
Competitive Landscape: Integrated Risk Management

Published: 18 December 2019 ID: G00450383

Analyst(s): Elizabeth Kim

The integrated risk management landscape has been rapidly evolving. This has created greater urgency for technology and service providers to reevaluate how they are strategically positioned in the market and how to uniquely position themselves for the future.

Key Findings

Technology provider consolidation has accelerated over the past year. Risk management technology providers will continue to expand their capabilities through acquisitions to support the integrated risk management (IRM) mindset.

Risk management technology providers are adopting a more modular approach to IRM implementation by offering scalable product packaging and pricing that allows customers to gradually expand functionalities. The modular approach supports different customers in their respective risk management journeys.

For cybersecurity, delivering support for risk quantification models that are traditionally used for communicating operations risk is a short-term opportunity. Growing scrutiny on cyberexposures will drive demand for security-related business risk quantification beyond the banking, financial services and insurance (BFSI) vertical as a means for chief information security officers (CISOs) to improve risk communication in the mid to long term.

Risk management technology providers focused on providing visibility and assessment of risks in information security, privacy, resilience and new technology are emerging.

Recommendations

Technology and service providers in the risk management marketplace should:

Identify potential partnerships and integrations with technology providers that offer little or no overlap in capabilities, risk domain or the primary buyers of your solution.

centric, operation-centric and business-outcome-centric use cases. Additionally, take a modular approach to product pricing and packaging to accommodate the different use cases.

Assess your offering against the critical capabilities (including risk quantification and analytics capabilities) and the IRM vision of providing a set of capabilities supporting the integration of strategic, operational and tactical risk to align your product roadmap accordingly.

Evaluate current IRM solution in helping customers integrate and utilize data, such as tactical security vulnerability/threat assessment data, more effectively.

Table of Contents

Strategic Planning Assumption
Competitive Situation and Trends
The IRM Market Will Continue to Consolidate as Technology Providers Seek to Provide Support for Multiple Objectives and Risk Domains
More IRM Technology Providers Are Adopting a Modular Approach to Support Varying Levels of Customer's Risk Maturity
Risk Quantification Analysis Is a Growing Interest, but the Opportunity Outside the Financial Services Vertical Is More Mid to Long Term
IRM Vendor Landscape Will Be Impacted by Organizations' Need for Improved Visibility and Assessment of Emerging Risks
Competitive Profiles
NAVEX Global
SAI Global
References and Methodology
Gartner Recommended Reading

List of Figures

Figure 1. IRM Objectives and Risk Domains
Figure 2. Magic Quadrant and Critical Capabilities for IRM Solutions, 2019
Figure 3. IRM Software and Consulting Implementation Service Forecast
Figure 4. IRM Global Forecast by Region
Figure 5. IRM Technology Provider Consolidation, 2019

Strategic Planning Assumption

By 2021, 50% of large organizations will have two or more IRM use cases that leverage automated workflows through IRM vendors, up from 30% in 2017.

Analysis

To understand and manage the full scope of risk, organizations require a comprehensive view across business units and risk and compliance functions as well as key business partners, suppliers and outsourced entities. As a result, new technology solutions are emerging to increase the collaborative nature of risk management, inside and outside an organization.

Gartner defines IRM as practices and processes supported by a risk-aware culture and enabling technologies that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks. A key distinction in Gartner's definition of IRM is the integration with enterprise risk management (ERM) relating to strategic risks impacting operational and IT risk management objectives. IRM excludes the broader management of risks beyond operational and IT.

Figure 1 shows the current primary IRM objectives and risk domains. As IRM technology providers look to enhance their coverage of these objectives and risk domains, opportunities for consolidation and strategic partnerships continue to emerge (see "Top Use Cases and Capabilities for Integrated Risk Management").


