The Absurdity That is EGRC


You may have heard that Gartner's latest Magic Quadrant for Enterprise GRC (EGRC) was released this month (see a summary here, or go buy a full copy over here). There have been a ton of press releases and media coverage since Gartner's announcement, as well as some interesting responses. However, if you look at the MQ graphic itself, what you'll find is a melange of random tech companies providing solutions in a wide range of areas that may or may not qualify as "EGRC."

According to their summary report, Gartner says that they define EGRC around four (4) key functions: risk management, audit management, compliance and policy management, and regulatory change management. However, as much as this might sound like a coherent set of criteria, their application of this definition is odd and inconsistent. For example, SAP and SAS both show up in the "Leaders" quadrant, yet SAS appears to barely meet these four functions, and certainly not in the comprehensive way you might expect, and SAP is even weaker at meeting these criteria (their "EGRC" solution is just one plugin module in their overall ERP framework). In both cases you would be far more likely to look to these technologies for financial risk management, and not for enterprise risk management. It's rare to encounter either of these products in the GRC RFPs and bake-offs we're seeing every month, and yet they're supposedly "Leaders" in the space? The same can in fact be said for 7 of the 9 products listed in that quadrant; they're simply not seen in routine GRC competitive situations much, if at all.

Michael Rasmussen, who by most accounts invented the "GRC" moniker to describe the market space, has posted a vitriolic rant about this latest Gartner report, highlighting many of the discrepancies that the report and associated research process contain. Of his complaints, I think the most important one is that the report is "a mile wide and an inch deep." In his retort, French Caldwell (co-author of the MQ report) even agrees that this is a shortcoming of the process and market space. This is curious to me... if you, as the authoring analyst, realize that you've defined the space too broadly, why would you then move forward with publishing a report at all? It seems to me that EGRC is ripe for re-segmenting, such as around Financial GRC, Legal GRC, etc.

The Core Problem

At the heart of the matter is this: The report doesn't make sense and isn't useful for differentiating products! Just looking at the "Leaders" quadrant, are prospective customers really expected to compare SAP vs. SAS vs. bWise vs. RSA Archer vs. MetricStream?! Let's be really, truly honest here... just this quadrant alone is woefully inconsistent and incoherent. Unlike the IT GRC Magic Quadrant (a new market scope is expected out by end of year, with a new MQ out early next year), or the similar Forrester Wave for IT GRC, where we at least have a reasonably clear understanding of the types of data and functionality involved, as well as the placement in IT and executive reporting, EGRC has no clear sense of space or placement. Who are the customers and stakeholders? What business requirements are being met? What problem is being solved?

Perhaps most disconcerting about Gartner's report is that it effectively misrepresents the capabilities of products that aren't even necessarily competing in the same space. For example, if you're looking to do better financial governance and risk management, you would almost certainly look to SAP or SAS or a similar company, and not to one of the providers who also have strong roots within IT GRC. On the other hand, if you're looking for a platform to aggregate, report on, and manage enterprise risk management across the board, then you might have cause to look more broadly. However, ultimately it's going to depend on business requirements and - more importantly - business stakeholders.

One Platform to Rule Them All?

One thought that this situation brings to mind is whether or not the end goal is to have one GRC platform to "rule them all" (so to speak). At the end of the day, do you need or want a single GRC solution to which everything is aggregated, and from which all reporting is done? I'm not convinced that the answer here is "yes." Rather, I think what we're finding is that there is a limit to how far you can aggregate and reduce data into single reports or super-metrics (a point I speak to in a recent piece over on GovTech). Over-aggregating data into super-metrics is a dangerous practice that can obscure much-needed detail and insight. One need only look at the 2008 credit crisis to see the potential outcome of such practices.

Rather, I think it's far more logical to conclude that organizations (especially large orgs) will need 2-3 different platforms to help manage the different aspects of their business governance and risk management. For instance, a good segmentation could be Financial, Legal, and IT GRC, wherein all three are integrated to provide cross-feeds on key reports, but are targeted to different audiences (e.g., CEO, CFO, CIO, COO, General Counsel). There are ways to pull reports into disparate platforms (usually), which means that executives would not need to whine about having to log in to multiple systems, while the producers and managers of these datasets and reports could work within their respective systems to ensure that their respective areas of concern are properly managed. All of this is reasonable and rational; more so than defining some ill-fitting, nebulous area like Gartner has done with this absurd EGRC Magic Quadrant.

