Competitive Landscape: Integrated Risk Management - Security Weekly

Transcription

Competitive Landscape: Integrated Risk Management
Published: 18 December 2019
ID: G00450383
Analyst(s): Elizabeth Kim

The integrated risk management landscape has been rapidly evolving. This has created greater urgency for technology and service providers to reevaluate how they are strategically positioned in the market and how to uniquely position themselves for the future.

Key Findings

- Technology provider consolidation has accelerated over the past year. Risk management technology providers will continue to expand their capabilities through acquisitions to support the integrated risk management (IRM) mindset.
- Risk management technology providers are adopting a more modular approach to IRM implementation by offering scalable product packaging and pricing that allows customers to gradually expand functionalities. The modular approach supports different customers in their respective risk management journeys.
- For cybersecurity, delivering support for risk quantification models that are traditionally used for communicating operations risk is a short-term opportunity. Growing scrutiny on cyberexposures will drive demand for security-related business risk quantification beyond the banking, financial services and insurance (BFSI) vertical as a means for chief information security officers (CISOs) to improve risk communication in the mid to long term.
- Risk management technology providers focused on providing visibility and assessment of risks in information security, privacy, resilience and new technology are emerging.

Recommendations

Technology and service providers in the risk management marketplace should:

- Identify potential partnerships and integrations with technology providers that offer little or no overlap in capabilities, risk domain or the primary buyers of your solution.

- Align product messaging around the customer’s risk management maturity and the compliance-centric, operation-centric and business-outcome-centric use cases. Additionally, take a modular approach to product pricing and packaging to accommodate the different use cases.
- Assess your offering against the critical capabilities (including risk quantification and analytics capabilities) and the IRM vision of providing a set of capabilities supporting the integration of strategic, operational and tactical risk, and align your product roadmap accordingly.
- Evaluate how well your current IRM solution helps customers integrate and utilize data, such as tactical security vulnerability/threat assessment data, more effectively.

Table of Contents

Strategic Planning Assumption
Analysis
Competitive Situation and Trends
  The IRM Market Will Continue to Consolidate as Technology Providers Seek to Provide Support for Multiple Objectives and Risk Domains
  More IRM Technology Providers Are Adopting a Modular Approach to Support Varying Levels of Customer’s Risk Maturity
  Risk Quantification Analysis Is a Growing Interest, but the Opportunity Outside the Financial Services Vertical Is More Mid to Long Term
  IRM Vendor Landscape Will Be Impacted by Organizations’ Need for Improved Visibility and Assessment of Emerging Risks
Competitive Profiles
  CyberSaint
  Galvanize
  NAVEX Global
  RiskLens
  SAI Global
  ServiceNow
  SureCloud
References and Methodology
Gartner Recommended Reading

List of Figures

Figure 1. IRM Objectives and Risk Domains
Figure 2. Magic Quadrant and Critical Capabilities for IRM Solutions, 2019

Figure 3. IRM Software and Consulting Implementation Service Forecast
Figure 4. IRM Global Forecast by Region
Figure 5. IRM Technology Provider Consolidation, 2019

Strategic Planning Assumption

By 2021, 50% of large organizations will have two or more IRM use cases that leverage automated workflows through IRM vendors, up from 30% in 2017.

Analysis

To understand and manage the full scope of risk, organizations require a comprehensive view across business units and risk and compliance functions as well as key business partners, suppliers and outsourced entities. As a result, new technology solutions are emerging to increase the collaborative nature of risk management, inside and outside an organization.

Gartner defines IRM as practices and processes supported by a risk-aware culture and enabling technologies that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks. A key distinction in Gartner’s definition of IRM is the integration with enterprise risk management (ERM) relating to strategic risks impacting operational and IT risk management objectives. IRM excludes the broader management of risks beyond operational and IT. Figure 1 shows the current primary IRM objectives and risk domains. As IRM technology providers look to enhance their coverage of these objectives and risk domains, opportunities for consolidation and strategic partnerships continue to emerge (see “Top Use Cases and Capabilities for Integrated Risk Management”).

Figure 1. IRM Objectives and Risk Domains

Figure 2 shows the IRM scope, critical capabilities and the use cases evaluated by Gartner in 2019 (see “Magic Quadrant for Integrated Risk Management Solutions” and “Critical Capabilities for Integrated Risk Management Solutions”).