Figure 1. IRM Objectives and Risk Domains

Figure 2 shows the IRM scope, critical capabilities and the use cases evaluated by Gartner in 2019 (see "Magic Quadrant for Integrated Risk Management Solutions" and "Critical Capabilities for Integrated Risk Management Solutions").


Figure 2. Magic Quadrant and Critical Capabilities for IRM Solutions, 2019

Gartner forecasts the IRM software market to grow at an 8% compound annual growth rate (CAGR) through 2023 to reach $6.3 billion (see "Forecast: Information Security and Risk Management, Worldwide, 2017-2023, 2Q19 Update"). Additionally, the total IRM solution spending, including consulting services and implementation services, is expected to reach $9.3 billion by 2023, representing a 9% CAGR. Figure 3 shows the IRM spending forecast.

While a significant portion of the current IRM spending is coming from North America, the IRM market is ripe for growth in other regions. Figure 4 depicts the current IRM spending and the projected growth by regions.


Figure 3. IRM Software and Consulting Implementation Service Forecast


Figure 4. IRM Global Forecast by Region

The impact of the growing adoption of IRM on the competitive landscape is threefold:

1. Net new technology providers entering the IRM market
2. Consolidation and expansion of IRM providers
3. Technology providers traditionally from outside IRM (and in niche areas such as security rating or privacy management) adopting an IRM use case and approach

Risk management technology providers need to closely analyze their existing competitors' strategic movements and better identify new competitors.

Competitive Situation and Trends

The IRM Market Will Continue to Consolidate as Technology Providers Seek to Provide Support for Multiple Objectives and Risk Domains

Risk management technology providers will continue to expand their capabilities to support IRM, and they will achieve this either organically or through acquisitions. Gartner has already observed technology vendors aggressively acquiring or partnering. This trend has accelerated especially in the past year, and market consolidation will continue for the near future. Figure 5 depicts examples of IRM technology providers that have expanded their capabilities across the spectrum of IRM objectives and risk domains via acquisition. Gartner views these acquisitions as helping technology providers address the following IRM objectives.

Performance and assurance - ACL acquired Rsam and rebranded to Galvanize to expand its capabilities beyond audit analytics and assurance to a greater focus on technology performance.

Performance and compliance - NAVEX Global acquired Lockpath to leverage its own ethics and compliance capabilities with a greater focus on technology performance.

Resilience and compliance - SAI Global acquired Nasdaq's BWise product set to grow its increasing IRM focus across the business continuity and technology risk domains into financial control and compliance.

Performance and resilience - ServiceNow acquired Fairchild Resiliency Systems to enhance capabilities around business continuity and operational resilience.

Figure 5. IRM Technology Provider Consolidation, 2019


More IRM Technology Providers Are Adopting a Modular Approach to Support Varying Levels of Customer's Risk Maturity

Organizations have different maturity and approaches to risk management. Not all organizations are ready to implement the full suite of IRM solution offerings. While most first-time buyers have a narrow requirement focused on a single risk domain or use case, the push to IRM is leading organizations to increasingly consider the roadmap of their broader risk management program in their vendor selection process. This has pushed technology providers to adopt a more modular approach to IRM implementation by offering scalable product packaging and pricing that allows customers to gradually expand functionalities in light of organizational changes or increasing risk maturity.

IRM technology providers are also focusing on user experience and user advocacy to drive more usage of the solution. They recognize that improvements in a solution's usability, along with an increasing number of regulations (and heavier fines) that impact a growing number of departments/lines of business (LOBs), will drive the growth of users in an organization. As one department shows success and satisfaction with a solution, other departments in that organization will look to the technology provider for additional capabilities. Organizations will scale the platform across multiple risk domains and/or departments/LOBs, and the increase in the average frequent-user base using IRM solutions, in addition to usability, will drive market expansion.

