Analyst firms provide value as well as harm to markets. What they define, model, and predict affects billions of dollars and influences the course of organizations of all sizes and industries. I’ve had a unique perspective on this during my nine years in the market research and analyst world and for seventeen years of professional life.
I have particular frustration with the major analyst firms (such as Gartner and Forrester) when it comes to governance, risk, and compliance (GRC) issues. This is particularly meaningful viewed through the lens of my seven years at Forrester Research, Inc. where I was a vice president, and was recognized as a “Top Analyst” the day before I resigned. I was the original analyst to define and model a market for GRC technology and consulting services.
Today’s release of The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 2009 made me throw my hands up in despair. I can see one organization after another making bad technology choices, based on where a vendor’s icon falls on an analyst’s graphic. My experience with this speaks for itself – I authored four Waves in my tenure at Forrester, two of them being the predecessor to this third-generation GRC Wave.
Before I get too critical, some positive thoughts: The Forrester Wave process is stronger than Gartner’s Magic Quadrant. The criteria for evaluation and measurement are much more transparent. I never had a vendor tell me they prefer Gartner’s process. I also have deep respect for Chris McClean, the author of the current GRC Wave. Chris and I have known each other for years. I trained Chris on GRC on his entry into Forrester, and my transition from Forrester went smoothly because we are like-minded. Chris is a respected thought leader on business GRC issues and solutions, particularly when it relates to Corporate Social Responsibility. However, Chris’ handicap, like mine was, is Forrester itself.
Further, several of the vendors in the Wave deserve their placement. I have respect and agreement for the leadership position of BWise, OpenPages, and Thomson Reuters. Axentis has the best policy management solution on the market, and a competitive investigations platform – though their high placement baffles me, as they do not come close to the others on deeper risk and audit management capabilities. However, MetricStream does surprise me in their leader position.
The current version of the GRC Wave concerns me because:
- It is out-of-date the day it is published. This particular Wave process took six months. Several of the platforms evaluated have new and improved versions on the market, some of which have been available for several months. The Wave process takes much too long to be relevant to buyers.
- The Wave criteria have not evolved. The GRC market and technology change rapidly. There was a significant difference in criteria between the first GRC Wave and the second, which I authored while at Forrester. This time, however, the criteria remain nearly identical to what I authored on the last Wave, despite how dynamic the market and technology have been during the last 18 months. In this new Wave, several vendors were hurt on their positions because they are moving beyond the box assigned to them by the Wave criteria. In the second Wave, I broke the Wave into four graphics to represent different areas of GRC – with vendors plotting differently, based on buyer needs. This latest GRC Wave should have expanded, not eliminated that feature. The Wave should have broken into several independent Waves to measure specific buyer roles of GRC solutions such as risk, audit, IT, finance, corporate compliance, and legal.
- It reaches the wrong audience. It is interesting to note that some vendors in previous GRC Waves are not in the current one – even when they scored high in the previous Wave. Why did they not participate? For a few it was because the Wave takes a tremendous amount of time and resources and reaches the wrong buyer. Companies like Compliance 360 and Mitratech are doing well reaching buyers who are not in IT, where Forrester is focused. In fact, some vendors report that reference to the previous Wave(s) did not come up with prospects and clients. This is one of two reasons why I left Forrester: They fail to reach the business buyer of GRC. Forrester is successful at reaching the IT-GRC buyer focused on IT risk and compliance issues, and to some degree the finance buyer. However, Forrester fails to get its research in front of enterprise buyers focused on risk, corporate compliance, legal, audit, quality, environmental, health and safety, and corporate social responsibility (which is Chris’ sweet spot).
- It misses major GRC vendors. It is alarming that the current Wave misses significant GRC vendors such as Oracle and CA, as well as smaller players such as Neohapsis (formerly Certus). Some declined because of bad timing; others, if I understand it correctly, were simply not invited. Oracle and CA are coming up regularly in competitive GRC deals – more so than several of the small and poorly performing players in the Contender and Strong Performer categories. Even if a vendor refuses to participate, Forrester still has a process to plot a vendor and note that they did not willingly participate in the Wave.
This is bad news for a GRC buyer. While it gives them some perspective of players in the GRC market, the perspective is out-of-date and incomplete. Specifically, beside the vendors that do not appear in the Wave, I feel the following are poorly represented:

Read full article by Michael Rasmussen, J.D.
Source: Corporate Integrity, 02.07.2009