https://www.techtarget.com/searchcio/feature/Top-ERM-software-vendors-to-consider
Enterprise risk management software helps organizations identify, mitigate and remediate business risks, which can lead to improved business performance. The risk management market is rapidly evolving from separate tools across different risk domains toward more integrated platforms that blend governance, risk and compliance functions with management of cybersecurity, IT and third-party risks.
The growing number and complexity of risks that businesses face have put enterprise risk management (ERM) even more in the spotlight for boards of directors, said Kriti Seth, an analyst at research firm Everest Group. Spending on risk and compliance tools is up significantly across different industries as boards prioritize projects to create more risk-resilient business operations, according to Seth. "Building a robust strategy and choosing the right ERM tool is becoming a critical decision for CIOs," she said.
In addition to pricing and the capabilities of different technologies, Seth said CIOs, IT managers and business executives involved in purchasing decisions need to consider the reputation of ERM software vendors and the types of risk management frameworks they support. Buyers should also weigh the tools they're considering across various dimensions involving users, risk management processes and governance impact, she added.
Nucleus Research analyst Charles Brennan recommends that IT decision-makers use the following features and attributes to help select the best risk management software for their organization:
Here, listed in alphabetical order, are 16 prominent ERM software vendors and information on the tools they offer. Informa TechTarget editors compiled the list based on market reports and vendor rankings from Chartis Research, Forrester Research and Gartner, plus additional online research.
Founded in 2001 and owned by private equity firm Cinven since 2023, Archer has developed a full set of capabilities for enterprise, operational, IT, security and third-party risk management as well as regulatory compliance; management of environmental, social and governance (ESG) programs; and other risk-related functions. Its integrated risk management (IRM) platform supports common taxonomies, policies and metrics for managing all of an organization's risk data.
In February 2025, the company introduced Archer Evolv, a new SaaS version of the platform that includes integrated AI capabilities and a redesigned UX. A compliance management version is available initially, and an Archer Evolv for Risk version is due to be released later in the year. The platform also includes Archer Engage, a risk reporting and data collection application for both business users and risk management teams; a separate version of the Engage software for third-party vendors; Archer Insight, a risk quantification tool; and an AI governance module announced in 2024.
The Archer platform provides the following features as well:
AuditBoard was founded in 2014 by two former auditors at accounting and professional services firms PwC and EY. Initially, its core focus was on streamlining audit and compliance processes for companies required to meet complex regulations, such as the Sarbanes-Oxley Act. In recent years, though, the company has gradually expanded its cloud-based platform into other aspects of risk management.
In 2023, for example, it released AuditBoard ITRM for IT risk management, with a focus on IT security risks and support for collaboration between security teams, risk managers and business users. ESG program management software was added in 2022. AuditBoard, which was acquired by equity firm Hg in 2024, also offers a separate product for risk and compliance management across various IT frameworks plus ERM and third-party risk management modules. All those products are combined in an integrated platform with a unified UI. A set of AI tools with generative AI (GenAI), machine learning and workflow automation capabilities became available in 2024.
Additional AuditBoard capabilities include the following:
Founded in 1996, Camms was acquired by fellow ERM vendor Riskonnect in June 2024 but remains a separate entity that still offers its own product line -- at least for now. Camms is based in Australia and also has a strong presence in the U.K. and Asia, with operations in the U.S. too. It emphasizes its governance, risk and compliance (GRC) capabilities but also offers a variety of related applications and tools in a single cloud-based platform. Camms touts its software's ease of use and accessibility and highlights its partnerships with various information providers, consultancies and professional services firms.
The core GRC tool supports management of operational, cybersecurity and third-party risks as well as regulatory compliance, audits, ESG programs and other functions. Other available technologies include a strategic planning and execution tool, a project and portfolio management application, a module for securely managing virtual meetings and a library of APIs for integrating the Camms software with other IT systems.