To accommodate a modular approach and increasing expected user volumes, some technology providers have shifted their pricing structure. Traditionally, the typical pricing model for IRM solutions has been per user, based on the type of user (core/admin users, casual/business users and infrequent/single-function users). Some technology providers have shifted to a pricing model that is determined by the number of employees. Here are a couple of examples of this pricing structure:

Per-employee pricing

Per-application pricing model, where the cost of application is determined by the number of employees in the customer organization

Product packages based on the maturity of an organization's risk management program (basic, intermediate and advanced), which includes the maximum number of users

Product packages based on the maturity of an organization's risk management program (basic, intermediate and advanced), with cost per month per employee

Risk Quantification Analysis Is a Growing Interest, but the Opportunity Outside the Financial Services Vertical Is More Mid to Long Term

One of the critical capabilities of integrated risk management is quantifying the associated risk exposure across the organization. Organizations in many industries (including banking, insurance and securities) want to measure risk on a quantitative basis in addition to the qualitative assessments. Some of the quantitative analysis is used to support capital calculation requirements driven by regulatory mandates, such as Basel III and the Solvency II Directive. Other quantitative analysis methods are used to develop more precise predictive models to determine the potential for certain operational risk events, such as fraud or theft.

For cybersecurity, delivering support for risk quantification models that are traditionally used for communicating operations risk is a short-term opportunity. Growing scrutiny on cyberexposures will drive demand for security-related business risk quantification beyond the BFSI vertical as a means for CISOs to improve risk communication in the mid to long term. Though Gartner has observed a significant increase in end-user client interactions around the topic of risk quantification in 2019 compared with 2018, it is growing from a small base.

Some sample technology providers that support risk quantification are Arx Nimbus, Axio, Emergynt, Nehemiah Security and RiskLens. There are some IRM technology providers that provide integration with these platforms. For example, ServiceNow integrates with RiskLens as does Dell Technologies (RSA).

IRM Vendor Landscape Will Be Impacted by Organizations' Need for Improved Visibility and Assessment of Emerging Risks

Organizations will increasingly recognize the need to gain greater visibility into their digital business operations as an important part of enabling their digital business transformation initiative. Because digital transformation is different for every organization, so is managing the risks arising from it. Delivering capabilities to manage emerging risks in information security, privacy, resilience and new technology requires customization and a mechanism for organizations to translate data into meaningful business risk and compliance metrics. The likely outcome is use of a generic IRM platform that is complemented with technology and services that provide visibility into different security vulnerability/threat assessment data or emerging risk assessment data.

Customers are increasingly interested in solutions that provide greater functionality related to information security and privacy. Hence, risk management technology providers are emerging that focus on supporting organizations around those specific risks. Examples of risk management technology providers that offer functionality specific to an area, such as aspects of privacy risk, are SureCloud and InnoSec. CyNation is an example of a risk management technology provider offering risk assessment of third parties and subsidiaries. Some examples of technology providers that focus on providing visibility and monitoring of security controls to report against security standards and frameworks, or to support broader compliance and audit efforts, are BAP PolicySecure, CyberSaint, Panaseer, and Resolver.

Competitive Profiles

This section is not intended to provide an exhaustive list of technology providers in the market, nor is it a list based on revenue, market share or number of customers. The technology providers highlighted in this section are examples of technology providers that appropriately reflect the key trends outlined in the above section. The list is in alphabetical order.

For additional insight into IRM technology providers, see "Magic Quadrant for Integrated Risk Management Solutions."


CyberSaint

Product or Portfolio Overview

CyberSaint's product is the CyberStrong platform, and it spans compliance management, IT risk management, vendor risk management, audit management and digital risk management. A vast majority of CyberSaint's customers are in North America, with some customers in EMEA.

