, ecosystem, and systemic risks and align risk management to strategic goals and business objectives. What makes up a GRC platform has also changed over the years. Forrester defines today’s GRC platforms as:
Technologies that offer a cumulation of content, analysis, workflow, visualization, and reporting, supported by predictive analytics, artificial intelligence, machine learning, and native integrations with internal systems and external technologies to automate GRC efforts across a broad range of risk domains, sectors, and vertical markets.
For vendors, Forrester Wave evaluations are a tremendous amount of work. The process requires a level of preparation, dedication, and transparency that’s in no way trivial — and I would personally like to thank every vendor that participated in this research.
Three Interesting Findings Not In The Report
Beyond the full analysis in the report of where the GRC platform market is going and how risk pros can leverage the many features these platforms offer to execute on their business priorities, here are a few interesting findings from the Wave analysis:
- Flexible, easy-to-use interfaces are a differentiator. Setting up reporting, registers, and questionnaires that meet a specific organization’s needs should be possible out of the box, with limited services or support from the vendor required. Business value for GRC platforms is partly driven by empowering administrators while at the same time engaging business users.
- GRC pros are now looking for more than a GRC provider; they want a partner. Software development is no longer the differentiator it once was: Vendors can change the game for their customers by acting as a risk management partner. Saying “no” when a customer requests something that the software provider knows is a mistake is better for customer success than agreeing to every request, not worse.
- Risk is edging out compliance in terms of customer priorities. Fifty-nine percent of the risk and compliance pros who served as customer references for this research cited risk visibility and transparency as a key driver for investing in GRC. Customer references also mentioned “risk” nearly twice as often as “compliance” when describing their business priorities for their GRC platform.
For more on the GRC market and vendor capabilities, please check out the full evaluation, The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q3 2021, and schedule an inquiry to talk to me about it.