Risk and policy management: Innovators 2015

On the surface this is a pretty boring category. But don't yawn just yet. There are some really neat transformations taking place here and one of the most interesting is the one that is not obvious. We have observed two basic kinds of risk and policy management (GRC: governance, risk and compliance) tools. The first is what we term next-generation tools. These are cloud-based in many instances but always share the highly technical view of GRC. They may manage firewalls or configure routers, but whatever they do, they wrap it in technology and the cloud.

The second kind is what we term traditional or old school. These products take a very strait-laced approach to gathering data, applying policy and regulatory requirements and generating reports, usually with a way of managing workflows and remediation. When you find a next-generation tool dressed up as a traditional tool, you really have something. That is what we were on the prowl for as we searched out Innovators for this category.

Traditional GRC requires that users generate and manage policies, manage regulatory mandates, apply industry-standard best practices such as those developed by NIST, create workflows for the audit and analysis process, and create and manage remediation workflows. Gathering data from the enterprise to accomplish all of this is a challenge, especially for large enterprises, which are arguably the ones that need these tools the most.

Data collection needs to be diverse, allowing collection directly from network devices as well as from questionnaires and other “soft” sources. Remediation of discrepancies requires the ability to work the process in the other direction, especially with the network devices. All along the way, regulatory compliance must be addressed and documented.

All of this implies a traditional system, but the complexity of today's enterprises and the myriad of regulatory and policy requirements argues for a next-generation tool. When we started digging for the “perfect” tool to go in this section, what we really wanted, of course, was the Innovator(s) that managed to hit this middle ground, the best of both worlds. We found one.

Vendor: MetricStream

Flagship product: GRC Apps and GRC Platform

Cost: Ranging from $200-$2,500 per user per app, based on user type. Includes license and support. Discounts given based on volume.

Innovation: GRC Platform approach with snap-in applications for specializations.

Greatest strength: Vision and passion for GRC and the GRC market.

MetricStream is one of those GRC companies that mix the old with the new, and it continues to add innovation as it makes increasing use of cloud resources. The thing that we really liked about this Innovator is that large, old-line companies will be as comfortable with this as they are with any traditional tool while, at the same time, getting capabilities that far exceed traditional expectations. This truly is a good balance between comfort and technology, giving a complete solution to the challenges of GRC in an age of ever-increasing regulatory requirements.

The core of this Innovator's offering is the underlying platform. The platform does all of the heavy lifting while snap-in modules provide specialized capabilities. Users can craft the GRC product they need for their specific business environment. However, there really is a lot more to this Innovator than its product, although that by itself would be a big step toward GRC success in organizations of just about any size.

MetricStream has, indeed, created a formal community of interest around GRC. Did we say at the beginning of this section that GRC could be boring? Not here, for certain. The company has developed something it calls the GRC Journey. This is a mix of product, support, rich content sources and its own brand of social media. All of this, plus a superior product, leads to what the company refers to as pervasive GRC.

This company credits two key things with bringing it to the top of the GRC heap: having the right people and taking a platform approach. The company creates innovative small teams that are empowered to do what they need to do. This allows the company to scale innovation. The platform contains all of the infrastructure ready to receive snap-in applications. Security is baked into the platform through a secure software development lifecycle.

When it comes to the cloud, which this Innovator believes will shortly overtake its other delivery mechanisms, the company keeps everything segregated: no co-mingling and no multi-tenancy.