
WAVE REPORT

The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q3 2021
The 15 Providers That Matter Most And How They Stack Up
September 22, 2021

Alla Valente

with Amy DeMartine, Isabelle Raposo, Peggy Dostie

Summary

In our 25-criterion evaluation of governance, risk, and compliance (GRC) platform providers, we identified
the 15 most significant ones — Archer (an RSA business), AuditBoard, Camms, Diligent, IBM, LogicGate,
LogicManager, MetricStream, NAVEX Global, OneTrust, Reciprocity, Riskonnect, SAI Global, ServiceNow,
and Workiva — and researched, analyzed, and scored them. This report shows how each provider
measures up and helps risk and compliance professionals select the right one for their needs.


GRC Platforms Help Firms Take On The Right Risks And Improve Resilience
In a business world characterized by interconnectedness, complexity, and uncertainty, GRC
platforms are a risk manager’s Swiss Army knife for protecting the brand and bottom line. If there
was any doubt that today’s GRC platforms have evolved beyond workflow-enabled document
repositories for automating compliance checklists, the confluence of risks and disruptive events
surrounding the COVID-19 pandemic has shattered that fallacy.

Right now, firms are under extreme pressure to mitigate emerging risks, innovate at breakneck
speed, keep pace with changing regulatory requirements, identify areas for growth, and shift to
digital business practices. And risk professionals lean more heavily on their GRC platforms to drive
faster and better strategic decisions; support detailed and timely analysis on the impact of risk on
multiple areas of the business; and provide insight and agility required for business resilience.
Today, 59% of risk and compliance pros cite risk visibility and transparency as a key driver for
investing in GRC, according to the data from our customer references.

As a result of these trends, GRC customers should look for providers that:

About Forrester Reprints https://go.forrester.com/research/reprints/


Are dedicated to platform flexibility and usability. For risk and compliance pros to navigate risk
and help steer their business through the changing dynamics, they must have greater control
and wider adoption of their GRC technologies. According to the customer references, platform
flexibility (the ability to make changes to process, workflow, and reporting) and ease-of-use are
the two most critical criteria when evaluating a GRC platform, even outweighing price. GRC
vendors that are dedicated to empowering administrators and engaging business users also
saw higher scores for overall business value among reference customers.

Prioritize integrations with internal and external tools. Risks are inherently dynamic and require
a combination of assessment results, internal data, external risk intelligence, real-time event
data, and predictive analytics to continuously monitor, review, and adapt to risk and threats. As
new sources of data become available to augment traditional GRC assessment data, risk and
compliance pros push vendors to create seamless integrations with these tools, not just for
better risk visibility to identify risks but also to enable workflow to triage, treat, and mitigate
them proactively.

Invest in frictionless reporting and visualization. There’s a risk management saying: “If a GRC
process has been completed but you can’t report on it, did it actually happen?” To influence
decisions, satisfy regulators, and demonstrate ROI of GRC efforts to executives and board
members, risk and compliance pros must report on and visualize status, process, and trends.
Sadly, for nearly a quarter (24%) of GRC end-user reference customers, reporting capabilities
of their current platform don’t meet their expectations — nearly double (13%) what we saw in
The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q1 2020. Platforms that
combine out-of-the-box (OOTB) reports with ease and flexibility for users to edit or create their
own empower their customers to tell a contextual and tailored risk narrative for their business.

Evaluation Summary
The Forrester Wave™ evaluation highlights Leaders, Strong Performers, Contenders, and
Challengers. It’s an assessment of the top vendors in the market and does not represent the entire
vendor landscape. You’ll find more information about this market in our reports including the Now
Tech: Governance, Risk, And Compliance Platforms, Q2 2021, and the adjacent market in The
Forrester Wave™: Third-Party Risk Management Platforms, Q4 2020.

We intend this evaluation to be a starting point only and encourage clients to view product
evaluations and adapt criteria weightings using the Excel-based vendor comparison tool (see
Figure 1 and see Figure 2). Click the link at the beginning of this report on Forrester.com to
download the tool.