The following features are also built into the Camms platform:
Founded in 2001, Diligent was best known as a vendor of software for managing and governing boards of directors when it acquired SaaS GRC vendor Galvanize in 2021. It also bought Steele Compliance Solutions, a maker of ethics and compliance software, and ESG reporting tools vendor Accuvio that year. The combined company offers a GRC platform that supports enterprise, IT and third-party risk management as well as audits, internal controls and regulatory compliance.
Diligent One Platform, the core GRC software, provides advanced analytics and workflow automation to automatically identify risks and surface them to risk managers or the board of directors. Formerly named HighBond, the platform also includes prebuilt dashboards and reports for distributing information about business risks to the board. In addition, Diligent has an extensive library of integrations with enterprise applications, databases and third-party data providers.
Other notable features in the Diligent platform include the following:
IBM OpenPages is an AI-driven GRC platform that supports risk management, regulatory compliance and data governance programs. It was first developed in the mid-1990s as an enterprise content management system for publishers by American Computer Innovators, which renamed itself OpenPages in 2000 and refocused on GRC. IBM acquired OpenPages in 2010 to expand its business analytics offerings into compliance and risk management processes. In 2020, the software was integrated into IBM Cloud Pak for Data, a set of cloud-based tools for organizing, managing and analyzing data.
OpenPages is designed to help organizations centralize siloed risk management initiatives. It includes a stack of GRC and ERM tools for managing operational, third-party and ESG risks; IT governance; data privacy; financial controls; audits; compliance; and more. The platform supports integration of GRC processes with third-party applications via IBM App Connect or REST APIs. In addition, IBM's Cognos Analytics software can be used for self-service data exploration and analytics in OpenPages systems.
OpenPages also includes the following features and capabilities:
LogicGate offers a GRC platform that seeks to enable risk management teams to present information about different business risks to the board of directors in a comparable form so investments in IT systems, people and risk mitigation processes can be prioritized. To that end, LogicGate's Risk Cloud platform helps quantify the financial impact of risks through a combination of traditional techniques, Monte Carlo simulations and support for the Open FAIR risk analysis standards.
Risk Cloud is a no-code platform that lets business leaders customize prebuilt workflows to identify, evaluate and mitigate risks. It includes 11 modules for ERM, cyber-risk management, third-party risk management, regulatory compliance, operational resiliency, ESG program management, AI governance and other functions. LogicGate, which was founded in 2015, also provides reporting and analytics features that include prebuilt reports and dashboards, real-time reporting and integrations with external BI tools.
In addition, the Risk Cloud platform includes these features:
LogicManager combines enterprise risk management software with an associated consulting operation that pairs customers with advisory analysts and provides personalized training and guidance on risk management best practices, augmented by a GenAI tool that automates tasks and offers around-the-clock product support. Founded in 2005, the company centralizes risk management functions in a single platform that automates processes for identifying, mitigating and reporting on risks across operational silos in organizations.
In addition to ERM, the cloud-based LogicManager platform supports IT and cybersecurity risk assessments, third-party risk management, regulatory compliance efforts, business continuity management, internal auditing, financial controls and more. The platform can be customized for different industry needs and comes with all-inclusive pricing for consulting and implementation services, integrations, training and unlimited user licenses. An integration hub lets users connect to more than 500 external applications through a no-code, template-based approach.
Additional LogicManager features include the following:
MetricStream has built its software strategy around AI-powered risk management and "connected GRC" capabilities that support an integrated and collaborative approach to managing risks. Founded in 1999, the company provides tools for use in risk, compliance, audit and ESG management processes. That includes its underlying MetricStream Platform and various product modules to help manage enterprise, operational, IT, cybersecurity and third-party risks as well as business continuity, regulatory changes, internal audits, organizational policies and more.
Announced in 2023, MetricStream's AI software uses large language models, generative AI capabilities and knowledge graphs based on GRC ontologies to augment decision-making and prioritization of work in GRC programs. For example, it can identify missing or duplicate controls in business units, map relationships between risks and controls, streamline issue management and gather risk-related information in response to prompts from risk managers or other end users.
