Top 10 Governance, Risk and Compliance (GRC) Vendors


Risk and compliance management is more important than ever due to high-profile data breaches and mounting pressure in the form of regulations like the EU's General Data Protection Regulation (GDPR). Vendors have responded with an array of Governance, Risk and Compliance (GRC) solutions to mitigate threats and manage risk.

GRC solutions may seem a little boring compared to the latest shiny new AI technology, but a study by the UK's Queens University found that organizations with adequate enterprise risk management programs have a 25% higher market value, meaning their stocks outperform their competitors. Thanks to never-ending compliance regulations and other demands, the GRC market is booming. According to Gartner, the market is projected to grow at a 13.4 percent compound annual growth rate to reach $7.3 billion by 2020.

Renee Murphy, an analyst at Forrester Research, sees cloud-based solutions growing in importance because of their ability to keep up with a changing regulatory and threat landscape. "As on-premises technology becomes outdated and less effective, improved SaaS implementations will dictate which providers will lead the pack," Murphy said. "Vendors that can provide cloud, analytics, and customer support position themselves to deliver successful risk management programs to their customers."

Gartner believes the GRC market is evolving into Integrated Risk Management (IRM), encompassing Digital Risk Management (DRM), Vendor Risk Management (VRM), Business Continuity Management (BCM), Audit Management (AM), Corporate Compliance & Oversight (CCO), and Enterprise Legal Management (ELM).

"IRM goes beyond the traditional, compliance-driven GRC technology solutions to provide actionable insights that are aligned with business strategies, not just regulatory mandates," said John Wheeler, an analyst at Gartner. "Key to the success of IRM is the ability to provide a vertically integrated view of risk starting with an organization's strategy through its business operations and ultimately into the enabling technology assets."

For more on GDPR compliance technologies, see Technologies that Can Help You Comply with GDPR.

Top GRC vendors: selection criteria

For the purposes of this guide, we will stick to current GRC capabilities.

Forrester says a GRC platform should have SaaS capabilities and offer the following:

  • Content management
  • Document management
  • User event input/output, distribution, and communication
  • Risk analytics
  • Risk and control management
  • Workflow management
  • Audit management
  • Dashboards and reporting
  • Regulatory change management

The vendors listed here scored well in the Forrester Wave: Governance, Risk, And Compliance Platforms, Q1 2018. Each vendor summary below links to a detailed analysis, including target markets and use cases, features, metrics, intelligence, use of agents, security certifications, product delivery (cloud, software or hardware) and pricing. See our chart comparing all 10 GRC vendors.

RSA Archer

The RSA Archer Suite includes multi-disciplinary risk and compliance management solutions and use cases. It includes IT & security risk management, enterprise & operational risk management, regulatory & corporate compliance management, audit management, business resiliency, third-party governance, and public-sector solutions. The platform's configurability lets customers quickly make changes with no coding or database development.

See our in-depth look at RSA Archer.


LogicManager

LogicManager's GRC solution speeds the process of aggregating & mining data, building reports, and managing spreadsheets and SharePoint files. LogicManager features enterprise risk management, IT governance and security, compliance management, third-party risk management, audit management, incident management, policy management, business continuity, and financial reporting compliance.

See our in-depth look at LogicManager.


Riskonnect

The Riskonnect GRC platform integrates the governance, management and assurance of performance, risk, and compliance activities. This includes work done by departments like internal audit, compliance, risk, legal, finance, IT, HR, and lines of business, as well as the executive suite and the board. The company boasts a tight integration with Salesforce.com.

See our in-depth look at Riskonnect.


SAP GRC

SAP's GRC offering is composed of a series of modules revolving around SAP HANA in-memory analytics. In-memory data access gives top-of-the-line big data and predictive analytics capability tied to risk management. The offering is aimed at large enterprises.

See our in-depth look at SAP GRC.


ACL GRC

ACL's platform contains modules for strategy, projects, results and analytics, with integrated content and add-ons such as data connectors and configuration services. The automated enterprise SaaS platform merges GRC and corporate performance management (CPM). Forrester gives ACL high marks for its simple user interface, strong mobile support, and strong analytic integration. It is used by more than 7,000 companies in 140 countries.

See our in-depth look at ACL GRC.

SAI Global Compliance360

SAI's Compliance360 range of GRC solutions catalogue, monitor, update, notify, and manage a company's operational GRC needs. By raising compliance and lowering risk, the company aims to reduce the $321 billion in fines levied in the decade since the global financial crisis.

See our in-depth look at SAI Global GRC.

MetricStream GRC

MetricStream's platform addresses audits, contracts, financial control, legal, quality, compliance, performance, risk management, vendor governance, FDA compliance, trading surveillance, social compliance, quality assurance audits, and loss prevention. The company also offers a midmarket solution.

See our in-depth look at MetricStream GRC.


BWise

BWise identifies roles aligned with GRC and includes a library of GRC templates. It includes modules such as audit, risk management and compliance & policy management. Forrester gives the solution its top rating, but notes that implementations can sometimes be complicated.

See our in-depth look at BWise.

Rsam GRC

The Rsam platform can identify, analyze, and manage risk. Modules include audit, business continuity, compliance, exceptions, policy, vulnerability, vendor risk, security incident response and regulatory change. It collects structured and unstructured data from a wide variety of sources.

See our in-depth look at Rsam.
See user reviews of Rsam.

Enablon GRC

Enablon GRC solutions encompass risk management, mobile safety and inspection, mobile audits, internal controls, internal audits, and more.

See our in-depth look at Enablon.