Figure 1: Forrester Wave™: Governance, Risk, And Compliance Platforms, Q3 2021

Figure 2: Forrester Wave™: Governance, Risk, And Compliance Platforms Scorecard, Q3 2021

Vendor Offerings
Forrester included 15 vendors in this assessment: Archer (an RSA business), AuditBoard, Camms,
Diligent, IBM, LogicGate, LogicManager, MetricStream, NAVEX Global, OneTrust, Reciprocity,
Riskonnect, SAI Global, ServiceNow, and Workiva. Archer and NAVEX Global opted not to
participate and are included as nonparticipating vendors due to their market presence (see Figure
3).

Figure 3: Evaluated Vendors And Product Information

Vendor Profiles
Our analysis uncovered the following strengths and weaknesses of individual vendors.

Leaders

Workiva tackles GRC’s data problem head on, yet audit/SOX is still their sweet spot. Workiva
might be best known for business data management and reporting but can support GRC use
cases as well as any traditional GRC vendor. Its straightforward mission to “simplify complex
work” aims to solve GRC’s greatest pain points of collaboration, reporting, and benchmarking.
It does so with a single-license commercial model with unlimited user access to anyone in the
organization, a focus on connecting financial and nonfinancial data for collaboration and
reporting, and a GRC center of excellence that can benchmark customers’ utilization and value
metrics against other Workiva customers. Workiva’s strengths include a productivity suite that
can upload documentation in its native format through copy and paste, and “autonomous
workflow” that recommends remediation and compensating controls based on historical data.
However, there is no dedicated incident management module, and third-party risk
management is the vendor’s least-mature offering. While it has been slow to invest in AI/ML
capabilities relative to other vendors, the newly released audit analytics capability should put
Workiva on par with the market. Customers praised speed of implementation but cited cost
and complexity of implementation as areas for improvement. Workiva is a good fit for firms
with a controls-centric approach to GRC, or those in industries with data-heavy requirements
such as financial services, energy, government, healthcare, and manufacturing.

OneTrust stakes a claim to GRC by prioritizing solution breadth over platform depth. OneTrust
debuted its GRC platform with a mission to help customers, employees, and partners leverage
trust to solve complex, cross-functional business problems. An ambitious growth strategy is
supported by aggressive hiring, rapid product development, and a flurry of M&A activity,
including recent acquisitions of Integris, DocuVision, and Convercent. Its philosophy to never
lose on price comes with a “try before you buy” free version of the platform with limited
capabilities or a 30-day trial of the full platform. OneTrust’s platform leverages a single code
base and common UI to support all standard GRC use cases, plus third-party risk, ethics, ESG,
data governance, and privacy, placing it among the most comprehensive platforms in this
evaluation. Innovations including AI and robotic automation help onboard customers quickly,
drive regulatory change management, and provide control suggestions but stop short of
enhancing risk identification, classification, or workflow. The platform lacks risk-centric
dashboards and reports and mature risk management features such as correlation, impact
analysis, and forecasting. Customers appreciate the scalability and ease of integration but
underscore the need for a flexible risk model. OneTrust is a solid choice for customers just
starting their GRC journey, those that prioritize compliance over risk, and firms already
leveraging OneTrust’s other products.

Strong Performers

ServiceNow continues innovation, but new features come at a price. ServiceNow is a power
player in GRC due to its combination of strategy, execution, and innovation, demonstrated by
launching new use cases (privacy and ESG), continued investment in user experience, growth
of its partner ecosystem, and acquisition of several AI/ML start-ups it plans to integrate in
2022. It has also streamlined the packaging and pricing of its GRC product down to three
SKUs (IRM, VRM, business continuity) with IRM sold at three tiers (standard, professional, and
enterprise). While this simplifies the purchasing process, it also restricts customers from
buying only the modules they need to support their use case and requires them to level up
from standard to professional to access features such as data analytics, which can become
expensive. Among its strengths are its strong IT risk, risk mitigation, and remediation
capability, and an NLP-enabled chatbot available on both desktop and mobile app that gauges
intent to direct users. Customers noted a greater degree of customization than anticipated
and the complexity of integrating GRC products with the vendor’s SecOps and other
applications. ServiceNow defers 90% to 95% of implementations to partners, which customers
describe as “hit or miss depending on the partner,” and this impacted the vendor’s scores for
implementation experience. ServiceNow is a good fit for firms leveraging its other products,
those looking for a complete GRC bundle versus individual modules, and those that are not
constrained by budget.

