This report contains Chartis’ updated view of the market and vendor landscape for enterprise governance, risk and compliance (EGRC) solutions, along with a brief summary of the key trends in this market1.
GRC is a diverse area of risk, and while its various sub-segments are united by a focus on process rules and controls, they are becoming increasingly standalone functional areas. Spending by financial institutions (FIs) on most areas of GRC is driven largely by business factors, such as boosting efficiency, improving the utilization of IT assets, and a desire to meet service-level agreements reached with third parties. The influence of regulation has been much more indirect – regulators rarely define specific rules for GRC subsegments, and even when they do (as in the case of the General Data Protection Regulation [GDPR]), they seldom provide details.
At Chartis we consider the main areas of GRC to be operational2 and conduct risk, model risk governance (MRG), internal audit management, third-party risk management (3PRM), and IT risk management (ITRM). Following our last update3, three GRC segments in particular – 3PRM, MRG and ITRM – have enjoyed considerable growth (in terms of actual spend and from a methodological and technological perspective). This has occurred across a variety of vendors: GRC vendors, vendors of operational risk quantification solutions, and vendors that focus on operations control.
Increasingly, FIs are diverting portions of their compliance budgets to analytics and quantification, and ongoing digitalization4 is progressively transforming the availability and type of data necessary for this to happen. In fact, the focus on quantification, in each of the sub-segments and across the overall GRC landscape, has been strong enough for us to call out a new sub-segment: ‘GRC analytics’.
This development highlights an interesting paradox. Traditional GRC analytics (i.e., operational risk quantification steered by regulation) has become much less important for FIs, and overall budgets allocated to it have fallen across the board. However, this decline has also been marked by a ‘renaissance’ in broad operational analytics (such as IT resiliency analytics, cyber risk quantification [CRQ], and settlement systems), enabled by digitalization. And as banks and FIs increasingly look for efficiency in the face of a regulatory-driven slowdown in profits, GRC analytics are increasingly moving to the heart of their strategic and operational planning.
Indeed, as firms have moved toward analytics, there has been a more general trend toward ‘quantifying everything’. Within this, FIs are developing an understanding of the financial trade-offs and performance analytics of operational processes, as well as process quantification and control in various operational areas. Quantification can even extend to areas including IT systems and networks, cyber risk, process risk (within operational risk), data privacy risk, and model risk quantification.
In light of the new growth framework, in which most of the growth is coming from areas traditionally considered outside the core GRC market, vendors must reconsider their offerings. Those that stick to their traditional GRC offerings risk missing out.
The quantification trend could be a big opportunity, although while large quantification budgets at FIs are a possibility in theory, in reality they may not always materialize. Vendors may also find themselves competing with FIs’ in-house development teams. Well-placed vendors will be able to offer expertise in areas where they have identified a high demand for quantification, and where they have sufficiently in-depth analytics.
For traditional platform GRC vendors, meanwhile, improving the depth of analytics can be challenging without significant investment or strategic acquisition.
Firms that service standard GRC requirements continue to dominate the vendor landscape. Traditional established GRC platform vendors’ core strength still tends to be in the area of GRC with which they initially specialized and penetrated the market.
Nevertheless, reflecting the trend toward integrated GRC, there is a continual and considerable effort to strengthen and expand competencies across the GRC landscape.
Finally, our 2019 update reveals a sparser vendor landscape, reflecting continued market consolidation.
To explain the structure of the market this report uses Chartis’ RiskTech Quadrant®. The RiskTech Quadrant® uses a comprehensive methodology of in-depth independent research and a clear scoring system to explain which technology solutions meet an organization’s needs. The RiskTech Quadrant® does not simply describe one technology solution as the best risk-management solution; it has a sophisticated ranking methodology to explain which solutions would be best for buyers, depending on their implementation strategies.
In this report we feature the following vendors of EGRC solutions: The Analytics Boutique, Aravo, BitSight, BWise (SAI Global), Chase Cooper, CIMCON, ClusterSeven, FIS, Governor Software, IBM, IHS Markit, MEGA, MetricStream, Refinitiv, RSA, SAS, Thomson Reuters, Wolters Kluwer and Workiva.5
We aim to provide as comprehensive a view of the vendor landscape as possible within the context of our research. Note, however, that not all vendors we approached responded to our requests for briefings, and some declined to participate in this research.
1 For definitions and a broader discussion of the GRC areas we cover in our research, please refer to our earlier GRC reports, such as ‘Enterprise GRC Solutions: Market Update 2017’.
2 Operational risk continues to decline sharply from a regulatory standpoint, as it undergoes a structural simplification. In our analysis we have double-counted operational risk in a regulatory context, as it is a component of both operational/conduct risk and GRC analytics.
4 The ability to represent every activity and process as a digital object or artefact. This is the main driver for quantification, since it allows vast quantities of data to be collected about every process.
5 Note that references to specific vendors within the text of this report do not constitute endorsements of their products by Chartis.