Figure 2. Magic Quadrant and Critical Capabilities for IRM Solutions, 2019

Gartner forecasts the IRM software market to grow at an 8% compound annual growth rate (CAGR) through 2023 to reach 6.3 billion (see “Forecast: Information Security and Risk Management, Worldwide, 2017-2023, 2Q19 Update”). Additionally, the total IRM solution spending, including consulting services and implementation services, is expected to reach 9.3 billion by 2023, representing a 9% CAGR. Figure 3 shows the IRM spending forecast. While a significant portion of the current IRM spending is coming from North America, the IRM market is ripe for growth in other regions. Figure 4 depicts the current IRM spending and the projected growth by region.

Figure 3. IRM Software and Consulting Implementation Service Forecast

Figure 4. IRM Global Forecast by Region

The impact of the growing adoption of IRM on the competitive landscape is threefold:

1. Net new technology providers entering the IRM market
2. Consolidation and expansion of IRM providers
3. Technology providers traditionally from outside IRM (and in niche areas such as security rating or privacy management) adopting an IRM use case and approach

Risk management technology providers need to closely analyze their existing competitors’ strategic movements and better identify new competitors.

Competitive Situation and Trends

The IRM Market Will Continue to Consolidate as Technology Providers Seek to Provide Support for Multiple Objectives and Risk Domains

Risk management technology providers will continue to expand their capabilities to support IRM, and they will achieve this either organically or through acquisitions. Gartner has already observed technology vendors aggressively acquiring or partnering. This trend has accelerated especially in the past year, and market consolidation will continue for the near future.

Figure 5 depicts examples of IRM technology providers that have expanded their capabilities across the spectrum of IRM objectives and risk domains via acquisition. Gartner views these acquisitions as helping technology providers address the following IRM objectives:

- Performance and assurance — ACL acquired Rsam and rebranded to Galvanize to expand its capabilities beyond audit analytics and assurance to a greater focus on technology performance.
- Performance and compliance — NAVEX Global acquired Lockpath to leverage its own ethics and compliance capabilities with a greater focus on technology performance.
- Resilience and compliance — SAI Global acquired Nasdaq’s BWise product set to grow its increasing IRM focus across the business continuity and technology risk domains into financial control and compliance.
- Performance and resilience — ServiceNow acquired Fairchild Resiliency Systems to enhance capabilities around business continuity and operational resilience.

Figure 5. IRM Technology Provider Consolidation, 2019

More IRM Technology Providers Are Adopting a Modular Approach to Support Varying Levels of Customer’s Risk Maturity

Organizations have different maturity levels and approaches to risk management. Not all organizations are ready to implement the full suite of IRM solution offerings. While most first-time buyers have a narrow requirement focused on a single risk domain or use case, the push to IRM is leading organizations to increasingly consider the roadmap of their broader risk management program in their vendor selection process. This has pushed technology providers to adopt a more modular approach to IRM implementation by offering scalable product packaging and pricing that allows customers to gradually expand functionalities in light of organizational changes or increasing risk maturity.

IRM technology providers are also focusing on user experience and user advocacy to drive more usage of the solution. They recognize that improvements in a solution’s usability, along with an increasing number of regulations (and heavier fines) that impact a growing number of departments/lines of business (LOBs), will drive the growth of users in an organization. As one department shows success and satisfaction with a solution, other departments in that organization will look to the technology provider for additional capabilities. Organizations will scale the platform across multiple risk domains and/or departments/LOBs, and the increase in the average frequent-user base using IRM solutions, in addition to usability, will drive market expansion.

To accommodate a modular approach and increasing expected user volumes, some technology providers have shifted their pricing structure. Traditionally, the typical pricing model for IRM solutions has been per user, based on the type of user (core/admin users, casual/business users and infrequent/single-function users). Some technology providers have shifted to a pricing model that is determined by the number of employees.
Here are a couple of examples of this pricing structure:

- Per-employee pricing
- Per-application pricing model, where the cost of the application is determined by the number of employees in the customer organization
- Product packages based on the maturity of an organization’s risk management program (basic, intermediate and advanced), which include the maximum number of users
- Product packages based on the maturity of an organization’s risk management program (basic, intermediate and advanced), with cost per month per employee

Risk Quantification Analysis Is a Growing Interest, but the Opportunity Outside the Financial Services Vertical Is More Mid to Long Term