Diligent simplifies UX, reporting, but some customers still lean on the legacy app. This
Vancouver-based vendor, a product of ACL’s acquisition of Rsam in 2019, was acquired by
Diligent in 2021 (a governance software vendor that also purchased Steele, an ethics and
compliance platform) to create the largest SaaS GRC company — at least for now. Generally,
technology integration of ACL and Rsam has been successful, and many Rsam features were
replicated in ACL’s HighBond, but not all made the cut — specifically, ease of customizing
questionnaires and scoring, and many prebuilt connectors to security tools — forcing some
Rsam customers to retain the legacy app or use a combination of both. The vendor also has a
new CEO, and some of the Rsam experts responsible for product and customer success
have since left the company. Time will tell if this accelerates the vendor’s core GRC vision and
strategy or distracts from it. Diligent’s HighBond platform has many strengths, including
advanced capabilities in AI and RPA to automate workflow, slick dashboards, and ease of
creating meaningful visualizations. However, customers we spoke with were disappointed in
the lack of migration strategy, challenges of connecting data between the two platforms, and
limits on number of risks in the risk register, forcing some to create subregisters. Customers
confirmed that reporting is easier in HighBond but cited difficulty customizing questionnaires
and blending their data with HighBond content — which drives their decision to hold onto the
Rsam platform. Customers looking for a FedRAMP or DISA Impact Level 5 authorized platform
or those seeking a streamlined user experience with powerful reporting should consider
HighBond.

MetricStream doubles down on enhancements, but the platform is still services heavy.
MetricStream is on a quest with an aggressive growth strategy focused on market presence,
innovation, and customer engagement and is supported by new executive leadership, a new
brand, and an ambitious product roadmap with planned enhancements to features such as the
UI, risk quantification, and regulatory intelligence. Since the last Forrester Wave report, the
vendor has improved the quality of delivery and platform reliability. But much has changed in
GRC, and full-suite implementations with significant customization are the exception, not the
rule. MetricStream will need to balance innovation with simplicity to meet the needs of a
market leaning toward agility and user experience. MetricStream’s strengths include
integration and consistency across modules and multidimensional hierarchy for a global and
local view of the organization. The vendor remains strong in IT risk and uses AI/ML to support
a variety of use cases, although a minority of customers use the advanced capabilities.
Customers point to reporting as an area in need of improvement, citing insufficient flexibility,
interactivity, and extensibility of OOTB reports. Those with smaller teams find it expensive to
use the workflow manager and develop their own reports. MetricStream is good for firms
looking for a full GRC suite and that have the budget and resources to manage the feature-
rich platform.

IBM OpenPages includes a long-awaited GRC use case featuring Watson. IBM OpenPages is
an end-to-end GRC platform across the three lines of defense with a comprehensive offering
for ERM, audit, operational risk, and regulatory compliance. Until recently, the IBM OpenPages
with Watson was a marketing message rather than capability description, but its new
regulatory change management and natural language translator that translates application
text into various supported languages is now powered by the vendor’s famous asset. Although
IBM has made progress in multiple areas — a 30-day free trial of its regulatory compliance
product, alignment of GRC with IBM’s cloud business strategy, and long-awaited investment in
customer engagement programs — it faces an uphill climb to reclaim superiority in this market.
Much of OpenPages’ advanced analytics capabilities, including risk modeling, forecasting, and
scenario analysis, leverages sophisticated conditional logic. Even though the vendor’s “data
science in a box” is impressive, it requires resources with expertise in this area. AI/ML is not
leveraged meaningfully in support of all GRC use cases, and not to the same extent as other
vendors in this market. Reference customers still advocate for a more flexible and intuitive
interface, and are challenged by limitations of reporting and visualization, including their native
BI tool, Cognos. IBM OpenPages continues to be a good choice for firms with complex
operational risk and compliance requirements, especially those leveraging other IBM
products.