How CyberSaint Competes

CyberSaint is an example of a technology provider that demonstrates a vision for addressing emerging risks associated with cybersecurity. Though addressing audit and compliance management, CyberSaint has a heavy focus on cybersecurity, and its vision is built around simplifying cybersecurity program management for customers, which makes CISOs of large enterprises its primary buyers. CyberStrong's primary use case is to provide customers with the compliance status of their assets, vendors or location for any framework or standard. As such, CyberSaint's pricing is based on the number of assessments against frameworks or standards such as NIST CSF, NIST SP 800-53, FedRAMP, FIPS, ISO/IEC, DFARS, NIST SP 800-171 and does not charge additionally for integration with third-party software. NERC-CIP, COBIT and CIS are some of CyberSaint's more popular frameworks, given its focus on energy and utilities, and oil and gas.

CyberSaint differs from some of the technology providers outlined in this report in that it is a newer and smaller provider, and also in the types of implementation it supports. CyberSaint's current "sweet spot" is large-scale projects that involve a high level of configuration or customization and that are delivered through CyberSaint and its partners, including Accenture, EY and Siemens. It has customer use cases in energy and utilities, defense and aerospace, and managed security services, which are relatively "greenfield" compared with verticals such as BFSI and healthcare, which are heavily penetrated. CyberSaint at times competes directly with established IRM technology providers and in other cases complements those solutions that already exist in its customers' environment.

Though CyberSaint faces challenges to scale due to its size, CyberSaint's innovation and agility, coupled with strong advanced analytics, have resulted in revenue growth. CyberSaint helps customers convert compliance mandates into control mappings and offers data aggregation and real-time visualization as well as continuous monitoring backed by visibility into risk on a per-control basis.

Galvanize

Product or Portfolio Overview

In February 2019, ACL completed its acquisition of Rsam. The combined entity has rebranded as Galvanize and completed its first phase of product integration as of May 2019, which included an API data bridge, executive dashboarding and storyboarding, and a unified user login and single sign-on (SSO) experience. Complete integration of the two products will take a couple of releases.


Galvanize offers two main products: HighBond and ACL Robotics. The HighBond platform offers 11 modules that address multiple risk domains. They are: RiskBond (risk management), ComplianceBond (regulatory compliance management), ControlsBond (internal controls management), AuditBond (audit management), FraudBond (fraud and corruption management), ITGRCBond (IT risk management), ThirdPartyBond (third-party risk management), PolicyBond (policy and training management), IncidentBond (incident reporting), CyberBond (threat and vulnerability management) and ContinuityBond (business continuity management).

How Galvanize Competes

Galvanize represents a case of two IRM technology providers bringing together their products and strengths to appeal to a broader spectrum of buyers and better compete in a wide range of IRM implementations that vary in size and complexity. The legacy ACL IRM solution was focused on internal audit; governance, risk and compliance (GRC); and data analytics and was traditionally sold largely into internal audit and compliance functions. Rsam's legacy IRM solution was focused on IT risk, incident response, vendor risk and business continuity management planning (BCMP) with core constituents aligned to IT and security buyers. The combined entity means a wider range of IRM functionality, geographic customer base and support. Galvanize has already reported several legacy Rsam customers migrating to the integrated product. Additionally, the merger allows Galvanize to be better positioned to compete on larger and more complex IRM projects.

The combined product also means more opportunity for each product to leverage the strengths of the other. For example, Galvanize is extending robotic automation, monitoring and analytics capabilities to Rsam IRM solutions. This includes cloud-only data processing that allows customers to run robotics in the cloud. Following the integration with ACL Robotics and Storyboarding functionality, legacy Rsam analysis of external data no longer requires the import of all external data into the IRM tool, which speeds up the deployment of automating data analytics activities. Analysis can now be performed from multiple internal and external sources, addressing common concerns around the impact of the increasing volume and velocity of data on IRM platform speed and performance. Galvanize has also expanded its ML commands with its ML TRAIN and PREDICT models and provides more data connectors including Rsam connector, SharePoint connectors, SSO-enabled SAP connector and RESTful APIs.