One of the critical capabilities of integrated risk management is quantifying the associated risk exposure across the organization. Organizations in many industries (including banking, insurance and securities) want to measure risk on a quantitative basis in addition to the qualitative assessments. Some of the quantitative analysis is used to support capital calculation requirements driven by regulatory mandates, such as Basel III and the Solvency II Directive. Other quantitative analysis methods are used to develop more precise predictive models to determine the potential for certain operational risk events, such as fraud or theft. For cybersecurity, delivering support for risk quantification models that are traditionally used for communicating operations risk is a short-term opportunity. Growing scrutiny on cyberexposures will drive demand for security-related business risk quantification beyond the BFSI vertical as a means for CISOs to improve risk communication in the mid to long term. Though Gartner has observed a significant increase in end-user client interactions around the topic of risk quantification in 2019 compared with 2018, it is growing from a small base.

Some sample technology providers that support risk quantification are Arx Nimbus, Axio, Emergynt, Nehemiah Security and RiskLens. There are some IRM technology providers that provide integration with these platforms. For example, ServiceNow integrates with RiskLens, as does Dell Technologies (RSA).

IRM Vendor Landscape Will Be Impacted by Organizations’ Need for Improved Visibility and Assessment of Emerging Risks

Organizations will increasingly recognize the need to gain greater visibility into their digital business operations as an important part of enabling their digital business transformation initiative. Because digital transformation is different for every organization, so is managing the risks arising from digital transformation. Delivery of capabilities for managing emerging risks in information security, privacy, resilience and new technology requires customization and a mechanism for organizations to translate data into meaningful business risk and compliance metrics. The likely outcome is use of a generic IRM platform that is complemented with technology and services that provide visibility into different security vulnerability/threat assessment data or emerging risk assessment data.

Customers are increasingly interested in solutions that provide greater functionality related to information security and privacy.
Hence, risk management technology providers are emerging that focus on supporting organizations around those specific risks. Examples of risk management technology providers that offer functionality specific to an area, such as aspects of privacy risk, are SureCloud and InnoSec. CyNation is an example of a risk management technology provider offering risk assessment of third parties and subsidiaries. Some examples of technology providers that focus on providing visibility and monitoring of security controls to report against security standards and frameworks, or to support broader compliance and audit efforts, are BAP PolicySecure, CyberSaint, Panaseer, and Resolver.

Competitive Profiles

This section is not intended to provide an exhaustive list of technology providers in the market, nor is it a list based on revenue, market share or number of customers. The technology providers highlighted in this section are examples of technology providers that appropriately reflect the key trends outlined in the above section. The list is in alphabetical order.

For additional insight into IRM technology providers, see “Magic Quadrant for Integrated Risk Management Solutions.”

CyberSaint

Product or Portfolio Overview

CyberSaint’s product is the CyberStrong platform, and it spans compliance management, IT risk management, vendor risk management, audit management and digital risk management. A vast majority of CyberSaint’s customers are in North America, with some customers in EMEA.

How CyberSaint Competes

CyberSaint is an example of a technology provider that demonstrates a vision for addressing emerging risks associated with cybersecurity. Though addressing audit and compliance management, CyberSaint has a heavy focus on cybersecurity, and its vision is built around simplifying cybersecurity program management for customers, which makes CISOs of large enterprises its primary buyers. CyberStrong’s primary use case is to provide customers with the compliance status of their assets, vendors or locations for any framework or standard. As such, CyberSaint’s pricing is based on the number of assessments against frameworks or standards such as NIST CSF, NIST SP 800-53, FedRAMP, FIPS, ISO/IEC, DFARS and NIST SP 800-171, and it does not charge additionally for integration with third-party software. NERC-CIP, COBIT and CIS are some of CyberSaint’s more popular frameworks, given its focus on energy and utilities, and oil and gas.

CyberSaint is unique among some of the technology providers outlined in this report in that it is a newer and smaller provider, but also due to the types of implementation it supports. CyberSaint’s current “sweet spot” is large-scale projects that involve a high level of configuration or customization that are delivered through CyberSaint and its partners, including Accenture, EY and Siemens. It has customer use cases in energy and utilities, defense and aerospace, and managed security services, which are relatively “greenfield” compared with verticals such as BFSI and healthcare, which are heavily penetrated.
CyberSaint at times competes directly with established IRM technology providers and in other cases complements those solutions that already exist in their customers’ environment.

