Enterprise risk management software helps organizations identify, mitigate and remediate business risks, which can lead to improved business performance. The risk management market is rapidly evolving from separate tools across different risk domains toward more integrated platforms that blend governance, risk and compliance functions with management of cybersecurity, IT and third-party risks.
The growing number and complexity of risks that businesses face put ERM even more in the spotlight for boards of directors, said Kriti Seth, an analyst at research firm Everest Group. Spending on risk and compliance tools is up significantly across different industries, as boards prioritize projects to create more risk-resilient business operations, according to Seth. "Building a robust strategy and choosing the right ERM tool is becoming a critical decision for CIOs," she said.
In addition to pricing, Seth said CIOs, IT managers and business executives involved in purchasing decisions need to consider the reputation of ERM software vendors and the types of risk management frameworks they support. It's also important to weigh the tools across various dimensions involving users, processes and governance impact as well as the technology itself, she added.
Evaluating enterprise risk management tools
Nucleus Research analyst Charles Brennan recommends that IT decision-makers use the following features and attributes to help select the best risk management software for their organization:
- Integration. The seamless integration of risk management tools with other technologies is pivotal for real-time data exchanges and a comprehensive overview of different business risks.
- Analytics. The right data analytics and reporting features can identify relevant trends, patterns and anomalies in an organization's risk-related data sets.
- Customization. Decision-makers should prioritize tools that enable customization to align with their organization's risk management strategy and create user-friendly interfaces catering to diverse business stakeholders.
- Regulatory compliance. Tools should seamlessly adapt to changing regulations affecting business operations, such as data privacy laws and climate risk disclosure rules.
- Scalability. Look for tools that support modular and adaptable risk management capabilities to seamlessly integrate additional functionality as business requirements evolve.
- Total cost of ownership. Evaluating implementation, maintenance and future upgrade costs is a must to ensure the chosen tool remains financially viable and aligned with the organization's budget.
Here, listed in alphabetical order, are 16 prominent ERM software vendors and information on the tools they offer.
Archer has developed a comprehensive set of capabilities for enterprise, operational, IT, security and third-party risk management as well as regulatory compliance; management of environmental, social and governance (ESG) programs; and other risk-related functions. Its namesake integrated risk management (IRM) platform supports common taxonomies, policies and metrics for managing all of an organization's risk data.
The platform also includes Archer Engage, a risk reporting and data collection application that provides a unified user experience for business users and risk management teams; a separate version of the Engage software for third-party vendors; Archer Insight, a risk quantification tool; and the Archer Exchange, a marketplace for pre-built applications, data integrations, administration tools and configuration accelerators from the company and business partners. Founded in 2001, Archer has gone through several ownership changes: It was acquired by security software vendor RSA in 2010, then became an independent business again in 2021 and was bought by private equity firm Cinven in 2023.
The Archer platform provides the following features as well:
- On-premises or SaaS deployment options.
- Resilience management tools for crisis and business continuity planning, with support for rules and guidance from regulators in the U.S., the U.K., Europe and Australia.
- Document governance capabilities added through the acquisition of software startup Atlas in 2023.
AuditBoard was founded in 2014 by two former auditors at accounting and professional services firms PwC and EY. Initially, its core focus was on streamlining audit and compliance processes for companies required to meet complex regulations, such as the Sarbanes-Oxley Act. In recent years, though, the company has gradually expanded its cloud-based platform into other aspects of risk management.
In July 2023, for example, it released AuditBoard ITRM for IT risk management, with a focus on IT security risks and support for collaboration between security teams, risk managers and business users. ESG program management software was added in October 2022. AuditBoard also offers a separate product for risk and compliance management across various IT frameworks plus ERM and third-party risk management modules and other tools, all combined in an integrated platform with a unified UI.
Additional AuditBoard capabilities include the following:
- A SOXHub tool for managing and reporting on compliance with Sarbanes-Oxley and other internal controls.
- OpsAudit, audit management software that supports real-time risk assessments and prioritization of audits based on business risks.
- Automated Evidence Collection, a feature that can pull compliance data from source systems without coding or manual collection processes.
Camms is based in Australia, and the company also has a strong presence in the U.K. and Asia, with operations in the U.S. too. Founded in 1996, the company emphasizes its governance, risk and compliance (GRC) capabilities but also offers a variety of related applications and tools in a single cloud-based platform. Camms highlights its partnerships with various information providers, consultancies and professional services firms, and the company touts its software's ease of use and accessibility.
Camms Risk, the core GRC tool, supports management of operational, cybersecurity and third-party risks as well as regulatory compliance, audits, ESG programs and other functions. Some of the company's other technologies include Camms Strategy, for use in strategic planning and execution; Camms Project, a project and portfolio management application; Camms Service, which automates workflows for documenting and reporting on data breaches, business disruptions and other incidents; and Camms Connect, a library of APIs for integrating the Camms software with other IT systems.
The following features are also built into the Camms platform:
- The ability to create registers to capture and report on risk data, with integrated workflows for automating management of them.
- A workplace health and safety module to manage potential hazards, report on incidents and track actions to address problems.
- Dashboard development and self-service reporting tools for distributing relevant data to business executives.
Founded in 2001, Diligent was best known as a vendor of software for managing and governing boards of directors when it acquired SaaS GRC vendor Galvanize in 2021. It also bought Steele Compliance Solutions, a maker of ethics and compliance software, and ESG reporting tools vendor Accuvio that year. The combined company offers a GRC platform that supports enterprise, IT and third-party risk management as well as audits, internal controls and regulatory compliance.
Diligent HighBond, the core GRC software, provides advanced analytics and workflow automation to automatically identify risks and surface them to risk managers or the board of directors. HighBond also includes prebuilt dashboards and reports for distributing information about business risks to the board, and Diligent has an extensive library of integrations with enterprise applications, databases and third-party data providers.
Other notable features in the Diligent platform include the following:
- Board Reporting for IT Risk, a dashboard tool released in July 2023 for presenting cyber-risk data to the board, including cybersecurity performance and benchmarking data from business partners BitSight and SecurityScorecard.
- An automated monitoring and search tool to help identify reputational, financial and crime-related risks in real time.
- A due diligence module for investigating and evaluating potential risks in business transactions worldwide.
IBM OpenPages is an AI-driven GRC platform that supports risk management, regulatory compliance and data governance programs. It was first developed in the mid-1990s as an enterprise content management system for publishers by American Computer Innovators, which renamed itself OpenPages in 2000 and refocused on GRC. IBM acquired OpenPages in 2010 to expand its business analytics offerings into compliance and risk management processes. In 2020, the software was integrated into IBM Cloud Pak for Data, a set of cloud-based tools for organizing, managing and analyzing data.
OpenPages is designed to help organizations centralize siloed risk management initiatives. It includes a stack of GRC and ERM tools for managing operational, third-party and ESG risks; IT governance; data privacy; financial controls; audits; compliance; and more. The platform supports integration of GRC processes with third-party applications via IBM App Connect or REST APIs. In addition, IBM's Cognos Analytics software can be used for self-service data exploration and analytics in OpenPages systems.
OpenPages also includes the following features and capabilities:
- Deployment on a company's private cloud or any of the major cloud platforms, including support for hybrid or multi-cloud environments.
- An embedded GRC Workflow feature with drag-and-drop functionality that can be used to create new risk management workflows or modify existing ones.
- Integration with IBM's Watson AI tools to support a GRC virtual assistant and connections to AI models.
LogicGate offers a GRC platform that seeks to enable what it calls "strategic risk investment" in organizations. The idea is that effective risk management is only achievable when different business risks are presented to the board of directors in a comparable form so investments in IT systems, people and risk mitigation processes can be prioritized. To that end, LogicGate's Risk Cloud platform helps quantify the financial impact of risks through a combination of traditional techniques, Monte Carlo simulations and support for the Open FAIR risk analysis standards.
Risk Cloud is a no-code platform that lets business leaders customize prebuilt workflows to identify, evaluate and mitigate risks. It includes 10 modules for ERM, cyber-risk management, third-party risk management, regulatory compliance, operational resiliency, ESG program management and other functions. LogicGate, which was founded in 2015, also provides reporting and analytics features that include prebuilt reports and dashboards, real-time reporting and integrations with external BI tools.
In addition, the Risk Cloud platform includes these features:
- Support for mapping internal controls against more than 20 cybersecurity and privacy frameworks, with automated calculations of residual risk.
- An OpenAI integration that makes it easier to use generative AI models as part of policy generation, procedure management and other GRC processes.
- Additional integrations with collaboration tools and document repositories plus a set of prebuilt connectors and a RESTful API for creating custom ones.
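LogicGate's description above names Monte Carlo simulation and Open FAIR as the way to put different risks in front of the board in comparable dollar terms. The following is an added example, not LogicGate's code or part of the original article, of what that quantification looks like at its simplest: each risk's loss event frequency and per-event loss magnitude are entered as calibrated minimum/most-likely/maximum estimates (constructed values), a triangular distribution is assumed in place of the PERT curve FAIR tooling usually fits, and thousands of simulated years yield an annualized loss expectancy and tail percentiles that can be ranked side by side.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class FairRisk:
    """One risk scenario with FAIR-style calibrated estimates.

    Each tuple is (minimum, most likely, maximum) as elicited from the
    risk owner; lef is loss event frequency per year, magnitude is the
    loss per event in dollars. Sample values below are constructed.
    """
    name: str
    lef: tuple
    magnitude: tuple


def _pert_like(rng, lo, mode, hi):
    # Triangular distribution as a stand-in for the PERT curve FAIR tools
    # usually fit to min/most-likely/max estimates (an assumption here).
    return rng.triangular(lo, hi, mode)


def _poisson(rng, lam):
    # Knuth's algorithm: how many loss events occur in one simulated year
    # when the expected annual rate is lam.
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= threshold:
            return k - 1


def simulate(risk, years=10000, seed=1):
    """Monte Carlo simulation of annual loss for one risk.

    Returns summary statistics so the scenario can be compared with other
    risks in the same dollar terms rather than as a colour on a heat map.
    """
    rng = random.Random(seed)  # seeded so results are reproducible
    annual = []
    for _ in range(years):
        rate = _pert_like(rng, *risk.lef)
        events = _poisson(rng, rate)
        loss = sum(_pert_like(rng, *risk.magnitude) for _ in range(events))
        annual.append(loss)
    annual.sort()

    def pct(p):
        return annual[min(len(annual) - 1, int(p * len(annual)))]

    return {
        "name": risk.name,
        "mean": statistics.fmean(annual),  # annualized loss expectancy
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),  # tail loss a board typically asks about
        "max": annual[-1],
    }


def rank_for_board(risks, years=10000, seed=1):
    """Simulate every risk and order them by annualized loss expectancy."""
    results = [simulate(r, years, seed) for r in risks]
    return sorted(results, key=lambda r: r["mean"], reverse=True)


# Constructed sample register: a frequent low-cost risk and a rare costly one.
VENDOR_OUTAGE = FairRisk("Critical SaaS vendor outage", (2, 5, 10), (20_000, 60_000, 150_000))
DATA_BREACH = FairRisk("Customer data breach", (0.05, 0.2, 0.5), (500_000, 2_000_000, 8_000_000))

if __name__ == "__main__":
    for row in rank_for_board([VENDOR_OUTAGE, DATA_BREACH], years=20000):
        print(f"{row['name']:<30} ALE ${row['mean']:>12,.0f}  "
              f"p90 ${row['p90']:>12,.0f}  p95 ${row['p95']:>12,.0f}")
```

The rare, costly breach ranks above the frequent outage on expected annual loss even though its median year is zero, which is exactly the distinction a heat map hides.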
LogicManager combines enterprise risk management software with an associated consulting operation that pairs customers with advisory analysts and provides personalized training and guidance on risk management best practices. Founded in 2005, the company's core value proposition is to help organizations bridge risk management initiatives across operational silos by centralizing risk functions in a single platform that automates processes for identifying, mitigating and reporting on risks.
In addition to ERM, the cloud-based LogicManager platform supports IT and cybersecurity risk assessments, third-party risk management, regulatory compliance efforts, business continuity management, internal auditing, financial controls and more. The platform can be customized for different industry needs and comes with all-inclusive pricing for consulting and implementation services, integrations, training and unlimited user licenses. An integration hub lets users connect to more than 500 external applications through a no-code, template-based approach.
Additional LogicManager features include the following:
- AI, machine learning and automation tools that include a document risk analyzer, an automapper that maps existing controls to new risks and automated risk assurance calculations.
- An operational risk taxonomy that provides a full view of risks enterprise-wide and can help identify duplicate controls and overlaps in risk mitigation work.
- A References tool that helps users uncover information about organizational interdependencies involving vendors, resources, processes and controls to inform risk-based business decisions.
MetricStream has built its software strategy around AI-powered risk management and "connected GRC" capabilities that support an integrated and collaborative approach to managing risks. Founded in 1999, the company provides tools for use in risk, compliance, audit and ESG management processes. That includes its underlying MetricStream Platform and various product modules to help manage enterprise, operational, IT, cybersecurity and third-party risks as well as business continuity, regulatory changes, internal audits, organizational policies and more.
Announced in June 2023, MetricStream's AI software uses large language models, generative AI capabilities and knowledge graphs based on GRC ontologies to augment decision-making and prioritization of work in GRC programs. For example, it can identify missing or duplicate controls in business units, map relationships between risks and controls, streamline issue management and gather risk-related information in response to prompts from risk managers or other end users.
Other MetricStream capabilities include the following:
- A federated data model with predefined relationships between risks, regulations, controls, organizational entities and other elements of GRC programs.
- Built-in dashboards and reports plus API-based integration with external BI tools for risk analysis and real-time insights.
- A set of out-of-the-box connectors and more than 200 built-in APIs that can be used to create REST or Kafka-based connectors.
Navex offers a GRC platform that includes ethics and compliance, integrated risk management and ESG software modules. The IRM software supports management of third-party, IT and operational risks as well as compliance with data privacy regulations. Navex also provides capabilities to develop ethical standards that can be measured and enforced across various business processes, with customized tools and workflows for organizations in the healthcare, financial services, manufacturing, energy, insurance and life sciences industries.
Founded in 2012, the company initially focused on ethics and compliance tools but broadened its product offering in recent years. Many of the components of its Navex One platform, which was launched in 2020, were stitched together from acquisitions. For example, Navex IRM resulted from the acquisition of risk management vendor Lockpath in 2019. Also, Navex ESG is built on software added through the purchase of CSRware in 2020; the ESG module was integrated into Navex One in 2022.
Other notable features of the Navex platform include the following:
- An AI-powered Compliance Assistant that can answer questions from employees about company policies and procedures in natural language.
- Preconfigured Navex IRM Out-of-the-Box offerings designed to speed up deployments of IT and third-party risk management capabilities.
- A Navex One technology bundle for small and midsize businesses.
OneTrust's cloud-based Trust Intelligence Platform includes a broad set of tools for managing ethics and compliance, privacy, GRC and ESG initiatives, split into four product modules aligned with those functions. The GRC and Security Assurance Cloud supports management of technology and third-party risks, as well as internal audits. Features include automated third-party risk assessments; risk data and external risk ratings on vendors; centralized management of cybersecurity incidents; and automated certification of compliance with security standards.
A broad focus on third-party risks is a key element of OneTrust's strategy. Its Ethics and Compliance Cloud includes a due diligence tool that helps screen and monitor vendors for security risks, and the ESG and Sustainability Cloud has similar software for managing ESG risks in supply chains. In addition, the company provides tools for ethics program management; data discovery and security; privacy management; and ESG reporting, among other capabilities.
The following are some additional features provided by OneTrust, which was founded in 2016:
- Natural language processing capabilities that automate vendor onboarding and risk disclosure workflows.
- AI governance tools to help inventory, assess and monitor various risks associated with the use of AI.
- AI-driven document classification to help classify unstructured data more accurately and automatically apply relevant data governance and protection policies.
As its name indicates, Riskonnect provides integrated risk management software for managing risks in an interconnected way, both within an organization and across third parties. Its cloud-based IRM platform includes numerous tools to help manage insurance, ESG, healthcare, GRC and business continuity risks. The company also offers a software module that risk managers can use to visualize risks, analyze their potential business impact, identify trends and prioritize risk mitigation work.
Founded in 2007, Riskonnect acquired several smaller companies in recent years to expand its product line. Its ESG module is tightly integrated with Salesforce's Net Zero Cloud, enabling users to combine ESG, governance, risk and compliance data from the Riskonnect platform into the Salesforce sustainability management software. Riskonnect also provides a set of APIs for creating custom integrations with Salesforce and other external applications, with support for both REST and the Simple Object Access Protocol.
In addition, the Riskonnect platform includes these features:
- Risk analytics software with a set of built-in interactive dashboards supporting various data visualization techniques and industry-specific analyses.
- Implementation, data transformation and regulatory compliance services, plus consulting and managed services on business continuity.
- A risk register for tracking risks plus tools for doing bowtie cause-and-effect analysis and analyzing risk management schedules and costs.
RiskOptics specializes in IT and cybersecurity risk management, offering software primarily designed for use by chief information security officers and information security teams. Founded in 2009 under the name Reciprocity, the company initially sold a platform called ZenGRC that automated compliance audits. In 2022, it introduced the ROAR Platform -- short for Risk Observation, Assessment and Remediation -- as its new lead product, with broader risk management capabilities. The company changed its name to RiskOptics in early 2023 to highlight its expanded focus on managing risks.
The ROAR Platform includes tools to help assess potential third-party risk exposure from data breaches at suppliers and partners, as well as real-time risk scoring, reporting and compliance monitoring capabilities. But RiskOptics is in some flux. After naming a new acting CEO in August 2023, the company said ROAR is best suited to midmarket organizations and ZenGRC is still being supported and enhanced for users with complex GRC needs.
RiskOptics also offers the following features as part of the ROAR Platform:
- A library of more than 25 compliance frameworks and standards, with tools to map internal controls to them.
- Built-in integrations with cloud and SaaS offerings from AWS, Azure, Salesforce, Jira, Google Cloud, GitHub and other vendors.
- The RiskOptics Community, a self-service support, training and information sharing hub.
SAI360 offers a cloud-based platform that combines software for managing GRC; ESG; ethics and compliance learning; and environment, health and safety initiatives. The company was founded as SAI Global in 2003, initially to publish and sell the various standards developed by Standards Australia. It later refocused on risk management and related practices, a strategic shift aided by several acquisitions -- most notably, the purchase of GRC vendor BWise from Nasdaq in 2019. The company rebranded its expanding software platform as SAI360 in 2018 and changed its name to that in 2021.
The BWise software is now part of SAI360 GRC, which supports operational resilience; risk, audit and compliance management; ESG programs; and healthcare GRC workflows. A separate ESG module is also available, and SAI360 Learning provides a suite of training tools and resources to promote risk awareness and corporate ethics across organizations, with a goal of incorporating consideration of potential ethics and compliance issues into business decision-making processes.
Additional capabilities built into the SAI360 platform include the following:
- FastStart, an implementation program that provides preconfigured templates, upfront cost information and a rapid deployment methodology.
- A variety of preconfigured dashboards for visualizing and analyzing data.
- Tools to help identify and mitigate psychosocial risks in the workplace that could affect the health and well-being of workers.
Founded in 2003, ServiceNow was a pioneer in cloud-based IT service management capabilities. It has since extended its product line across various other domains, including risk management. Built on the company's Now Platform, ServiceNow Governance, Risk and Compliance supports enterprise, operational and third-party risk management in business, security and IT functions. The software also offers capabilities for managing compliance, internal controls, privacy, operational resilience and business continuity.
The GRC module provides real-time visibility of compliance issues through dynamically updated dashboards as well as automated workflows and AI tools that are designed to increase productivity in risk management processes. It also supports ServiceNow's common data model and configuration management database across risk disciplines to help avoid information silos. In addition, the software includes a set of prebuilt integrations with content consolidators, security score providers and business continuity vendors plus access to the company's Integration Hub for creating other integrations.
Other notable features in the ServiceNow GRC software include the following:
- Tools to continuously monitor for IT risks and authorize deployments of new IT systems against the NIST Risk Management Framework.
- A built-in risk assessment capability to help identify and mitigate various risks.
- A Virtual Agent chatbot that answers questions and helps end users resolve issues, and other AI tools that can assign tasks and suggest risk remediation strategies.
SureCloud launched in 2006 with a penetration-testing-as-a-service offering that included a process to help manage security and IT risks. Over time, the company extended the risk identification and mitigation tools across various types of risks and created an integrated suite of cloud-based GRC software. In addition to IT risks, the SureCloud Platform includes modules for managing enterprise and third-party risks as well as compliance, audits, data privacy and security vulnerabilities. Another tool provides a structured approach to using the Information Risk Assessment Methodology 2 standard.
In 2022, SureCloud introduced a Capabilities offering that combines its software with different levels of consulting services for a single price. Now the focus of SureCloud's strategy, the integrated approach is built on an outcome-focused delivery model with service-level agreements that the vendor commits to meet on compliance and risk management processes. Capabilities customers also get on-demand access to SureCloud's consultants.
In addition, SureCloud's platform includes the following features:
- Built-in integration with the Secure Controls Framework, the Standard of Good Practice for Information Security and other popular control frameworks.
- An Integration Hub that provides prebuilt connectors to external applications and APIs for creating custom connectors.
- Fully managed services for cyber-risks, third-party risks and compliance initiatives.
Workiva's cloud-native platform combines operational, IT and enterprise risk management; auditing; and other GRC workflows with financial reporting and ESG program management. The collection of GRC tools is designed to help organizations build risk-resilient operations and adapt internal processes and controls to address emerging risks. The software provides centralized collaboration capabilities; real-time views of risk management initiatives; and more than 3,000 templates for audits, risk assessments and other tasks.
Workiva was founded as WebFilings in 2008, offering tools to better control business data management and reporting processes. The company was renamed Workiva in 2014 and has expanded its product line through internal development and acquisitions. But transparent reporting capabilities are still at the heart of its strategy, with a focus on connecting different teams to needed data. For example, risk management teams can upload documents in their native format, and Workiva will automatically recommend risk remediations.
Additional features in the Workiva platform include the following:
- Generative AI capabilities that can streamline reporting workflows by creating draft documents and rewriting or summarizing information written by teams.
- An online marketplace that lists Workiva's prebuilt templates plus more than 70 connectors to other applications and 60 external consulting services.
- Drag-and-drop data transformation and preparation tools plus data lineage documentation that provides a full audit trail on changes to data sets.
Challenges in adopting risk management tools
When considering enterprise risk management systems, GRC software and other tools, organizations should also be aware of the challenges that can arise in deploying and using them. For example, integrating new risk management tools into existing workflows requires upfront planning to ensure it goes smoothly. But doing so is an important step to take.
"Often, process-specific tools such as risk management are seen in isolation, with standalone implementation," said Rajesh Kumar R., CIO at technology consulting services firm LTIMindtree. Instead, he advocated looking at ERM and GRC tools as an integral component of the enterprise software ecosystem and weaving them into core business workflows.
Kumar said another challenge is that these tools might not be integrated into identity and access management systems. The implementation of an ERM system should adhere to an organization's standard user authentication approaches so access control and platform security can be centrally managed at an enterprise level, he advised.
Risk management tools can also introduce new privacy and data security challenges. Risk management and security teams need to ensure that risk data is well protected against potential breaches.
The cultural shift required to adopt ERM tools should be considered too. Brennan said resistance to change, employee hesitancy about new technology and inadequate alignment with business objectives can impede adoption by end users. He recommended being open and transparent about a new GRC or ERM program so employees understand why effective risk management is important and how the chosen software can help streamline the process. "Cultivating a culture of proactive risk awareness ensures a smooth transition and sustained tool adoption," he said.
Editor's note: This list was compiled based on a combination of market reports and vendor rankings from Gartner, Forrester Research and Chartis Research, plus additional research by TechTarget editors.