NAVEX Global

Product or Portfolio Overview

NAVEX Global provides a suite of products including PolicyTech (policy management), EthicsPoint (incident management), RiskRate (due diligence), NAVEXEngage (ethics and compliance training) and GRC Insights (analytics and benchmarking).

In August 2019, NAVEX Global announced its acquisition of Lockpath. Lockpath's offering includes Lockpath for integrated risk management and configuration assessment. The platform offers compliance and policy management, IT risk management, continuous security management (including continuous asset configuration assessment, file integrity monitoring, change detection and asset discovery), operational risk management (including incident management), audit management, vendor risk management, business continuity management, and health and safety management.

How NAVEX Global Competes

NAVEX Global is an example of a pure-play technology provider acquiring a broader risk management solution provider to expand into the IRM space. While the acquisition is still in its early days, the two technology providers have little overlap in product functionality and buyer profiles. NAVEX Global was traditionally an ethics and compliance management provider primarily serving legal and compliance leaders, while Lockpath sold to CISOs, compliance teams and chief risk officers. The strength of each technology provider is complementary to the other.

NAVEX Global complements Lockpath with its scale and large customer base. Traditionally, Lockpath did not have local and in-country resources to provide direct support to the more complex and globally distributed implementations. Additionally, its sales operations were largely limited to North America. NAVEX Global has a significant footprint with approximately 80% of its revenue being generated in the U.S. or by U.S.-based multinational companies and the remainder coming primarily from Europe.

Lockpath complements NAVEX Global by helping it better address the increasing number of organizations requesting a broader set of functionalities across multiple risk domains as customers adopt IRM. There are also opportunities for NAVEX Global to leverage Lockpath's strengths that are derived from incorporating customer feedback, most notably the simplicity and transparency of its pricing structure and the scalability to expand use cases as customers mature their risk management program. Ease of deployment is another example: Lockpath offers a QuickStart deployment intended to help customers implement the solution more rapidly, resulting in shorter time to value. These factors contribute to Lockpath's ability to support a variety of customers in terms of size and sectors, as opposed to some of its competing products that are not suited to smaller organizations, which are often first-time IRM buyers.

RiskLens

Product or Portfolio Overview

The RiskLens platform consists of features supporting the following use cases: risk data warehouse (includes asset and risk scenario library, guided data collection, industry loss table data and controls mapping to risk scenarios), decision support (includes risk scenario analyses, cost benefit analyses, and comparative analyses), issue management (includes rapid assessment and prioritization, customizable workflows, IT remediation and exception life cycle), risk portfolio management (including baseline enterprise analysis, portfolio aggregation and analytics metrics and a capability for analyzing risk against risk appetite), and real-time risk reporting and board reporting. These features are packaged under three tiers (professional, business and enterprise) based on the customer's adoption of cyber-risk quantification and FAIR methodology.


How RiskLens Competes

RiskLens is an example of a niche technology provider offering cyber-risk quantification. The RiskLens solution set consists of a SaaS platform, purpose built on the FAIR standard for risk quantification, and a suite of professional services. The solution is designed to help clients build cyber-risk quantification programs and manage cyber risk from the business perspective by quantifying it in financial terms. Given the higher attach rate for these professional services, early in 2020, RiskLens plans to modify its packaging around outcomes mapped to its FAIR cyber-risk management life cycle. That change will accommodate entry-level buyers at a relatively lower price point.

While RiskLens increasingly acts as a system of record for cyber risk for customers, RiskLens does not compete directly with the broader risk management platforms but instead integrates with them. RiskLens commonly provides integration with IRM platforms like Archer, ServiceNow GRC and Galvanize. A majority of RiskLens' current customers are Fortune 1000 companies, and though still in the early stages of adoption they have seen growing interest from organizations across the private and public sectors.

From a geographic strategy standpoint, RiskLens will continue to focus on North America. However, given the growing interest from markets outside North America (such as France, Germany, the U.K., Brazil and Peru), RiskLens' strategy will be to accommodate the demand from these regions. RiskLens has an implementation partnership in France while other markets are supported directly through its U.S. operations.