Other MetricStream capabilities include the following:
Navex offers a GRC platform that includes ethics and employee compliance management, integrated risk management and third-party risk management software modules, plus reporting and benchmarking tools. The IRM software supports management of IT and operational risks, internal policies and controls, and compliance with data privacy regulations. Navex also provides capabilities to develop ethical standards that can be measured and enforced across various business processes, with customized tools and workflows for organizations in the healthcare, financial services, manufacturing, energy, insurance and life sciences industries.
Founded in 2012, the company initially focused on ethics and compliance tools but broadened its product offering in recent years. Many of the components of its Navex One platform, which was launched in 2020, were stitched together from acquisitions. For example, Navex IRM resulted from the acquisition of risk management vendor Lockpath in 2019.
Other notable features of the Navex platform include the following:
OneTrust's namesake cloud-based platform includes a set of tools for managing business risks and compliance programs as part of a broader product portfolio that also encompasses data privacy, data governance and related initiatives. Separate tools support management of technology and third-party risks, as well as internal compliance audits. Features include automated third-party risk assessments; risk data and external risk ratings on vendors; centralized management of cybersecurity incidents; and automated certification of compliance with security standards.
The IT risk management tool also enables users to track both qualitative and quantitative metrics to inform decisions on risk mitigation priorities and plans. The compliance automation software is integrated with more than 50 compliance frameworks, standards and regulations, while the third-party offering includes a due diligence tool that helps screen and monitor external organizations for various risks.
The following are some additional features provided by OneTrust, which was founded in 2016:
As its name indicates, Riskonnect provides integrated risk management software for managing risks in an interconnected way, both within an organization and across third parties. Its namesake cloud-based IRM platform includes various tools to help manage insurance, ESG, healthcare, GRC and business continuity risks. The company also offers a software module that risk managers can use to visualize risks, analyze their potential business impact, identify trends and prioritize risk mitigation work.
Founded in 2007, Riskonnect acquired several smaller companies in recent years to expand its product line, in addition to buying Camms in 2024. Its ESG module is tightly integrated with Salesforce's Net Zero Cloud, enabling users to combine ESG, governance, risk and compliance data from the Riskonnect platform into the Salesforce sustainability management software. Riskonnect also provides a set of APIs for creating custom integrations with Salesforce and other external applications, with support for both REST and SOAP (Simple Object Access Protocol).
In addition, the Riskonnect platform includes these features:
SAI360 offers a cloud-based platform that combines software for managing GRC initiatives and ethics and compliance training programs. The company was founded as SAI Global in 2003, initially to publish and sell the various standards developed by Standards Australia. It later refocused on risk management and related practices, a strategic shift aided by several acquisitions -- most notably, the purchase of GRC vendor BWise from Nasdaq in 2019. The company rebranded its platform as SAI360 in 2018 and changed its name to that in 2021. It also added environment, health, safety and sustainability tools, which were spun off into a separate company named Evotix in October 2024.
SAI360's GRC software supports functions that include risk, audit, compliance and business continuity management, as well as internal controls and automated reporting on conflicts of interest among employees. The ethics and compliance training product provides a suite of tools and resources to promote risk awareness and corporate ethics across organizations, with a goal of incorporating consideration of potential ethics and compliance issues into business decision-making processes.
Additional capabilities built into the SAI360 platform include the following:
Founded in 2003, ServiceNow was a pioneer in cloud-based IT service management capabilities. It has since extended its product line across various other domains, including risk management for business, security and IT functions. Built on the company's Now Platform, ServiceNow Governance, Risk and Compliance supports enterprise, operational and third-party risk management. The software also offers capabilities for managing compliance, internal controls, privacy, operational resilience and business continuity.
The GRC module provides real-time visibility of compliance issues through dynamically updated dashboards as well as automated workflows and AI tools that are designed to increase risk management productivity. It supports ServiceNow's common data model and configuration management database to help avoid information silos. In addition, the software includes a set of prebuilt integrations with content consolidators, security score providers and business continuity vendors plus access to the company's Integration Hub for creating other integrations.