Though CyberSaint faces challenges to scale due to its size, CyberSaint’s innovation and agility, coupled with strong advanced analytics, have resulted in revenue growth. CyberSaint helps customers convert compliance mandates into control mappings and offers data aggregation and real-time visualization as well as continuous monitoring backed by visibility into risk on a per-control basis.

Galvanize

Product or Portfolio Overview

In February 2019, ACL completed its acquisition of Rsam. The combined entity has rebranded as Galvanize and completed its first phase of product integration as of May 2019, which included an API data bridge, executive dashboarding and storyboarding, and a unified user login and single sign-on (SSO) experience. Complete integration of the two products will take a couple of releases.

Galvanize offers two main products: HighBond and ACL Robotics. The HighBond platform offers 11 modules that address multiple risk domains. They are:

- RiskBond (risk management)
- ComplianceBond (regulatory compliance management)
- ControlsBond (internal controls management)
- AuditBond (audit management)
- FraudBond (fraud and corruption management)
- ITGRCBond (IT risk management)
- ThirdPartyBond (third-party risk management)
- PolicyBond (policy and training management)
- IncidentBond (incident reporting)
- CyberBond (threat and vulnerability management)
- ContinuityBond (business continuity management)

How Galvanize Competes

Galvanize represents a case of two IRM technology providers bringing together their products and strengths to appeal to a broader spectrum of buyers and better compete in a wide range of IRM implementations that vary in size and complexity. The legacy ACL IRM solution was focused on internal audit; governance, risk and compliance (GRC); and data analytics, and was traditionally sold largely into internal audit and compliance functions. Rsam’s legacy IRM solution was focused on IT risk, incident response, vendor risk and business continuity management planning (BCMP), with core constituents aligned to IT and security buyers. The combined entity means a wider range of IRM functionality, geographic customer base and support. Galvanize has already reported several legacy Rsam customers migrating to the integrated product. Additionally, the merger allows Galvanize to be better positioned to compete on larger and more complex IRM projects.

The combined product also means more opportunity for each side to leverage the strengths of the other. For example, Galvanize is extending robotic automation, monitoring and analytics capabilities to Rsam IRM solutions. This includes cloud-only data processing that allows customers to run robotics in the cloud.
Following the integration with ACL Robotics and Storyboarding functionality, legacy Rsam analysis of external data no longer requires the import of all external data into the IRM tool, which speeds up the deployment of automated data analytics activities. Analysis can now be performed from multiple internal and external sources, addressing common concerns around the impact of the increasing volume and velocity of data on IRM platform speed and performance. Galvanize has also expanded its ML commands with its ML TRAIN and PREDICT models and provides more data connectors, including an Rsam connector, SharePoint connectors, an SSO-enabled SAP connector and RESTful APIs.

NAVEX Global

Product or Portfolio Overview

NAVEX Global provides a suite of products including PolicyTech (policy management), EthicsPoint (incident management), RiskRate (due diligence), NAVEXEngage (ethics and compliance training) and GRC Insights (analytics and benchmarking).

In August 2019, NAVEX Global announced its acquisition of Lockpath. Lockpath’s offering includes Lockpath for integrated risk management and configuration assessment. The platform offers compliance and policy management, IT risk management, continuous security management (including continuous asset configuration assessment, file integrity monitoring, change detection and asset discovery), operational risk management (including incident management), audit management, vendor risk management, business continuity management, and health and safety management.

How NAVEX Global Competes

NAVEX Global is an example of a pure-play technology provider acquiring a broader risk management solution provider to expand into the IRM space. While the acquisition is still in its early days, the two technology providers have little overlap in product functionality and buyer profiles. NAVEX Global was traditionally an ethics and compliance management provider primarily serving legal and compliance leaders, while Lockpath sold to CISOs, compliance teams and chief risk officers.

The strength of each technology provider is complementary to the other. NAVEX Global complements Lockpath with its scale and large customer base. Traditionally, Lockpath did not have local and in-country resources to provide direct support to the more complex and globally distributed implementations. Additionally, its sales operations were largely limited to North America. NAVEX Global has a significant footprint, with approximately 80% of its revenue being generated in the U.S. or by U.S.-based multinational companies and the remainder coming primarily from Europe.