RiskLens has a data integration strategy designed to automate data input whenever possible and to fulfill the vision of real-time risk monitoring and management. RiskLens provides:

Out-of-the-box (OOTB) industry loss data for breaches of personally identifiable information, payment card industry (PCI) and personal health information records resulting in fines and judgment

Threat libraries that capture the relative strengths of threat actors

Data helpers that allow users to create reusable data inputs for risk scenarios, thereby reducing the need for repetitive data entry

The roadmap is focused on providing more data integrations with cybersecurity products beyond the current ones with IRM platforms.

SAI Global

Product or Portfolio Overview

SAI360 is SAI Global's IRM software and learning content platform. BCMP solution capabilities are delivered through the seamless integration with ResilienceONE software from a technology provider called Strategic BCP, which SAI Global acquired in August 2018. In April 2019, SAI Global acquired BWise, a business from Nasdaq, to augment its SAI360 platform in the areas of operational risk management, regulatory change management and audit management. SAI Global's product portfolio, which spans compliance risk, digital risk, ethics and compliance learning, operational risk, environmental health and safety risk, vendor risk and business continuity management, includes multiple acquired products.

How SAI Global Competes

SAI Global represents an example of a broader risk management technology provider acquiring pure-play technology providers to expand its product capabilities. SAI Global's operational risk management and compliance management capabilities were attained through its acquisition of Compliance 360 in 2012. Its IT risk management and IT vendor risk management capabilities are delivered from its Digital Manager 360 solution, which is primarily based on the capabilities that came from the Modulo International acquisition in 2016. SAI Global acquired Strategic BCP in 2018 to expand its BCMP functionality and more recently acquired BWise to strengthen its financial services offering. In addition to the acquisition of BWise, SAI Global has added more content partnerships with providers such as RegScan and Refinitiv to better serve the BFSI vertical.

The acquisitions SAI Global has made over the years have not only helped bolster its IRM solution suite but also helped grow its global coverage. SAI Global has resources across the globe for international coverage in implementation services and support. Furthermore, SAI Global's customer base is more geographically distributed across North America, Asia/Pacific, Europe, the Middle East and Africa, compared with some of its competitors, whose market presence is typically limited to one or two regions.

SAI Global is unique because it is an established IRM technology provider that primarily supports large enterprise customers and complex implementations, but its vision is well-aligned to the needs of less mature organizations that are often first-time buyers seeking a lightweight implementation. For example, SAI Global focuses its vision around helping customers operationalize IRM solutions without the need for extensive customization. SAI Global has also introduced FastStart to reduce the implementation time. FastStart is a collection of over 45 IRM use cases with best-practice OOTB implementations.

ServiceNow

Product or Portfolio Overview

ServiceNow GRC includes policy and compliance, risk management (encompassing IT risk and operational risk), audit management, vendor risk management, performance analytics and business continuity management for GRC. ServiceNow recently acquired Fairchild Resiliency Systems, a company whose BCM solution, MaestroRS, is built on the Now Platform and already integrates with ServiceNow IT service management and GRC. ServiceNow GRC is built on the ServiceNow Platform as a service (PaaS) offering, called the Now Platform, which is in a private cloud infrastructure with each customer getting its own instance of ServiceNow. This single-tenant model is attractive to organizations that want the benefits of a cloud deployment with the control of on-premises software. Additionally, it allows ServiceNow to provide quicker updates between releases and responses to issues.