LogicManager differentiates with a nonmodular approach to GRC, lags in innovation. The
flexibility of LogicManager’s “modularless,” multitenant GRC platform offers the best value for
the money, but its “all-in” licensing, which includes ongoing professional services, data
retrofitting, and virtual training at no additional cost, hasn’t translated to leaps in market share.
The Boston-based vendor now offers three implementation tiers: the customer-led FastTrack,
ideal for SMBs; professional, for firms rolling out a few use cases; and enterprise, for larger
firms implementing the full GRC suite or those who want a bit more handholding through the
process. Although its market strategy is on par, the product roadmap, if executed, could give
LogicManager the much-needed boost with cohort-based benchmarks and suggestions from
“like-customers,” automated control monitoring, and enabling nonlicensed users to complete
tasks in the platform. Strengths include ability to bring in risk management information system
(RMIS) data for ERM, easy-to-use Vizio workflow editor, and visualization at no extra cost with
OpenTextBI that sits on top of the platform. However, the vendor has virtually no AI/ML
capabilities, lacks a mobile app, and needs to focus on building a strategic partnership
network. Echoing the sentiment of previous Forrester Wave reports, customers cite challenges
around reporting and want more integration options with external tools and better user
training at implementation. LogicManager is a sound choice for firms that prioritize
functionality over frills and those who are seeking a flexible platform but don’t want to sacrifice
customer support.

LogicGate is a GRC platform that’s good at everything but lacks differentiation. LogicGate is a
user-friendly, highly configurable tool that deploys quickly and allows users to build what they
need to meet changing market and business requirements. This vendor’s vision to elevate risk
and compliance to a strategic advantage is supported by a Graph database, Risk Cloud
Exchange, and as of July 2021, a Series C $113 million investment. The pricing model is
transparent, with five packages ranging from basic to professional, and bundles the number of
modules, users, success plan, and core integrations for a set price. Unlike other vendors, there
are no restrictions on which modules can be purchased together or additional tiers of
functionality that come at an additional cost. It forgoes an industry-specific market approach
for needs-based alignment based on company maturity and size. The current offering is good,
not great, but if it can execute in its aggressive product roadmap, LogicGate has the potential
to differentiate and compete with the larger players both on capabilities and strategy. Among
LogicGate’s strengths are a visual workflow editor, platform configurability, and cross-modular
integration; however, reporting is still evolving, visualization is basic, and there are reliability
and performance issues with the platform. Customer references request more integration
options, active directory integration, and autofill functionality among enhancements to
prioritize. LogicGate is a good fit for lean teams with few FTEs but that don’t want to sacrifice
platform configurability and control.

Camms’ feature-rich GRC platform is virtually unknown outside the UK, APAC. Showing
customers how GRC helps firms meet goals and influences business decisions and board strategy
is in Camms’ DNA. As the only APAC-headquartered vendor in this report, this Australian
company’s platform leans more toward ERM, but its well-balanced partner ecosystem of
content, intelligence, TVM, and SIEM/SOAR providers brings its IT risk capability on par with
others in this report. It differentiates with use cases like strategic and operational planning, risk
project management and execution, strategy mapping, and KPI scorecard for board reporting.
The workplace health and safety module is particularly timely. Plans for global expansion will
need to focus on brand-building, as Camms is virtually unknown in North America. Strengths
include flexible risk registers, risk mitigation and remediation, trend analysis reporting, and a
simple and intuitive UI. Integration with UIPath — an RPA tool — automates workflow and
requires customers to license directly from the third party, although Camms will do the
integration. The policy module is still on the roadmap, and customer references unanimously
identify rigidity and complexity of reporting as an area in need of improvement. Camms works
well for firms with enterprise risk and operational risk requirements, especially those seeking
to link risk to business strategy.

