Due to widely varying government, risk, and compliance (GRC) tool pricing, enterprise risk management (ERM) leaders must understand four different pricing-tier categories of GRC solutions and apply a scoping framework to further estimate likely costs ahead of vendor selection, according to Gartner.
Only 27% of heads of ERM say that senior, executive and board decision makers consistently take the actions recommended in risk assessments. Only 31% have high confidence that their risk assessment process keeps pace with the changing risk landscape .
44% of Chief Strategy Officers report that their organizations are behind on meeting strategic objectives. Only 19% have high confidence in their ability to embed risk management activities into strategy execution.
60% of IT leaders say their organizations already use generative AI solutions beyond ChatGPT and 28% say their organizations plan to use them by 2024. Only 18% have high confidence in leveraging technology in their risk management processes and the associated opportunities.
“There are no shortcuts to avoiding demos and time-intensive sales processes,” said Joel Backaler, Director Analyst in the Gartner Audit & Risk Practice. “However, understanding four pricing categories that vendors generally fall into, and applying a scoping framework accordingly, can save time and narrow the focus of an RFP to vendors that are likely to fit within budget constraints.”
Four different pricing-tier categories of GRC solutions
Enterprise GRC solutions tend to cost the most and are a best fit for large, complex organizations that require a comprehensive platform to manage a broad spectrum of risk and compliance activities across assurance (risk, legal, compliance, audit) teams. These solutions typically offer extensive customization options, support for multiple risk modules (e.g., enterprise risk, operational risk, third-party risk) and advanced analytics capabilities.
Agile GRC solutions offer a more accessible alternative to enterprise tools, providing essential functionalities with easier implementation and scalability. These tools are ideal for midsize to large organizations that need effective risk and compliance management, but with less complexity and lower costs. They typically feature drag-and-drop configuration, modular structures that allow for gradual expansion and user-friendly interfaces.
Adjacent GRC point solutions can vary in price significantly and offer capabilities that overlap with core GRC capabilities. They also use a distinct set of criteria for deep workflows in one terrain. Examples of point solutions include tools that support business continuity management, third-party risk management and regulatory change management.
Disruptor GRC vendors are emerging players in the market, often founded by former executives from established GRC firms or former management consultants with a background in GRC implementations. They see gaps in the marketplace and aim to address them with the latest technology (e.g., AI use in GRC tools) and ease of data interoperability. This opens the door for strong price negotiation leverage as startups seek to acquire flagship customers.
“Using disruptor tools can also allow heads of ERM to more affordably gain access to new functionality by influencing the vendor’s forward-looking product roadmap,” said Backaler. “Moreover, a flagship customer will have substantial leverage to get the vendor to include enhancement requests in their product roadmap.”
Fill out the form to download your copy: