Complex GRC tool pricing confusing for buyers

There are no shortcuts for buyers of governance, risk and compliance tools, who must navigate a complex and time-intensive process to identify and select the right tools for their businesses.

This is the conclusion drawn by Gartner in its latest analysis of the GRC market, published this week. It says complex approaches to pricing mean enterprise risk management professionals must understand four different tiers of GRC solutions and apply a scoping framework to further estimate likely costs ahead of vendor selection.

Gartner advises that ERM professionals address several key questions to understand which of the following four tiers of GRC solution will best meet their needs: enterprise GRC solutions, agile GRC solutions, adjacent GRC point solutions and disruptors.

“There are no shortcuts to avoiding demos and time-intensive sales processes,” said Joel Backaler, director and analyst in the Gartner Audit and Risk Practice. “However, understanding four pricing categories that vendors generally fall into and applying a scoping framework accordingly, can save time and narrow the focus of an RFP to vendors that are likely to fit within budget constraints.

“Using disruptor tools can also allow heads of ERM to more affordably gain access to new functionality by influencing the vendor’s forward-looking product roadmap. Moreover, a flagship customer will have substantial leverage to get the vendor to include enhancement requests in their product roadmap.”

Simplifying GRC tool offerings: Four tiers (Source: Gartner)

Enterprise GRC solutions

Enterprise GRC solutions tend to cost the most and are a best fit for large, complex organisations that require a comprehensive platform to manage a broad spectrum of risk and compliance activities across assurance (risk, legal, compliance, audit) teams. These solutions typically offer extensive customisation options, support for multiple risk modules (e.g. enterprise risk, operational risk, third-party risk) and advanced analytics capabilities.

Agile GRC solutions

Agile GRC solutions offer a more accessible alternative to enterprise tools, providing essential functionalities with easier implementation and scalability. These tools are ideal for mid-size to large organisations that need effective risk and compliance management, but with less complexity and lower costs. They typically feature drag-and-drop configuration, modular structures that allow for gradual expansion and user-friendly interfaces.

Adjacent GRC point solutions

Adjacent GRC point solutions can vary in price significantly and offer capabilities that overlap with core GRC capabilities. They also use a distinct set of criteria for deep workflows in one terrain. Examples of point solutions include tools that support business continuity management, third-party risk management and regulatory change management.

Disruptors

Disruptor GRC vendors are emerging players in the market, often founded by former executives from established GRC firms or former management consultants with a background in GRC implementations. They see gaps in the marketplace and aim to address them with the latest technology (e.g. AI use in GRC tools) and ease of data interoperability. This opens the door for strong price negotiation leverage as start-ups seek to acquire flagship customers.