Contenders

Reciprocity laser focuses on midmarket CISOs but overlooks risk pros, enterprise firms. With
the launch of risk management capabilities in 2020, Reciprocity has entered the GRC market,
although its product, ZenGRC, self-admittedly focuses exclusively on IT risk. One of few GRC
vendors offering benchmark data, Reciprocity plans to launch an industry benchmark
information product at the end of 2021. ZenGRC is a cloud-native, streamlined, and user-
friendly platform whose average implementation takes just 45 days. The pricing model
focuses on number of users as a proxy for size of the organization to target midmarket firms or
organizations outgrowing spreadsheets as their GRC tool of choice. Primary use cases for the
platform are as a system of record for risks, controls, and assessments, to simplify security
audits, and as a risk register with enterprise and cyber risk assessments. Ease of use and
platform flexibility play a key role in making it an attractive option for infosec-led GRC teams;
however, to appeal to risk teams, Reciprocity will need more risk-based capabilities to balance
its controls-centric approach, risk scoring that can better accommodate use cases beyond
information security, and better risk mitigation and remediation workflow and reporting. The
platform has several strengths, including a highly intuitive UI that can be customized without
being too abstract, a relational data structure where users model aspects of their program and
map across programs, and a tags feature that works like a social media mention. However, the
API is limited, customer satisfaction around implementation and training were mixed, and
reporting came up several times as an area in need of improvement. Customer references
divulged that although innovation is trailing, the vendor’s responsiveness keeps them from
looking at other firms. Customers with IT risk requirements looking for simplicity and ease of
use should consider Reciprocity.

Riskonnect commits to customer experience but deprioritizes innovation. Riskonnect blends
an RMIS with GRC data and processes atop a Force.com platform to help customers improve
transformational resilience by connecting operational, strategic, and digital risks within their
enterprise. The vendor targets firms with large, dynamic risk exposures focusing on financial
services, manufacturing, healthcare, and retail organizations and wins multiuse case
opportunities especially when the organization wants to link risk, insurance, and GRC.
Riskonnect has doubled down on customer success and engagement with a series of
educational and networking events designed to foster collaboration and information sharing
and profiles risk all-stars within its customer community. The vendor trails in innovation, and
aside from a correlation engine, the platform’s few AI capabilities are still in beta; customers
revealed that the tool is not on the cutting edge of new ERM trends. Among its strengths are
Domo for insights and data visualization, the ability to map and contextualize
interdependencies of relationships, and the ability to assign criticality at the risk register level.
The vendor is light on IT risk and third-party risk. Other weaknesses include risk assessment
that lacks flexibility, basic reporting that needs an upgrade, and a product roadmap with
features that only get Riskonnect on par with the GRC market. The vendor is a good fit for
customers with ERM requirements or those seeking an RMIS combined with GRC.

NAVEX Global’s Lockpath offers flexibility if you’re looking to build GRC yourself. NAVEX
Global’s suite of GRC solutions is a result of acquisition and offered through three technology
platforms: NAVEX One, the legacy platform for ethics and compliance; Lockpath, acquired in
2019 for integrated risk management; and NAVEX ESG, acquired from CSRware in 2020. To
support core GRC requirements, customers must toggle between Lockpath’s operational and
IT risk, business continuity, compliance, and third-party risk modules, and NAVEX One’s third-
party due diligence, incident management, and policy management. This isn’t seamless, as
these are separate technologies with their own code base, but it doesn’t appear to impact
user experience, and users find the UIs intuitive. Still, the vendor lags in innovation and is slow
to adopt AI/ML capabilities on pace with the market. NAVEX’s Lockpath is a flexible,
configurable platform that customers can tailor to their specific needs and scale to meet new
or changing requirements. The content library of controls cross-mapped to multiple regulatory
frameworks and standards is robust and, overall, the platform is one of the more cost-effective
options for GRC. However, satisfaction with OOTB reports and dashboards, analytics, and
visualization leave room for improvement. Also, customers describe complexity of
implementation and wanting more/better guidance on how to set up the platform most
effectively from the get-go. Customers say this is offset by highly responsive support and
professional services teams. Price-conscious firms that don’t need prescriptive guidance, are
not put off by substantial configuration, or are looking to build custom GRC solutions should
consider Lockpath. NAVEX Global declined to participate in the full Forrester Wave evaluation
process.

