You may have heard that Gartner's latest Magic Quadrant for Enterprise GRC (EGRC) was released this month (see a summary here, or go buy a full copy over here). There's been a ton of press releases and media coverage since Gartner's announcement, as well as some interesting responses. However, if you look at the MQ graphic itself, what you'll find is a melange of random tech companies providing solutions in a wide range of areas that may or may not qualify as "EGRC."
According to their summary report, Gartner says that they define EGRC around four (4) key functions: risk management, audit management, compliance and policy management, and regulatory change management. However, as much as this might sound like a coherent set of criteria, their application of this definition is odd and inconsistent. For example, SAP and SAS both show up in the "Leaders" quadrant, yet SAS appears to barely meet these four functions, and certainly not in the comprehensive way you might expect, and SAP is even weaker at meeting these criteria (their "EGRC" solution is just one plugin module in their overall ERP framework). In both cases you would be far more likely to look to these technologies for financial risk management, and not for enterprise risk management. It's rare to encounter either of these products in the GRC RFPs and bake-offs we're seeing every month, and yet they're supposedly "Leaders" in the space? The same can in fact be said for 7 of the 9 products listed in that quadrant; they're simply not seen in routine GRC competitive situations much, if at all.
Michael Rasmussen, who by most accounts invented the "GRC" moniker to describe the market space, has posted a vitriolic rant about this latest Gartner report, highlighting many of the discrepancies that the report and associated research process contain. Of his complaints, I think the most important one is that the report is "a mile wide and an inch deep." In his retort, French Caldwell (co-author of the MQ report) even agrees that this is a shortcoming of the process and market space. This is curious to me... if you, as the authoring analyst, realize that you've defined the space too broadly, why would you then move forward with publishing a report at all? It seems to me that EGRC is ripe for re-segmenting, such as around Financial GRC, Legal GRC, etc.