Other notable features in the ServiceNow GRC software include the following:
SureCloud launched in 2006 with a product for penetration testing as a service, which included a process to help manage security and IT risks. Over time, the company extended the risk identification and mitigation tools across various types of risks and created an integrated suite of cloud-based GRC software. In 2023, it introduced a new platform named Aurora that focused on information security risk management, but it has now reverted to a broader GRC strategy and a namesake platform.
The SureCloud platform includes modules for managing enterprise, technology and third-party risks as well as compliance, audits, data privacy, security vulnerabilities, incidents and risk-related policies. It also provides real-time dashboards and reporting tools along with a UI that's designed to be easy enough for business executives to use. In addition to the GRC software, the platform includes a set of continuous control monitoring tools for testing internal controls and checking their compliance with various security, privacy and risk management frameworks.
The following features are also part of the SureCloud platform:
Workiva's cloud-native platform combines operational, IT and enterprise risk management; auditing; and other GRC workflows with financial reporting and ESG program management. The collection of GRC tools is designed to help organizations build risk-resilient operations and adapt internal processes and controls to address emerging risks. The software provides centralized collaboration capabilities; real-time views of risk management initiatives; and more than 3,000 templates for audits, risk assessments and other tasks.
Workiva was founded as WebFilings in 2008, offering tools to better control business data management and reporting processes. The company was renamed Workiva in 2014 and has expanded its product line through internal development and acquisitions. But transparent reporting capabilities are still at the heart of its strategy, with a focus on connecting different teams to needed data. For example, risk management teams can upload documents in their native format, and Workiva will automatically recommend risk remediations.
Additional features in the Workiva platform include the following:
ZenGRC specializes in IT and cybersecurity risk management, offering software primarily designed for use by chief information security officers and information security teams. Founded in 2009 under the name Reciprocity, it initially sold a ZenGRC platform that automated compliance audits. In 2022, the company introduced the ROAR Platform -- short for Risk Observation, Assessment and Remediation -- as its new lead product, with broader risk management capabilities. But in June 2024, it consolidated its product offering under the ZenGRC name and, having renamed itself RiskOptics the year before, renamed the company ZenGRC as well.
The ZenGRC platform includes tools to help assess potential third-party risk exposure from data breaches and other issues at vendors, suppliers and partners, as well as real-time risk scoring, reporting and compliance monitoring capabilities. It also continues to support compliance audits and assessments, and an add-on Trust Center portal provides a centralized location for sharing security and compliance documentation with customers and other stakeholders.
ZenGRC also offers the following features as part of its platform:
When considering enterprise risk management systems, GRC software and other tools, organizations should also be aware of the challenges that can arise in deploying and using them. For example, integrating new risk management tools into existing workflows requires upfront planning to ensure it goes smoothly. But doing so is an important step to take.
"Often, process-specific tools such as risk management are seen in isolation, with standalone implementation," said Rajesh Kumar R., CIO at technology consulting services firm LTIMindtree. Instead, he advocated looking at ERM and GRC tools as an integral component of the enterprise software ecosystem and weaving them into core business workflows.
Kumar said another challenge is that these tools might not be integrated into identity and access management systems. The implementation of an ERM system should adhere to an organization's standard user authentication approaches so access control and platform security can be centrally managed at an enterprise level, he advised.
Risk management tools can also introduce new privacy and data security challenges. Risk management and security teams need to ensure that risk data is well protected against potential breaches.
The cultural shift required to adopt ERM tools should be considered too. Nucleus Research's Brennan said resistance to change, employee hesitancy about new technology and inadequate alignment with business objectives can impede adoption by end users. He recommended being open and transparent about a new GRC or ERM program so employees understand why effective risk management is important and how the chosen software can help streamline the process. "Cultivating a culture of proactive risk awareness ensures a smooth transition and sustained tool adoption," he said.
Editor's note: Informa TechTarget editors updated this article in March 2025 for timeliness and to add new information.
George Lawton is a journalist based in London. Over the last 30 years he has written more than 3,000 stories about computers, communications, knowledge management, business, health and other areas that interest him.
06 Mar 2025