Challengers

SAI Global pauses innovation while it completes long-overdue SaaS rollout. SAI’s GRC
solutions are a product of multiple acquisitions — Compliance360 in 2012, Strategic BCP in
2018, and BWise in 2019 — whose technologies are in different stages of integration. The
good news is that since the last Forrester Wave report, SAI has shifted its vision from bespoke,
on-prem solutions to an OOTB, SaaS offering and divested its Global Assurance business in
May 2021 to focus on its GRC and e-learning technologies. The bad news is that launching a
cloud offering in 2021 has SAI Global catching up and siphoned vendors’ attention away from
innovative and differentiated features in a crowded market. With its new pricing model
launched in May 2021, SAI solutions are packaged in four tiers, essentials, professional,
enterprise, and enterprise +, but only enterprise has an option for professional services, and
implementation is 100% of annual cost, making it among the highest-priced of the vendors in
this evaluation. Evaluation of SAI360 in this report focused on the product that was formerly
known as BWise and still has lingering references in product documentation and artifacts to
the BWise platform and wholly separate from the Compliance360 platform for healthcare orgs.
Strengths include a strong partner ecosystem, integration with Power BI and e-learning, and
helpful templates and suggestions for increasing usability and adoption. However, customer
references reveal that the product has too many interfaces, and response time for technical
issues and reporting remain shortcomings. This vendor is a fit for large enterprises, customers
that don’t require advisory and professional services, or those willing to spend in the top tier to
get the support.

AuditBoard’s positioning as a complete GRC platform is marketing gymnastics. Founded in
2014, this Los Angeles-based vendor combines industry expertise with modern UX and a
unified platform to improve collaboration around risk and compliance processes, boasting
25% of the Fortune 500 as customers. Calling it a complete GRC solution is a stretch. As the
name suggests, AuditBoard is a controls-based, audit-first product that wins over internal audit
and SOX teams with its sleek interface, workflow, and attractive value-based pricing model
that includes unlimited stakeholder users. The platform “built by practitioners” is a favorite
among firms looking for an OOTB approach to audit and compliance, but those seeking to
bundle IT or enterprise risk will be disappointed. AuditBoard is a streamlined platform for
workflow and collaboration with internally developed content for audit, but customers must
license the rest directly from UCF or other sources. Simply put, although the vendor has many
enhancements on the roadmap, most features would only bring it on par with the market.
Customers report that innovation is moving faster on internal audit than the rest of the product
and express disappointment with the vendor’s nonaudit readiness. This product is a good fit
for standalone SOX audit and compliance use cases or for customers who are budget
conscious and willing to sacrifice functionality for cost.

Archer, now just “an RSA business,” invests in risk quantification and not much else. Archer
could have been returned to its former glory as an IT GRC powerhouse when Dell divested of
RSA in 2020, but instead, its new owners — a private equity consortium — are not making the
right innovation investments in a highly competitive market filled with new entrants. It’s unclear
if RSA Security plans to spin off its GRC business as it did with its fraud and risk intelligence
business, but, having dropped RSA from its name, Archer is now trademarked as an RSA
business. Earlier this year the vendor launched Archer Insight, a suite of risk quantification
capabilities, and Archer Engage, a portal to communicate with internal and external
stakeholders and board members without having to add them as named users, but its core
GRC offering has a lot of work ahead to catch up with the streamlined and agile platforms.
Archer holds its own in policy management, incident management, and IT risk capabilities,
which are on par with the market. However, compared with other vendors, Archer’s customer
satisfaction scores with transparency, commitment to innovation, and responsiveness of
services/consulting teams are concerning. Customers highlight that administrator training isn't
sufficient for new developers, and that the retired reporting capabilities had more functionality
and should be brought back to the platform. The Archer platform works best for organizations
with dedicated, Archer-certified resources to manage the GRC program. Archer (an RSA
business) declined to participate in the full Forrester Wave evaluation process.

Evaluation Overview
We evaluated vendors against 25 criteria, which we grouped into three high-level categories:

Current offering. These 16 criteria allow us to assess the breadth and depth of each vendor’s
GRC platform capabilities. Each vendor's position on the vertical axis of the Forrester Wave
graphic indicates the strength of its current offering. Key criteria for these solutions include
risk assessment and control effectiveness, content delivery and mapping, risk correlation and
impact analysis, advanced capabilities such as AI, ML, and NLP, risk mitigation and
remediation, interoperability, workflow, reporting and visualization, and user experience.