Not Really "Enterprise" Risk Management

Another key consideration here is whether any current "GRC" product truly does "enterprise" risk management (ERM). The short answer is: absolutely not! For a brief reminder, enterprise risk management is the overarching umbrella that includes all the subsets of risk management, such as financial, legal, credit, market, and operational risk (which itself includes IT/infosec/info risk). Today, no GRC solutions are really oriented toward aggregating these values up. More importantly, there's a strong case to be made that "enterprise risk management" is itself not an appropriate level of aggregation.

At the end of the day, business leaders are not looking for a single magic ERM number. Instead, they're looking at the next layer down to analyze datasets around each of the respective verticals. In this way, ERM serves to define a discipline, but it is not ideally intended as a roll-up reporting level. Moreover, reporting at this level would be irresponsible and deceptive. How can you effectively manage risk in your organization if all you're seeing is a single gauge? You certainly wouldn't steer a vehicle in this manner, would you? Imagine if your car only had one magic gauge, with no external visibility. Would you trust it? Of course not!

Closing Thoughts

The best advice I can give you here is this: Ignore this latest report from Gartner on EGRC; this Magic Quadrant is not helpful, and will only serve to generate considerable confusion going forward (in fact, it already has). It's very clear that "EGRC" is not a coherent, well-defined market space, and as such we need to stop perpetuating it. Instead, it is better to continue what was already started when IT GRC was spun off into its own space. Similar changes need to be made, such as spinning off Financial and Legal GRC, as well as possibly several other spaces, along with reasonable, coherent definitions of each of these spaces.

The challenge, however, will come in how to pull together all of these products. Toward that end, I think we need to go back to the drawing board. Each GRC sub-sector serves a valuable purpose, but we still need to see how they fit together in the big picture. I do not believe that there is, or should be, a single platform to rule them all. Instead, I believe that we need to find ways to integrate GRC platforms so that reporting can be cross-fed to provide the right views to each respective part of the business. Half of the challenge is getting reasonable reports created from various disparate - but related - datasets. The other half of the challenge is ensuring that we have not over-aggregated these datasets to the point of being meaningless super-metrics that obscure the truth about our environments (again, as reflected in the faulty risk models revealed in the fall-out of the 2008 credit crisis).

Toward this end, we need to stop perpetuating myths, such as "EGRC," such as single "how compliant are we?" reports/metrics, such as single super-metrics around enterprise risk, and so on. We have good tools in given spaces already; we need only improve how we bring them together. That should be our overarching directive in defining these markets, and not some farcical attempt to over-simplify and dilute one super-set market space, which results in an outcome like the 2012 EGRC MQ.

Just say no to EGRC and demand something better.


The question at the back of my mind now is: How then do we truly define the standards? From what I read here, it simply means there are no standards at all, and once the standards do not exist, then there is no way to even draw out a road map for a holistic GRC strategy that would encompass the various subsectors - Fin GRC, IT GRC etc.

I hope that it's not so dire. I think there is room - and need - to produce standard definitions within each of the appropriate spaces. Where I think things fall down is in believing that the enterprise is truly a pyramid structure, and that at the tippy top there is only one standard. Instead, I believe that there are really a couple to a handful of roles at the top, such as CEO, COO, CFO, GC. These people are really all peers, and the areas for which they're responsible are, in many ways, standardized (e.g., standard accounting practices, business management and governance standards, legal standards, operational management standards including operational risk management standards).

We should not over-aggregate to values that become less useful. We should only aggregate to the point where we can maximize reporting without losing value. EGRC and, really, ERM seem to me to be over-aggregating. You don't roll up all your risk analyses into a single magic number, right? Few, if any, decisions are made on a single value, but will consider financial risk, legal risk, and operational risk. That's really my main point in the post.

Thanks for the comment!

About this Entry

This page contains a single entry by Ben Tomhave published on October 15, 2012 9:58 AM.