How ServiceNow Competes

ServiceNow represents a technology provider that has been growing organically since its relatively late entry into the GRC market in 2014. As a large global company, ServiceNow benefits from having a large existing customer base, global footprint and sales operation and an extensive partner network. ServiceNow has more than 75 dedicated client-facing locations around the world supporting regional customers, and it has hundreds of partners around the world. ServiceNow has partnerships with advisories, global system integrators and boutiques in every major market. ServiceNow also has the resources to aggressively expand its IRM solution portfolio. ServiceNow has rapidly invested and developed IRM capabilities in recent years including its workflow-rich UIs, which support a wide range of risk users across an enterprise. The IRM product takes advantage of the Now Platform for capabilities in workflow design and integrations. ServiceNow GRC can natively integrate through the common platform with other ServiceNow products such as Financial Close Automation, HR Service Delivery, IT workflows and security operations. All of these products use the same underlying database, and the ability to share data from across the enterprise on the platform is a differentiator of ServiceNow GRC. For example, the ServiceNow GRC continuous monitoring capability allows customers to assess the impact to their overall risk and compliance posture. Customers can use data from HR Service Delivery for ethics and corporate oversight, Finance Close Automation for financial control automation, Customer Service Management for privacy and reputational risk. They can also use Configuration Compliance for vulnerable and misconfigured IT assets, and security operations applications such as Vulnerability Response and Security Incident Response to identify and respond to critical vulnerabilities and threats.

SureCloud

Product or Portfolio Overview

SureCloud offers several products under the categories of IT risk management and cybersecurity, compliance management, vendor risk management and data privacy management. SureCloud offers a series of prebuilt IRM solutions and the ability to build custom solutions hosted on the SureCloud platform, which is a low-code platform utilizing simple components. This often contributes to shorter deployment lengths. SureCloud's infrastructure hosting providers are Rackspace and Amazon Web Services (AWS).

How SureCloud Competes

SureCloud is an example of an IRM technology provider with a strong focus on privacy compliance requirements and the operational and compliance scope of effectivity. In addition to its mature capabilities around IT and third-party risk management, including the ability to integrate with external cybersecurity and vulnerability data sources, SureCloud has an established offering for data privacy management. SureCloud's GDPR suite includes products such as GDPR Program Tracker, GDPR Discovery (data inventory), GDPR Management and Information Asset Management. Its GDPR suite is a differentiator for SureCloud, especially because the primary markets in which SureCloud operates are mainland Europe and the U.S.

SureCloud's vision has a strong focus around developing an intuitive platform. SureCloud's UI and workflow are streamlined, and first-line-of-defense users can largely self-serve. SureCloud is focused on a light-touch approach to application design where users with limited technical expertise can easily configure and build applications around data input, workflow and dashboard using a graphical user interface. SureCloud has invested in developing a tile-based interface and moving away from a menu-based system, and it has made improvements over time, such as tile-based shortcuts to action items to reduce the number of clicks for better usability.

References and Methodology

Primary and secondary resources were used to prepare this research. We used additional industry sources and publicly available information to verify the accuracy of the information. Sources of data used by Gartner include the following:

Technology provider questionnaires

Technology provider briefings and interviews

Data from Gartner interaction with end users and technology providers

Gartner end-user survey

Articles in the general and trade press

Published company announcements and financial earnings reports

In addition, factual review of the technology provider information was conducted by the respective technology providers. Our conclusions about competitive positioning consider these inputs but, ultimately, reflect Gartner's own judgment based on our overall perspective of the market.

Acronym Key and Glossary Terms

AM: audit management

BCM: business continuity management

CCO: corporate compliance and oversight

DRM: digital risk management

ELM: enterprise legal management

VRM: vendor risk management

Gartner Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"Emerging Technology Analysis: Integrated Risk Management Impact on GRC Technology"

"Critical Capabilities for Integrated Risk Management Solutions"

"Magic Quadrant for Integrated Risk Management Solutions"

"Introduction to Creating Individual Persona Profiles for Digital Business"

"Market Insight: Fuel Digital Business Transformation via a Digital Risk Management Solution Stack"

"Top Use Cases and Capabilities for Integrated Risk Management"

This document is published in the following Market Insights:

Security Solutions Worldwide