Strategy. Placement on the horizontal axis indicates the strength of the vendors' strategies. We
evaluated the vendors’ GRC vision, market strategy and innovation, implementation approach,
product roadmap and ability to execute against it, approach to onboarding and
implementation, customer retention, partnership strategy, and customer engagement and
community.

Market presence. Represented by the size of the markers on the graphic, our market presence
scores reflect each vendor's share of the GRC market, based on number of customers, global
presence, and local languages capabilities to support a global customer base.

Vendor Inclusion Criteria

Forrester included 15 vendors in the assessment: Archer (an RSA business), AuditBoard, Camms,
Diligent, IBM, LogicGate, LogicManager, MetricStream, NAVEX Global, OneTrust, Reciprocity,
Riskonnect, SAI Global, ServiceNow, and Workiva. Each of these vendors has:

Breadth and depth to support a range of GRC use cases and advanced risk analysis. Every
vendor in this Forrester Wave has a substantial breadth of capabilities to address the needs of
risk and compliance professionals across industries, domains, and risk management use
cases. Additionally, these platforms provide advanced risk management capability to evaluate
the impact of risks on strategic objectives, performance goals, and business resilience.

Aligns GRC efforts of various business functions across the enterprise. These GRC platforms
have a cumulation of content, analysis, workflow, visualization, and reporting, supported by
predictive analytics, artificial intelligence, machine learning, and native integrations with
internal systems and external technologies to automate GRC efforts across a broad range of
risk domains, sectors, and vertical markets. We consider solutions that only offer some, but not
all, of these capabilities to be point solutions, not GRC platforms.

Mindshare, market presence, and relevance to the market. All vendors evaluated in this
Forrester Wave maintain at least 250 active customers as measured by individual logos, not
number of deployments, and had a minimum of at least $15 million in annual revenue from
their GRC offering as of fiscal year end of 2020. Inclusion in this Forrester Wave also means
that the vendor actively competes in the GRC market, showing up in competitive situations
and discussions among Forrester clients.

Supplemental Material
Online Resource
We publish all our Forrester Wave scores and weightings in an Excel file that provides detailed
product evaluations and customizable rankings; download this tool by clicking the link at the
beginning of this report on Forrester.com. We intend these scores and default weightings to serve
only as a starting point and encourage readers to adapt the weightings to fit their individual needs.

The Forrester Wave Methodology

A Forrester Wave is a guide for buyers considering their purchasing options in a technology
marketplace. To offer an equitable process for all participants, Forrester follows The Forrester
Wave™ Methodology Guide to evaluate participating vendors.

In our review, we conduct primary research to develop a list of vendors to consider for the
evaluation. From that initial pool of vendors, we narrow our final list based on the inclusion criteria.
We then gather details of product and strategy through a detailed questionnaire, demos/briefings,
and customer reference surveys/interviews. We use those inputs, along with the analyst’s
experience and expertise in the marketplace, to score vendors, using a relative rating system that
compares each vendor against the others in the evaluation.

We include the Forrester Wave publishing date (quarter and year) clearly in the title of each
Forrester Wave report. We evaluated the vendors participating in this Forrester Wave using
materials they provided to us by June 7, 2021 and did not allow additional information after that
point. We encourage readers to evaluate how the market and vendor offerings change over time.

In accordance with The Forrester Wave™ And New Wave™ Vendor Review Policy, Forrester asks
vendors to review our findings prior to publishing to check for accuracy. Vendors marked as
nonparticipating vendors in the Forrester Wave graphic met our defined inclusion criteria but
declined to participate in or contributed only partially to the evaluation. We score these vendors in
accordance with The Forrester Wave™ And The Forrester New Wave™ Nonparticipating And
Incomplete Participation Vendor Policy and publish their positioning along with those of the
participating vendors.

Integrity Policy
We conduct all our research, including Forrester Wave evaluations, in accordance with the Integrity
Policy posted on our website.

© 2022, Forrester Research, Inc. and/or its subsidiaries. All rights reserved.

About Forrester Reprints https://go.forrester.com/research/reprints/