Lockpath complements NAVEX Global by helping it better address the increasing number of organizations requesting a broader set of functionalities across multiple risk domains as customers adopt IRM. There are also opportunities for NAVEX Global to leverage Lockpath’s strengths that are derived from incorporating customer feedback, most notably the simplicity and transparency of its pricing structure and the scalability to expand use cases as customers mature their risk management program. Ease of deployment is another example: Lockpath offers a QuickStart deployment intended to help customers implement the solution more rapidly, resulting in shorter time to value.
These factors contribute to Lockpath’s ability to support a variety of customers in terms of size and sector, as opposed to some of its competing products that are not suited to smaller organizations, which are often first-time IRM buyers.

RiskLens

Product or Portfolio Overview

The RiskLens platform consists of features supporting the following use cases: risk data warehouse (includes asset and risk scenario library, guided data collection, industry loss table data and controls mapping to risk scenarios), decision support (includes risk scenario analyses, cost-benefit analyses, and comparative analyses), issue management (includes rapid assessment and prioritization, customizable workflows, IT remediation and exception life cycle), risk portfolio management (including baseline enterprise analysis, portfolio aggregation and analytics metrics, and a capability for analyzing risk against risk appetite), and real-time risk reporting and board reporting. These features are packaged under three tiers (professional, business and enterprise) based on the customer’s adoption of cyber-risk quantification and the FAIR methodology.

How RiskLens Competes

RiskLens is an example of a niche technology provider offering cyber-risk quantification. The RiskLens solution set consists of a SaaS platform, purpose-built on the FAIR standard for risk quantification, and a suite of professional services. The solution is designed to help clients build cyber-risk quantification programs and manage cyber risk from the business perspective by quantifying it in financial terms. Given the higher attach rate for these professional services, early in 2020 RiskLens plans to modify its packaging around outcomes mapped to its FAIR cyber-risk management life cycle. That change will accommodate entry-level buyers at a relatively lower price point.

While RiskLens increasingly acts as a system of record for cyber risk for customers, RiskLens does not compete directly with the broader risk management platforms but instead integrates with them. RiskLens commonly provides integration with IRM platforms like Archer, ServiceNow GRC and Galvanize. A majority of RiskLens’ current customers are Fortune 1000 companies, and though still in the early stages of adoption, it has seen growing interest from organizations across the private and public sectors.

From a geographic strategy standpoint, RiskLens will continue to focus on North America. However, given the growing interest from markets outside North America (such as France, Germany, the U.K., Brazil and Peru), RiskLens’ strategy will be to accommodate the demand from these regions. RiskLens has an implementation partnership in France, while other markets are supported directly through its U.S. operations.

RiskLens has a data integration strategy designed to automate data input whenever possible and to fulfill the vision of real-time risk monitoring and management.
RiskLens provides:

- Out-of-the-box (OOTB) industry loss data for breaches of personally identifiable information, payment card industry (PCI) and personal health information records resulting in fines and judgments
- Threat libraries that capture the relative strengths of threat actors
- Data helpers that allow users to create reusable data inputs for risk scenarios, thereby reducing the need for repetitive data entry

The roadmap is focused on providing more data integrations with cybersecurity products beyond the current ones with IRM platforms.

SAI Global

Product or Portfolio Overview

SAI360 is SAI Global’s IRM software and learning content platform. BCMP solution capabilities are delivered through the seamless integration with ResilienceONE software from a technology provider called Strategic BCP, which SAI Global acquired in August 2018. In April 2019, SAI Global acquired BWise, a business from Nasdaq, to augment its SAI360 platform in the areas of operational risk management, regulatory change management and audit management. SAI Global’s product portfolio, which spans compliance risk, digital risk, ethics and compliance learning, operational risk, environmental health and safety risk, vendor risk and business continuity management, includes multiple acquired products.

How SAI Global Competes

SAI Global represents an example of a broader risk management technology provider acquiring pure-play technology providers to expand its product capabilities. SAI Global’s operational risk management and compliance management capabilities were attained through its acquisition of Compliance 360 in 2012. Its IT risk management and IT vendor risk management capabilities are delivered from its Digital Manager 360 solution, which is primarily based on the capabilities that came from the Modulo International acquisition in 2016. SAI Global acquired Strategic BCP in 2018 to expand its BCMP functionality and more recently acquired BWise to strengthen its financial services offering. In addition to the acquisition of BWis
